To understand the impact of the Draft Data Protection BIll (DPB) on Small and Medium Businesses (SMBs) and startups, Privacy Mode interviewed representatives across the industry. The interviewees shared their perspectives on how complying with the mandates and provisions of the Bill is likely to affect opportunities for innovation, investment and the costs of doing business in India.
This report provides a more nuanced discussion on data governance policies, especially regarding the regulation of data protection laws in India, and helps inform more consultations around data governance, data protection and rights.
The Personal Data Protection (PDP) Bill, 2019, was first introduced in the Lok Sabha by the Ministry of Electronics and Information Technology (MeitY) in December, 2019. Its primary intent was to protect the digital privacy of individuals relating to their data, while acknowledging the right to privacy as a fundamental right and necessary to protect personal data as an essential facet of informational privacy. It also aimed to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.
Cite this report- Dash, Sweta “The past as a compass for future - SMEs and the startup ecosystem in India share concerns about the (retracted) draft Data Protection Bill, 2021 - and the way forward for businesses” (2022) at https://hasgeek.com/PrivacyMode/dpb-survey-report/
(The reference text of the Draft Data Protection Bill, 2021 is mentioned in the citations. You can also see the timeline, showing how the text and provisions of the Bill have evolved through various stages.)
According to the Bill, personal data is defined as data about or relating to:
- Natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such a natural person.
- Whether online or offline.
- Any combination of such features with any other information.
- Shall include any inference drawn from such data for the purpose of profiling.
In 2019, the Union Government referred this Bill to a Joint Parliamentary Committee (JPC). The updated Draft Data Protection Bill (DPB), 2021 emerged from the JPC report tabled in 2021.
The Draft DPB had changed the initial PDP Bill significantly, and received mixed responses and concerns from stakeholders .
To understand the impact of the Draft DPB on Small and Medium Businesses (SMBs) and startups, Privacy Mode interviewed representatives across the industry. The interviewees shared their perspectives on how complying with the mandates and provisions of the Bill is likely to affect opportunities for innovation, investment and the costs of doing business in India.
This report provides a more nuanced discussion on data governance policies, especially regarding the regulation of Data Protection Laws in India and helps inform more consultations around data governance, data protection and rights.
The conduct of this survey and the drafting report was done prior to the withdrawal of the DPB on 3rd August, 2022. The intent of producing this report was to collect peer review from industry practitioners and compile this as feedback to be shared with MeitY and the JPC. We believe that this report is relevant and timely because the findings presented here provide insights into industry concerns which can be leveraged when the government drafts the next version of India’s privacy bill. For data privacy of users to be genuinely achieved in India, privacy policies and laws must provide guidelines and directions to the industry without detailing operational requirements. Else, compliance becomes a checkbox to tick, while privacy continues to be put on the backburner.
|Summary of key concerns
|Ambiguities about sensitive and personal data, and the addition of non-personal data (NPD) into the ambit of DPB
|Increase in compliance burden and costs owing to provisions such as privacy by design and algorithmic fairness which will be certified by the Data Protection Authority (DPA)
|Restrictions on cross border flow of data, and impact on innovation
|Mandates for privacy by design and algorithmic fairness are unviable and impractical to implement
|Overreaching powers for the government further increase unjustified surveillance
While the JPC report recommended that both personal and non-personal data must be brought under the ambit of the same data protection law, or rather under “a single administration and regulatory authority", respondents remain sceptical of the intent and implications of such a move. They said this transition from PDP to the current DPB relegates users to the margins instead of putting them on the centrestage in the discourse on privacy .
To them, the onus of the user’s privacy now shifts on to businesses. And, since data aggregated by businesses is a mix of both personal and non-personal, it increases their operations and compliance costs. Segregating this data into non-personal data, sensitive personal data, and critical personal data is a herculean task for businesses, especially those who operate on a data heavy model.
📖 Read more about this key finding
On one hand, the DPB now allows non-consensual processing of data under several circumstances. That is concerning because consent must ideally be the foundation of a Bill on data protection, especially given the fact that DPB is still a chapter in the history of the milestone Puttaswamy judgement.
Clause 13 of the DPB, for instance, notes that non-consensual processing of data “can reasonably be expected by the Data Principal.” The next Clause then disregards user consent for measures like search engine operation and credit scoring.
On the other hand, the mechanisms for businesses to adhere to consent have become more cumbersome. With the requirements of consent managers and multiple levels of checks and balances, respondents are confused about what is even expected of them. To them, this will eventually be a reason for greater compliance costs for the business and friction for the end-users.
