IndiaCorpLaw

The JPC Report on Personal Data Protection Bill: What is in it for Indian Startups?

[Raj Shekhar is a III-year B.A., LL.B. student at National University of Study and Research in Law, Ranchi.]

On 16 December 2021, the Joint Parliamentary Committee (“JPC”) submitted its long-awaited report to the Indian Parliament after two years of deliberations on the Personal Data Protection Bill (“Bill”). While the experts and stakeholders are divided in their opinion about the Bill, the ‘start-up’ sector has its fair share of challenges. This article tries to decipher the impact of the Joint Parliamentary Committee’s recommendations, if implemented, on start-ups and small businesses in the country.

Incentivizing the Startups – The Positive Take-Aways from JPC Report

Compliance with the obligations laid down by existing legislation often proves burdensome for Indian start-ups. The JPC Report has taken a positive stance aimed at promoting and protecting startups. To understand this better, it becomes pertinent to observe a few special carve-outs made for startups in the JPC Report.

Deferred Implementation Timeline

One of the key challenges that the entire business ecosystem in India would face after the implementation of the Bill would be the increased obligations and infrastructure development needed to ensure compliance with these stringent requirements. While the multinational and established players of the market will be able to absorb the costs of compliance, the start-up sector would be devastated. This factor was considered extensively by the JPC, which recommended a deferred timeline for implementation of obligations under the Bill. Such a suggestion comes as a welcome respite to the start-ups.

Ensuring Corporate Innovation

Start-ups are often seen as the originating points of innovation owing to their non-traditional, ground-breaking emphasis on innovation to change the existing status quo. Keeping this in mind, the JPC recommended that the obligations with respect to data protection could negatively impact corporate innovation, which is primarily driven by data statistics. Further, it is recommended that while formulating such obligations, their impact on start-ups and adherence to the objectives of “Ease of Doing Business” should be the guiding factors. The special emphasis on start-ups demonstrates how the government has recognized the impetus that these entities provide to corporate innovation.

Regulatory Sandbox

The JPC has recommended that, while framing regulations, the DPA should keep in mind the interests of start-ups, encourage innovations and promote sandboxes. Thus, a special emphasis has been placed on the creation and maintenance of sandboxes to enable startups to carry out their innovations in a regulated, safe and secure environment without compromising on the aspect of privacy.

Subsidizing Start-ups for Enabling Data Localization Compliance

One of the major concerns that has plagued startups regarding the Bill has been the stringent requirement of data localization, which is an extremely cost-intensive process as it requires a complex technological infrastructure that start-ups are unlikely to have. The JPC has recommended that the government subsidize the development of such infrastructure for start-ups in particular. It was noted that the development of adequate infrastructure may generate employment, and that such measures would promote investment and fair economic practices. It shall also ensure proper taxation of data flow and the creation of a local Artificial Intelligence ecosystem to attract investment and to generate capital gains. As a result, new sources of revenue would be generated. Thus, it has directed that the revenue generated out of such data localization should be used in welfare measures by helping small businesses and start-ups in complying with data localization requirements.

Flexibility in Penalties

The JPC pointed towards the evolving nature of digital technology, and stated that the penalties should not be fixed but should rather be subject to a maximum cap. Further, the determination of this quantum should be done by taking into account factors such as the size and nature of the defaulter. This is a welcome move especially for start-ups as it would ensure that they are proportionately penalized for any act of non-compliance.

Exemptions for Small Businesses

The Bill defines “data fiduciaries” as entities who decide the means and purpose of processing personal data and has accordingly laid down obligations on them for data protection. The JPC has recommended the sub-categorization of small entities into two categories: (i) entities that carry out automated processing of personal data and (ii) entities that carry out non-automated processing of personal data. It exempts the latter from statutory compliance obligations that are otherwise applicable to data fiduciaries. This would lead to the overall reduction of the compliance burden on start-ups.

Indirect Effects of Data Localization Requirements for Other Businesses on Start-ups

The recommendation of the JPC to prepare a stringent data localization plan and the introduction of compliance with ‘state’ and ‘public’ policy as standards for cross-border transfer of data can have a huge impact on startups. These requirements could lead to shutting off access to global cloud service platforms for startups in India. As a result, access to global markets and the latest technologies will be limited too. The increased operating costs that the global leaders in cloud storage would incur will prevent them from offering the same global competitive pricing in India. This could drastically affect productivity and profit margins, and thus undercut the overall competitiveness of Indian startups.

Inclusion of Non-Personal Data

The JPC has recommended expanding the Bill’s ambit to also include regulation of non-personal data. This means that the government can demand such data from any entity, for any legitimate purpose. This provision can disrupt the business operations of startups that put in significant efforts to collect data and develop insights, and as such, a mandatory sharing requirement can hurt their efforts.

Children’s Data

The pandemic has changed the overall education industry and has given rise to many EdTech startups. The JPC recommendation to mandatorily ask data fiduciaries processing children’s data to register with the Data Protection Authority, irrespective of their overall size of operation, can be seen as a death knell for such ventures.

The Future of the Bill: What Lies Ahead?

While a conscious effort on the part of the experts to ensure the growth of startups is visible in the pro-startup recommendations, there are some costs that cannot be ignored. The report, having been tabled in Parliament, awaits the scrutiny of the houses and, at the time of writing, the Ministry of Electronics and Information Technology is preparing a cabinet note on the Data Bill. The upcoming developments on the Bill would be interesting to watch, especially in light of the fact that many dissent notes were filed regarding the JPC recommendations by the members of the committee.

Raj Shekhar