Relevant Provisions and Their Impact on Startups
An entity covered under the provisions will be required to adopt an entity-wide policy, to be known as the ‘privacy by design policy’. This policy will essentially describe the systems designed to avoid harm to the user, the technology used to process the data, whether data processing is done in a transparent manner, and the efforts made to protect the privacy of individuals – This provision increases compliance cost, but at the same time it recognizes the responsibilities tied to the personal data of individuals.
Personal data of individuals can be processed only with the prior consent of those individuals – This means that apps and websites will be mandatorily required to present a detailed disclosure inviting consent, which includes the purpose and basis of processing, the period of retention, any cross-border transfer of data, the entities with whom such data is shared, etc.
If personal data of individuals is collected through automated means – for example, by tracking the activities of an individual on an app or website – the individual shall have the right to receive such information in a structured format.
Additional responsibilities are imposed on companies that engage in the collection and processing of personal data of children (below 18) through online means – This chiefly affects entertainment companies such as gaming, OTT streaming and social media platforms, as well as online education platforms.
All personal data of individuals shall be processed in a transparent manner, and specific information relating to such processing shall be made available in such form and manner as may be notified – This means that companies shall be required to make additional disclosures to the authorities.
The bill introduces a new concept called a ‘consent manager’, defined as an accessible, transparent and interoperable platform, to be employed by a company, vested with the responsibility of enabling an individual to give, withdraw, review and manage their consent – This provision, once again, implies increased compliance costs.
Entities handling a large amount of personal data will be statutorily required to implement security safeguards commensurate with the risk and harm associated with the processing of such data. Moreover, any breach of personal data shall be reported to the Authority within the prescribed time – These provisions could mean hiring data security experts and are likely to increase spending on data security.
Based on certain factors, such as the volume of data, the risk associated with the processing, or the sensitivity of the personal data, the Authority may notify a company as a ‘significant data fiduciary’. Additional responsibilities are imposed on such entities, such as conducting an annual data audit, undertaking a data protection impact assessment, and appointing a data protection officer.
For example: Payment apps like Paytm collect biometric and financial data of individuals, which is identified as ‘sensitive personal data’ under the bill. Now, if Paytm wants to carry out large-scale processing of such data, it will be required to carry out a data protection impact assessment, which shall first be reviewed by the Authority before Paytm proceeds with the processing.
Sensitive personal data (financial data, biometric data, health data, etc.) and critical personal data (yet to be notified) are not allowed to be stored outside India – This essentially means that entities engaged in the collection and processing of such data must have a local server and database in India.
Food for thought: The Income Tax Act looks to the permanent establishment of an entity to ascertain jurisdiction over the income generated by that entity. In the past, the tax authorities have treated the location of a local server as a permanent establishment of the entity in order to impose tax on the income earned.
Fun fact: An Indian industry major has recently tied up with a global leader to build data centers and host cloud services across the country.
Possible changes in businesses: additional features in apps and websites, educating and training team members, reliable data security measures, updating contracts with software and device vendors, and updating organizational policies.
While we’re here: The Personal Data Protection Bill (PDPB) has significant parallels to the European Union’s General Data Protection Regulation (GDPR), which became enforceable on 25th May 2018. The regulation wreaked havoc in the region and had a far-reaching impact on companies across the world. Now, if the PDPB were to be imposed in India, it is likely that organizations would have to make radical changes to their processes and operations relating to the handling and processing of personal data. Startups, however, can keep the PDPB in mind from their inception and build a business model around it. This way, the prescribed policy measures can be implemented quickly and with minimal resistance.
The big picture: The PDPB grows out of a school of thought that has long argued that ‘Data is the new Oil’. The GOI has certainly leapfrogged in recognizing that, in the modern economy, data is indeed a valuable resource that comes with a great many responsibilities. Rightly so, the bill has placed data owners in the driver’s seat. However, the bill has been criticized for having many holes, mainly on the grounds of the unnecessary and excessive power it gives to the GOI. Amidst economic turmoil and widespread criticism, the Joint Select Committee has a huge task on its hands to craft India’s first privacy legislation as a win-win for all.