Introduction
Startups have been a much-welcome concept in our country for almost the entirety of the past decade. The Startup India Scheme is an initiative of the Government of India that started in 2016 with the primary objective and vision of employment generation and wealth creation. This was done to ensure that the economic ecosystem of the country turned from one of job seekers to job creators. India now has the 3rd largest startup ecosystem in the world; expected to witness a consistent annual growth of 12-15%. According to the Economic Survey Report 2022-2023, Indian startups have risen from 452 in 2016 to 84,012 in 2022.
The desirability of promoting ease of doing business for startups has led to startups now being allowed easier compliance, legal support, tax exemptions as well as credit guarantee schemes. Something similar to such benefits and exemptions is what we also observe in the recently passed legislation of data privacy in India – the Digital Personal Data Protection Act, 2023 (hereinafter, “the DPDP Act”/ “Act”).
After several attempts and bumps on the road to codify a privacy legislation, India finally has a new privacy regime under the DPDP Act 2023 which seeks to provide for the protection of digital personal data and lay down grounds for processing of the same. As many experts have claimed, the Act will induce behavioural changes in tech giants, and make them face tall tasks during compliance. However, it turns out that these compliances are not set in stone, since some Data Fiduciaries are exempted from following them. One such Fiduciary has been categorised as ‘Startups’, under Section 17(3) of the Act.
Thus, this blog will delve into a complete analysis of what changes have been introduced (in the form of duties of Data Fiduciaries) that will cause corporate data processors to up their game, with a special focus on the position of Startups in the status quo, and the exemptions with respect to the desirability of the same vis-à-vis rights of citizens under the Privacy Law.
Tracking the Enhanced Compliance Regime under DPDP, 2023.
Apart from fulfilling fundamental privacy principles such as obtaining the consent of the Data Principal, serving a notice to them regarding the processing (and purpose of doing so) of personal information, or ensuring effective grievance redressal on the occurrence of a breach, the onus of Data Fiduciaries (which can be private or public companies, partnerships, LLP’s, etc.) now goes a notch higher.
The corporate giants are now also expected to integrate technical and organisational measures to ensure compliance with the DPDP Act as well as conduct periodic Data Protection Impact Assessments (hereinafter, “DPIA”). DPIA will essentially outline the enforcement of the rights of a Data Principal as well as increase the impact of risk management of the data within an organisation.
Apart from that, in order to increase reliability in the competitive markets, these data-processing corporates will now have to maintain highly furnished and updated databases/records of whatever personal information that they are in possession of, or are processing, or personal information that has been shared with third party Data Fiduciaries and Processors, so that they can produce a record of the same upon the request of a Data Processor to showcase the same.
Storage limitation will now become the norm since erasure will have to be conducted on personal information, retention of which is no longer necessary. The right to erasure also substitutionally comes with the right of correction, completion, and updation of personal information at the request of a Data Fiduciary, under Section 12(1) of the Act. Penalties can now go up to 250 crores for not taking measures to prevent a security breach. Last, but not the least, the responsibility only goes up the charts if one qualifies as a ‘Significant Data Fiduciary’ as per the conditions prescribed under the Act.
Let’s take an example here- recently, the app- MOVEit, a tech enabled logistics startup was used to move ‘sensitive’ medical and health information by the Colorado Department of Health Care Policy and Financing (HCPF). The same, due to disclosed, but unpatched vulnerabilities (also called zero-day vulnerabilities) fell victim to a mass hack, exposing the data of more than 4 million patients. Had the abovementioned compliance measures (especially, DPIA) been taken by MOVEit, this data breach could have been prevented.
Apart from national standards, Data Fiduciaries, in order to have an edge in the international market, have to comply globally too. For example, the ISO (International Organization for Standardization) forms specialised systems for worldwide standardisations, out of which ISO/IEC 27701 provides a privacy framework for all public and private entities that are controllers and processors of Personally Identifiable Information (PII). Any organisation complying with such ISO standards and requirements will be able to generate documentary evidence of its reliability and interoperability in the tech market. An extension of the same is also PIMS (Privacy Information Management System) which prescribes specific controls (or principles) for the PII Controllers and PII Processors to follow.
However, this is just one side of the picture since this pertains to data fiduciaries in general. The next section will specifically examine the potential position of Startups. Will they follow the same degrees of compliance? What will be the effects of the same on the privacy of individuals? Is there any way to monitor and ensure the legitimate use of such exemptions?
Exemptions granted to Startups under Section 17(3) of the Act.
Under the Act, a “startup” has been explained (under 17(3)) as a private limited company, a partnership firm, or a limited liability partnership incorporated in India, which is eligible to be and is recognised as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government.
Thus, according to this explanation, a startup will fall into the same criteria as that under DPIT (Department of Industrial Policy and Promotion), which is the department that manages matters relating to startups. According to the DPIT, an organisation can gain the tag of startup for a period of 10 years from the date of its inception, given that the yearly turnover for any of the financial years from the time of formation of the organisation does not surpass Rs. 100 crore.
Now, under the DPDP Act, 2023, the Central Government may, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or classes of Data Fiduciaries, including startups, to whom certain provisions of the Act will not apply. Even though the date of implementation is uncertain yet, as and when it takes place- such exemptions will include:
- Exemption from provision of notice to the Data Principal which includes details like the personal data that is being processed, the purpose for which it is being processed, etc.
