 Unwrapped |
Want this newsletter delivered to your inbox?
Thank you for subscribing to Unwrapped
We’ll soon meet in your inbox.
Hi, This is Pratik Bhakta here in Bengaluru. Perhaps what could turn out to be one of the most crucial acts for Digital India was undertaken by the Indian Parliament through the passage of the Digital Personal Data Protection Bill, 2023 earlier this week. While the law will impact every entity in this country that deals in the personal data of Indian citizens, tech companies and consumer-facing startups are perhaps going to be impacted the most.
While the Act in itself is still being studied by lawyers and policy experts, some of its salient features could have a crucial bearing on the emerging Indian tech and startup industry.
Significant data fiduciary: The law identifies a data fiduciary as one who defines the purpose and means of processing data. Among them, some will be defined by the central government as a тАШSignificant Data FiduciaryтАЩ depending, among others, on the following factors:
- Volume and sensitivity of the personal data processed
- Risks to the right of the data principal
- Security of the State
- Potential impact on the sovereignty of the country
Industry insiders can assume that financial services players could get included within this category. Maybe ecommerce apps and others might not become significant fiduciaries. But thereтАЩs no clarity on that yet.
Impact on crypto and fintech: Startups that are already regulated like lending fintechs or payment aggregators have to abide by strict norms around processing and storage of data as directed by the Reserve Bank of India. But some experts suggested that there could be an additional compliance burden on them now.
Salman Warris, partner at Techlegis Advocate and Solicitors said that fintech and crypto startups could get included into the category of Significant Data Fiduciary.
тАЬ(A significant data fiduciary) will have to appoint a data protection officerтАжand an independent data auditor to evaluate the compliance with the provisions of the Act,тАЭ Warris said.
Another section believes that big tech companies, social media giants might only be marked as тАШsignificantтАЩ. They are the biggest repository of customer data in current times. Financial services players might be left to be managed by the regulator.
More power to the customer: Perhaps one of the most critical parts of the Act is that a customer who has been impacted by a data breach needs to be informed.
This is important given past experience has taught us that companies prefer to keep data breaches under wraps. For instance, payment processor Juspay had faced a cyber attack in August 2020. However, news around the breach came out only much later — in 2021. The company had informed its merchants, but the regulator was not informed then.
A senior cyber security researcher once had shown yours truly that my own personal data was available for sale on the dark web. Looking at the personal details like address and phone number it was evident that a grocery delivery service I used back in 2016-17 must have been the source of the leak. But never once was I informed that my data was leaked. Now, with the Act, perhaps this will change and consumers will be more aware.
Hefty penalty: Probably one of the harshest sections of the Act is the fine associated with non-compliance. Any breach in observing the obligation for the data fiduciary could result in a fine of Rs 250 crore.
Breaching to inform the data board or the data principal the instance of a data theft can attract a penalty up to Rs 200 crore.
Industry insiders pointed out that such harsh penalties could have a deep impact on early-stage startups who might falter on following the due procedure of the law.
While lawyers help, young founders dealing in personal data will have to always be mindful of the provisions of this law.
Cross-border flows: One section which will give a massive breathing space to startups is cross-border flow of data. The Act has simplified most of the obstacles in this space, thereby seeking to strike a balance between strict data localisation and free flow of data.
тАЬWith regards to data localisation and cross-border data transfer, the Act has removed most of the roadblocks and in that sense could be seen as facilitating cross-border data flows and crypto transactions,тАЭ Warris said.
This section could help crypto startups given their borderless nature. It could also help fintechs engaged in cross-border trade. Startups looking to take their operations outside India could benefit too from a data storage perspective.
But Warris added that in countries where Indian startups extend their services, the policies of India concerning data protection could become a focal point for scrutiny by those countries.
Parliament passes Data Bill
Digital Personal Data Protection Bill passed by both houses of Parliament: The Digital Personal Data Protection (DPDP) Bill was passed by the Lok Sabha on Monday, in a voice vote amidst sloganeering by the Opposition, asking the government to address the Manipur issue. Following this, the upper house also passed the Bill in a session that saw a walkout by Opposition lawmakers. The bill will become law following an assent from President Droupadi Murmu.
Data Bill to make social media cos accountable, fortify it industry: Ashwini Vaishnaw | The Digital Personal Data Protection Bill that the Rajya Sabha will make social media companies operating in India more accountable, boost the business of the IT industry and change the way organisations process data of Indians, minister for electronics and IT Ashwini Vaishnaw said.
Also read | Decoding Data Protection Bill 2023
Experts flag revised data billтАЩs silence on generative AI tools: The absence of artificial intelligence or lack of any provisions to govern the emerging technology and tools like generative AI from the latest version of Digital Personal Data Protection Bill has caused concern among experts who feel it will leave a lacunae in the privacy law.
aniltikotekar4sme.com 