Devil in the detail: New privacy law has startups in a bind as government may not grant exemptions

  • Early stage startups were expecting to be exempted from the newly passed Digital Personal Data Privacy Act, but it looks unlikely, say legal experts.
  • Government has not yet given a timeline to implement the newly minted DPDP Act. Startups ready to make representations to the government asking for two years to implement new privacy law.
  • Industry awaits rules that will ensure implementation of the Act, as the devil is expected to be in the detail.

After years of debate, India now has a data privacy law in place. Companies can no longer report data breaches and get away with it. There will be consequences if data of consumers is compromised or misused. Earlier this month, both houses of the Parliament passed the Digital Personal and Privacy Act, which will change how businesses collect personal information digitally and even use that information.

However, the new DPDP Act has the startup ecosystem and their legal advisors in a bind because there is no clarity on how much time will be given to implement the new Act. The startup ecosystem is ready with their representations as they are seeking at least two years to implement the new DPDP Act.

So far, businesses and startups have been collecting personal information of consumers at varying stages of their journey and consumers have had little say in how this information is being used. Despite the law, there is no clarity on when consumers can actually expect compliance by service providers. There are key aspects on which there are no answers. The first is the implementation of the Act.

While the Union minister for Electronics, IT and Railways, Ashwini Vaishnaw, has said that the law will be implemented “soon”, companies are in a bind as they do not know how soon that could be. The new Act will require the smaller companies and startups to completely rework their backend and frontend to comply with the new law, which is why they need more time.

Law firms are divided on when the sun will set on the existing law that governs data privacy. Probir Roy Chowdhury, Partner at J Sagar, is of the view that the absence of a sunset/implementation period means that stakeholders should ensure that they are ready to comply as soon as the DPDP Bill is enacted. But this may not be the case as the government is engaging with stakeholders to arrive at a time period that companies will get to implement the new DPDP Act.

The industry is betting on a two-year timeframe to implement the new privacy laws just as the European Union had granted industry before the General Data Protection Regulation kicked in. The European Union’s Parliament passed the GDPR in 2016 but the law was implemented by May 2018. India’s startup ecosystem is betting on a similar timeframe to implement the new privacy laws.

Industry is also awaiting the drafting of the rules, which will detail how the privacy law will be implemented. The government is yet to release these rules. Explains Jitendra Ahlawat, Managing Partner at HJA & Associates LLP, “The entire Act is about the fundamental lay of the land. In many cases, the Act refers to rules which will be drafted later. The rules will outline details on how the Act will be implemented.”

Till the rules are in place, the industry is unsure about the implementation and the nitty-gritty of the Act. The longer the government takes to draft the rules, the more time the industry has to implement the new Act and transition to a new format. Many startups that Business Insider spoke to said that they were not even expecting the DPDP Bill to be passed by the Parliament in its current form.

The startup ecosystem is also disappointed by the lack of exemptions in the Act. Early stage startups were expecting to get exemptions from implementing the new privacy law, but the Act does not give details on the same nor has the minister hinted at any. Ahlawat says early stage startups were to get exemption from certain conditions under the Act, but there is no clarity on the same. Garima Mitra, co-founder of Treelife, says: “We don’t know what exemptions startups are going to get, if at all any.”

Before enforcing the new law, the government also has to appoint the Data Protection Board to deal with compliance issues and breaches if any. The board will be a body corporate and will have perpetual succession and a common seal, with power, subject to the provisions of this Act. The Board will consist of a Chairperson and such number of other Members as the Central Government may notify. The Chairperson and other Members shall be appointed by the Central Government.

Currently, startups are looking at their basic IT infrastructure to figure out at what stage a consumer’s data is collected and how many people have access to that data. Once data mapping is over, startups will have to focus on provisions of the new law and integrate the core principles into their backend and frontend. Currently there is no provision to erase the data of a consumer; companies will also have to put in place systems that will allow change and erasure of data.

Explains Mitra, “The way to ease it is to give a timeline to ease it. No rules have been formulated. The Act is the first step towards transition. But a lot of time will be needed to transition to provisions in this Act. This Act will affect all companies that collect data and digitise it. GDPR was implemented after 18 months.”