The Digital Personal Data Protection Bill, 2022, is being hailed by industry experts as more progressive in comparison to its predecessor. It is believed that the new Draft Bill, if enacted, will enable startups to create processes in line with DPDP requirements and offer B2B and B2C plug-and-play solutions when it comes to the processing of digital data and its protection.
Unlike the last Draft Bill, which posed challenges for startups with regard to data localisation and cross-border data transfer norms, the new DPDP Bill removes most of the distractions.
Expanding on Soudarajan’s views, Mathew Chacko, partner, Spice Route Legal, said in the absence of big companies wanting to reinvent the entire data play, opportunities galore for Indian startups to offer plug-and-play access requests, plug-and-play deletion protocols, or plug-and-play dashboards for customers.
The DPDP Bill Ensures Startups’ Focus On Product Quality And Value Creation
According to the new Draft Bill, significant data fiduciaries will have to appoint a data protection officer, who will represent the significant data fiduciary under the provisions of the Act, and an independent data auditor to evaluate the compliance of the data fiduciaries with the provisions of the Act. In addition, these fiduciaries will also have to undertake other measures, including data protection impact assessment and periodical audits, catering to the objectives of the Act.
From basic consent to deletion, access, and correction of data, all of these practices are going to be an essential part of data information and security architecture. So, does this mean startups coughing up extra money to stay abreast of the provisions of the Bill, if enacted?
“I don’t think so. This is very similar to having a testing team for the software you have developed. The provisions of the new Draft Bill assure that corresponding safeguards are in place when sensitive customer data is being handled,” Soundarajan clarifies.
These safeguards will only help enhance the quality of products offered by data fiduciaries, including startups, he added.
Cross-border Data Processing Provisions Need More Clarity
Meanwhile, industry and legal experts demand more clarity on the provisions concerning cross-border data processing, as the new Draft Bill has moved away from imposing the essentiality of data localisation.
Explaining this, Chacko said that there are two ways to look at it. In the first scenario, the companies who send data outside for processing may find it difficult in the short term because the government could create a list of countries with which data can be shared. This may pose a challenge until we finalise the list of countries we will be willing to share our data with.
In the second scenario, where Indian startups provide services outside the Indian territory, other countries may look at India’s policy when it comes to data protection.
Unfortunately, the present provisions of the Bill keep Indian government agencies out of their purview. This could trigger other countries to ignore Indian startups – just like the Chinese companies that are barred by many nations.
“Hopefully the government will come up with another law, which deals with the government’s access to data. Without that Indian startups will be in trouble,” said Chacko.
Startups Seek Govt’s Support To Stay Afloat
Having welcomed the new DPDP Bill, many industry experts are of the view that the government should also come up with a startup-friendly sunset clause and certain grants to ensure seamless compliance.
The former CEO of Data Security Council of India and NASSCOM vice-president Rama Vedashree, who was earlier a member of Srikrishna Committee, has demanded that startups and MSMEs must be given some grant and adequate time to comply with the provisions of the Bill.
“As and when the new DPDB Bill is enacted, MSMEs and early-stage startups can surely be given time and support they need from the government. I hope the new bill does not exempt them,” said Vedashree.
Vedashree further asserted that exempting offline data and powers vested with the central government to exempt certain data fiduciaries – to put it mildly – is worrying. “If we want to guarantee privacy as a fundamental right and make both private and public agencies accountable, we can’t afford such umbrella exemptions/provisions,” he said.
The Ministry of Electronics and Information Technology has invited chapterwise feedback on the new DPDP Bill latest by December 17, 2022. Earlier, speaking with Inc42, Minister of State Electronics & Information Technology Rajeev Chandrasekhar had stated that the DPDP Bill will be simple and evolvable. It will incorporate views from all the stakeholders.