Private Data Regulation and Startups

The Indian Data regulation draft bill proposes many governance regulations for all business entities, including startups, to comply with the fast-changing Internet Privacy laws. The write up explores some of the changes the draft policy proposes and the kind of vulnerability faced by startups arising from these legalities.

Facebook's Cambridge Analytica has sparked a much-needed privacy awakening across the world. Much like all the other global economies, India is all set to come up with a new set of laws to ensure data privacy. The Personal Data Protection Bill, 2019 was introduced in the Parliament in December 2019. This bill is set to regulate private and government, data controllers and data processors. The business entities engaged in any of the above there activities would now have to undergo stricter regulations to ensure compliance with these norms, raising their operational costs significantly. In particular, Startups are and will be especially vulnerable to these legalities as these organizations have limited funding and are also subject to fast growth.

The proposed bill, in its second draft, qualifies data as 'critical' and 'sensitive' to differentiate the compliance requirements. The business entity is required to store all data classified as crucial inside the territory of India. A failure to do so can cost companies penalties that can go up to 15 Crore or 4 per cent of a company's total worldwide turnover. This compliance requirement needs a legal interpretation of critical data and sensitive data which cannot be done by non-specialized personals. A poorly drafted privacy policy can not only cost a company dearly but for startups, it can also lead to their winding up at their nascent stage. This compliance requirement would change the constructs of the objectives driving the startups. Tech startups manufacturing and providing fitness applications would now need considerable different privacy agreements than the startups creating online dating platforms.

Taking a cue from the EU enacted General Data Protection Regulation, the Indian Bill makes individual consent central to data sharing. The entity processing the data is now under the obligation to process it fairly and reasonably. This requirement prescribes a detailed duty on the data fiduciary to provide a comprehensive notice and future notice to the data principal, which then raises the cost and efforts for the data fiduciaries and data principal. Startups will now have to attract higher investments if their business ideas involve public data. Along with the higher requirement for capital, the sentences under the law would make startups with public data riskier investments.

Startups today are yet to fully understand the implications of data protection on their clients and the new data protection regulatory regimes. Till date, most of them have lengthy and complicated user agreements which encourage users to give consent without understanding what is it that they are giving their consent to. Most companies copy the policy documents from big companies engaging in a similar business, which not only makes them susceptible to financial hurt from frivolous suits or actual suits.

The introduction of the new data regulation bill has raised the stakes for having an adequately drafted policy more than ever. Every company answers to the questions of how data is collected, where that information is shared, how the information is used, and how it's protected differently. Each company's needs are unique, and hence it is time for startups to change their approach towards legal services and tailor their documents, terms and conditions and privacy policies according to their industrial structures to be most effective in protecting the company.