- Exemption from having to ensure completeness, accuracy, and consistency, of data being processed.
- Exemption from the erasure of data even though now it needs not to be retained.
- Exemption from the duty of providing the Data Principal identities of other Fiduciaries and Processors with whom the personal data of the principal has been shared.
Now that we have seen what some of the exemptions are, let us study the effects that such exemptions will have over Startups in the status quo with respect to various dimensions as discussed below.
Disharmony Between the Exemptions Granted and the Fundamentals of Privacy
In 2012, the Planning Commission and the Group of Experts on Privacy Issues headed by Justice (retd.) AP Shah came out with the ‘Report of the Group of Experts on Privacy’ which was one of the first documents on privacy law in India. This report essentially outlined nine fundamental principles that are central to the definition of the Right to Privacy. Ironically, the exemptions that have been granted to Startups violate three of these fundamental principles, which are the principles of provision of Notice to the Data Principal, Right to Access and Correction, and Right to Information which has been disclosed to a third party; as have been explained above. If a notice is not given to Data Principals, their consent given to startups will not be fair either.
Now, firstly, the main question of concern is whether such a violation of the fundamentals, which form the very heart and soul of a subject matter of law, can be allowed even if it is in the form of an exception. Moreover, the purpose and desired outcomes of granting these exceptions may not align with their desirability in law. The desired outcome of this exception is to allow startups to cut down on compliance costs while not compromising on the fundamentals in their nascent stage. However, if such dimensions of carve-outs violate basic principles, the legislative intent as well as the purpose of the law itself may be defeated.
Secondly, similar to the contention that has been raised in the Lok Sabha by the opposition, such startups may subsequently be subsidised by a potential Data aggregator to set up a data mine and exploit the data then collected without consequence, using the exemptions granted to startups for their advantage. Rajya Sabha Member and lawyer Sirgapoor Niranjan Reddy pointed out that exemptions for startups “may have to be conditioned”, as they can be misused, especially in the case of data mining startups.
Thirdly, we know that Significant Data Fiduciaries have increased obligations under the DPDP Act, depending upon the volume and sensitivity of the personal information that they process. Now, even if the Central Government, while notifying Data Fiduciaries that may be subject to such exemptions under 17(3) makes sure that they do not exempt a Startup that is a Significant Data Fiduciary, there is high probability of the Startup changing its nature of business (from that of ordinary Data Fiduciary to Significant Data Fiduciary) and still being able to enjoy the exemptions granted to it till it does not meet the notified time period/ the threshold income.
These are the potential challenges that follow such exemptions granted to Startups.
Way Forward and Suggestions
To ensure that Privacy is not defeated and the exceptions are not unethically exploited to circumvent responsibility under the law, there are a few steps that can be taken by the Central Government.
- The notice which indicates the list of Data Fiduciaries being granted the exemptions as under section 17(3) should mention details like the precise time period/ threshold for which non-compliance is allowed under the law, and should also mention the course of action once the compliance period of the Startup is over. Such a course of action should also have elaborate details of whether the data that has been so far collected by the startup without storage limitation (since erasure is not compulsory once the purpose for which data was collected is satisfied) will now be deleted. Such elaboration becomes of utmost importance because 17(3) has not even been put under delegated legislation as per Section 42 of the Act, thus no rules, regulations, etc. will be able to provide clarity on the same topic, even in the due course of time.
- Keeping in mind that the DPDP Act, 2023 in no place necessitates a privacy policy, the notice must also mandate Startups to come up with a privacy policy mentioning those compliances which will not be undertaken by them, owing to the exemptions granted. This will make sure that the Data Principals have full disclosure of the rights that can be potentially denied to them by a Startup, which can otherwise be fulfilled by any other non-exempted Data Fiduciary. This will give the Data Principals a chance to make a fair choice wherein their privacy rights are not compromised.
- As was elaborated earlier too, there is always a possibility of a startup prospectively converting its nature of business from an ordinary data fiduciary to a significant data fiduciary. For example, a startup which may deal with transfer of messages may subsequently start dealing with transaction of payments too. In such a case, since there is a change in the volume and sensitivity of data, the startup may go from being an ordinary data fiduciary to a significant data fiduciary. In such a case, the Central Government must come up with a mechanism to monitor the trajectory of such exempted startups so that the degree of care with which sensitive data is handled does not suffer at the hands of such startups. Further, it must also be made sure that startups, if being used by a Big Data Aggregator in the form of a data mine must be immediately stripped of the exemptions granted to them.
The intention behind such analysis was to discover all potential outcomes of giving such wide-ranging exemptions to Startups. Seeing that Startups are not an unfamiliar concept in the digital India that we live in today, and witnessing the big consumer base that they entertain, it is an evident conclusion that they cannot be allowed to go unchecked in the data market when it comes to dimensions of privacy.
(This post has been authored by Lavya Bhasin, a student at National Law Institute University, Bhopal)
CITE AS: Lavya Bhasin “The New Privacy Regime for Startups: A Dreamy Vision or Wake-Up Call?” (The Contemporary Law Forum, 05 October 2023) <
tclf.in/2023/10/08/the-new-privacy-regime-for-startups-a-dreamy-vision-or-a-wake-up-call/> date of access.