📖 Read more about this key finding
The draft DPB’s mandates on physical data storage and processing the data within the country’s jurisdictional borders is seen as a serious impediment to growth, investment, and innovation opportunities for businesses.
Additionally, the DPB has different standards for handling sensitive personal data and critical personal data adds to compliance costs because businesses are finding it difficult to understand what this will mean for costs of operations. They also find it challenging to now segregate three categories of data and having to invest in resources that will be needed to do the same.
Transfer of data cross-border requires explicit consent of the Data Principal, pursuant to a contract or intra-group scheme approved by the Data Protection Authority (DPA) in consultation with the Centre. This leaves businesses worried about extra approval mechanisms and audit systems. So much so that some said they might consider moving the base of their business to a different country instead.
📖 Read more about this key finding
In principle, respondents welcomed the move to build mechanisms and processes for Privacy By Design and Algorithmic Fairness. They think it is time that privacy and fairness gets its due recognition and importance in data businesses. However, they are concerned that these are theoretical concepts and not viable to implement and adhere to on a routine basis. Respondents said that it is difficult to have broad but uniform standards for these approaches, and that a blanket solution will not cater to the nuances of data that each business operates with.
Respondents also shared that these are not measurable metrics - which then translates into:
- It will be difficult to comply with and get certifications by the DPA; and
- It is always possible for some algorithms to have roundabout ways to seem fair without actually being fair. Respondents felt that this defeats the purpose of this provision in the DPB .
📖 Read more about this key finding
The DPB 2021 assures exemptions for the government and central agencies (including the police, Central Bureau of Investigation (CBI), Enforcement Directorate (ED), Research and Analysis Wing (RAW), Intelligence Bureau (IB) and Unique Identification Authority of India (UIDAI) after the JPC report with the insertion of a non-obstante provision in Clause 35.
Respondents remain fearful of such provisions that grant overarching powers for the government and central agencies to process data without the user’s consent. Among other things, they are concerned that these exemptions are “scary”, “unjustified”, and “unconstitutional”.
They are also worried that such unregulated data access by the State can have potential security threats to their digital and proprietary information.
📖 Read more about this key finding
The objective of this qualitative study was to understand the concerns that startups and SMBs had regarding the Draft DPB. At a time when startups and SMBs play such a crucial role in the digital economy of the country, and data itself holds the centrestage across sectors, it is imperative to hear from the individuals who have firsthand experiences that can inform more consultations around data governance, data protection and rights.
The interviews reveal that there is a strong need for:
- Clarifying the scope and intent of the DPB;
- Include provisions for reasonable and proportional legal safeguards as part of the mandates drafted in the DPB. Without this, respondents are worried that the ramifications will be fatal for innovation, growth and security of data, among other things.
Now that the DPB has been withdrawn and it is likely that the Government will table a new set of legislations for data privacy in the winter session of the Parliament later this year, we hope that these concerns of SMBs and startups will be taken into account. We hope the report helps to facilitate more interactions between practitioners and policymakers for such future iterations of India’s privacy bill, and in turn, will inform policy directions and guidelines that can genuinely protect users’ digital data.
After four years since it was first tabled in the Parliament, the Draft DPB was withdrawn in August 2022. The next version of data protection legislation is likely to be tabled in the winter session of the Parliament later this year. It has been said that the DPB will be replaced by a more “comprehensive framework” that will be in alignment with “contemporary digital privacy laws”.
It is worth remembering that a robust legislation on digital data protection is, indeed, the need of the hour, and surely long overdue. And, the road to this legislation has had a commendable history - one that stems from the Puttaswamy judgement which acknowledged privacy as a right. That the country needs a reliable data protection law, especially in these times of digitization and consensus on the importance of data, cannot be emphasized enough.
We do consider this a milestone that the State is finally invested in the framing of a legislation that is meant to safeguard the users’ data privacy and sovereignty as well as facilitate growth and innovation of businesses dealing with digital data. Reports already suggest that certain concerning aspects of the DPB are likely to be taken care of. Having said that, the fact remains that four years later, we are at square one again.
As we wait for a data protection law in India, we hope that the new legislation will cater to the on-ground voices of the businesses who will be affected by such laws. Besides, as SMBs and startups have had a lot of experience with regulations and compliance procedures for their specific businesses already, be it with the European Union’s General Data Protection Regulation (GDPR) or with sectoral laws and policies for their industry, they certainly do have useful insights on what data protection regimes can actually do to foster innovation while safeguarding privacy rights.
