Data Protection Bill: Don’t mule the unicorn

Data Protection Bill: Don’t mule the unicorn

Authors: Aparajita Bharti & Nikhil Iyer
Published: May 19, 2022 in the Economic Times

The Justice Sri Krishna Committee Report on a Free and Fair Digital Economy, which was the basis for the Personal Data Protection Bill, was released in July 2018. Until then, India had 16 unicorns – startups with a valuation of US$ 1 billion or more. Since then, there have been 84 more unicorns (as of May 2022). The upcoming law on data protection, currently under deliberation by the Ministry of Electronics and Information Technology, must create a conducive growth environment so that India’s startup ecosystem keeps thriving.

Broadly speaking, this law will set industry standards for data protection, resulting in enhanced customer trust in the digital economy. However, some provisions in the Personal Data Protection Bill 2019 and the Joint Parliamentary Committee’s (JPC) 2021 report merit a deeper discussion around the implications especially for India’s start-ups.

Startups around the world use various services and plug-ins to conduct their business efficiently, ranging from services that help with sending emails to customers, shipping, marketing, payments, etc. Often, these services are offered by global tech companies, who may be using foreign servers for their purposes, and who send processed data back to India to the concerned startup. Going by the JPC’s suggestions, these entities may need to obtain the DPA’s approval for each contract or scheme to be used for cross-border data transfers, which may deny approval on grounds of ‘public policy’ or ‘state policy’. This is an onerous requirement, which will require substantial resources from both the startups, and the Government. It is especially worrisome as the export-focused Information Technology/ IT enabled Services industries are crucial cogs in India’s growth story. Over half of these exports are to the USA, with another quarter to Europe.

There is also immense uncertainty over how non-personal data (NPD) will be regulated. NPD is data which is stripped of any personally identifiable information or which is anonymised, e.g. weather data, geospatial data, telemetry data, travel data, etc. The ability to process this data in innovative and creative ways, often through proprietary methods is important for startups, for which they invest significant technical and financial resources. Any law which mandates sharing of NPD, is bound to affect their incentives to invest in data collection, storage, analytics, etc., as it will interfere with the companies’ intellectual property rights over their datasets. This provision can also make Indian start-ups less attractive to global funders.

Further, neither does the current Bill, nor the JPC’s suggestions, forbid the Central Government from accessing foreign data once it is in India. This has raised concerns that India may not meet data adequacy requirements – essentially, it may fail to offer adequate protection to data that is imported into India for processing. Indian startups that look to process the world’s data will find these as impediments, as other countries may forbid their companies from sending citizens’ data to India.

Another cause of concern is for start-ups focused on building products for children. According to the Bill, Indian companies creating products and services for children in edtech, gaming, social media, etc. will have to contend with a high age of consent at 18 years, even as other countries allow children to consent to data processing at a much younger age- 13 in the USA, or 16 years, as under the GDPR in Europe. India’s current Bill also puts a blanket ban on profiling children, making customisation of services difficult, e.g., to use AI to offer customised programs for children in a classroom as per their learning abilities – further disincentivising innovation for this target group.

With regulatory ambiguity on key issues, the Indian startup story is at a crossroads today. On the one hand, recent months have indicated that the market is bullish about their prospects, going by the investments they have attracted. Investors have backed startups across a range of sectors – fintech, SaaS, e-commerce, travel, healthcare, education, etc., many of which have become unicorns. On the other hand, by imposing such requirements, we risk tempting Indian founders to register their startups outside India to avoid onerous compliance. An overzealous data protection framework can, therefore, undo decades of progress that the Indian start-up ecosystem has made.

While the Indian government’s aspiration to be a global thought leader in tech regulation is appreciable, straying too far from global benchmarks can have unintended economic consequences. One hopes that the next version of the Bill that the Government brings to Parliament, will take into account the aspirations of India’s entrepreneurs, to whom we are looking to create millions of jobs of the future.