Data Protection Act: A ‘mind-what-you ask-for’ moment for startups & other top tech stories

Hi, This is Pratik Bhakta here in Bengaluru. Perhaps what could turn out to be one of the most crucial acts for Digital India was undertaken by the Indian Parliament through the passage of the Digital Personal Data Protection Bill, 2023 earlier this week. While the law will impact every entity in this country that deals in the personal data of Indian citizens, tech companies and consumer-facing startups are perhaps going to be impacted the most.

While the Act in itself is still being studied by lawyers and policy experts, some of its salient features could have a crucial bearing on the emerging Indian tech and startup industry.

Significant data fiduciary: The law identifies a data fiduciary as one who defines the purpose and means of processing data. Among them, some will be defined by the central government as a ‘Significant Data Fiduciary’ depending, among others, on the following factors:

Volume and sensitivity of the personal data processed
Risks to the right of the data principal
Security of the State
Potential impact on the sovereignty of the country

Industry insiders can assume that financial services players could get included within this category. Maybe ecommerce apps and others might not become significant fiduciaries. But there’s no clarity on that yet.

Impact on crypto and fintech: Startups that are already regulated like lending fintechs or payment aggregators have to abide by strict norms around processing and storage of data as directed by the Reserve Bank of India. But some experts suggested that there could be an additional compliance burden on them now.

Salman Warris, partner at Techlegis Advocate and Solicitors said that fintech and crypto startups could get included into the category of Significant Data Fiduciary.

“(A significant data fiduciary) will have to appoint a data protection officer…and an independent data auditor to evaluate the compliance with the provisions of the Act,” Warris said.

Another section believes that big tech companies, social media giants might only be marked as ‘significant’. They are the biggest repository of customer data in current times. Financial services players might be left to be managed by the regulator.

More power to the customer: Perhaps one of the most critical parts of the Act is that a customer who has been impacted by a data breach needs to be informed.

This is important given past experience has taught us that companies prefer to keep data breaches under wraps. For instance, payment processor Juspay had faced a cyber attack in August 2020. However, news around the breach came out only much later -- in 2021. The company had informed its merchants, but the regulator was not informed then.

https://www.hihonor.com/latam/club/topicdetail/topicid-3548079760343040/
https://www.hihonor.com/latam/club/topicdetail/topicid-3548078971846657/
https://www.hihonor.com/latam/club/topicdetail/topicid-3548079546466304/

Joshua – 1/18

A senior cyber security researcher once had shown yours truly that my own personal data was available for sale on the dark web. Looking at the personal details like address and phone number it was evident that a grocery delivery service I used back in 2016-17 must have been the source of the leak. But never once was I informed that my data was leaked. Now, with the Act, perhaps this will change and consumers will be more aware.

Hefty penalty: Probably one of the harshest sections of the Act is the fine associated with non-compliance. Any breach in observing the obligation for the data fiduciary could result in a fine of Rs 250 crore.

Breaching to inform the data board or the data principal the instance of a data theft can attract a penalty up to Rs 200 crore.

Industry insiders pointed out that such harsh penalties could have a deep impact on early-stage startups who might falter on following the due procedure of the law.

While lawyers help, young founders dealing in personal data will have to always be mindful of the provisions of this law.

Cross-border flows: One section which will give a massive breathing space to startups is cross-border flow of data. The Act has simplified most of the obstacles in this space, thereby seeking to strike a balance between strict data localisation and free flow of data.

“With regards to data localisation and cross-border data transfer, the Act has removed most of the roadblocks and in that sense could be seen as facilitating cross-border data flows and crypto transactions,” Warris said.

Cine Times Now
Yt Flix Online
Cine Times Info
Banglar Diary
Sporting Times
Sporting Times Info
Toro News
Trusted Ultra
Travel Bd Now
Sporting Boom
Movies Anywhere
Movie Streams Club
Cine Times News
The Cine Worlds
News NYK
Update Golf News

This section could help crypto startups given their borderless nature. It could also help fintechs engaged in cross-border trade. Startups looking to take their operations outside India could benefit too from a data storage perspective.

But Warris added that in countries where Indian startups extend their services, the policies of India concerning data protection could become a focal point for scrutiny by those countries.