Below are some recommendations, drawn from the survey, which Privacy Mode advocates need to be considered in the new data protection legislation when it is next tabled in the Parliament.
The mixing of personal and non personal data has given rise to a lot of confusion about the DPB, and adds more layers of compliance and operational costs for businesses.
Since non personal data can be de-anonymized, it poses a privacy threat to the ecosystem. Even when the data is in the form of aggregated, non-identifiable form, respondents said that there is always the possibility of re-identification.
We recommend that non-personal data be left out of the DPB, and that it be governed through other frameworks. We also recommend that the government must carry out consultations with stakeholders to decide on how non-personal data can be regulated. It is also recommended that policymakers provide concrete definitions for new categories of data as sensitive personal data, and not let this be an arbitrary process.
It is imperative that the DPB does not mandate restrictions on storage, transfer, and processing of personal data within the border of this country alone. This will be a serious blow to the open nature of the internet and digital data.
While it is commendable that this provision is meant to assure safety and privacy of personal data, these could very well be achieved without such restrictive measures. An environment ensuring free flow of data - while guaranteeing privacy and reasonable safeguards for data sovereignty - will help in promoting an open and innovative society and economy.
In fact, the latest National Trade Estimate Report on Foreign Trade Barriers released by the US government in March 2022 also makes a strong case against such provisions in the DPB. It said that these provisions “would serve as significant barriers to digital trade between the United States and India. These requirements, if implemented, would raise costs for service suppliers that store and process personal information outside India by forcing the construction or use of unnecessary, redundant local data centres in India … (and) could serve as market access barriers, especially for smaller firms.”
To assure privacy in the free flow of data across borders, the future version of a privacy bill for India must endeavour to provide adequate legal safeguards that will be beneficial to the user’s data and to the business’s success. Additionally, ambiguous phrases like “public policy” and “State policy” must be defined in it.
First, as the founder of an MLOps business said,
“But I think the way to do privacy by design is to create public goods, shared recipes, scripts, tools, methods, in steps to be followed, make it really easy for companies to think about privacy, right? But you will not have this until you have means, motive, and opportunity.” By means, the founder referred to necessary background knowledge about tools and script required. By motivation, they referred to the creation of a general discourse on privacy in tech. And, by opportunities, they meant that individuals who pursue privacy research and design ought to be given incentives and made to feel valued. “The bill addresses a little bit of the motivation, but we have a long way to go,” the founder said.
Second, respondents suggested that there should be clarity about what Privacy by Design even means in the context of DPB, and how the DPA hopes to certify and approve this for businesses.
Third, many respondents suggested that Privacy by Design policy should not be a mandatory compliance requirement that needs approval by the DPA. “It should come into picture when there is a dispute in terms of data protection, i.e., if there have been some issues in terms of data protection, data privacy or information security, then the privacy by design policy of the company can be scrutinized.”
Fourth, one respondent involved with an agri-tech business suggested easing of the consent management systems involved with Privacy by Design policy as prescribed in the provisions of the DPB. They suggested one waiver instead of multiple consent management checks that add more friction to the process for users and for businesses.
First, the provision needs clarity. Since this is a design and technology principle that is largely a theoretical concept, it will be useful to have defined boundaries regarding what the DPB means by algorithmic fairness.
An architect with a FinTech business said,
“I think the regulation needs to define what exactly it tries to achieve with looking at the whole fair AI algorithm. In my view, that basically comes to the question of specific vulnerable groups, for example, groups of women who do not have access to the formal financial system. So for people with low income or people who are on social benefits, and make sure that the algorithms are not discriminating against groups of people.”
Second, it is necessary to have use cases for this provision. In the words of the respondent cited earlier,
“This is what needs to be defined very well by the regulation: what specific use cases need to be addressed? Otherwise, we can always find, you know, a criteria on which certain algorithms won’t be fair or want to get to groups of customers in the same way. So it is a very, I would say delicate question, which needs specific use cases to be defined to make it very much practicable and enforceable, especially in the financial technology sector.”
Third, data and technology experts, especially, recommended that this provision of the future version of a privacy bill for India can be closer to being practical only when measurability and accountability factors are clarified. Respondents said that it is essential to know what metrics the DPA hopes to use for algorithmic fairness.
Finally, that will then require a team of auditors who are well-versed with data and algorithms in ways that they can address nuances and specificities of all businesses. The auditors should be composed of neutral arbitrators too “who can actually assess how fair the algorithms are in that particular context” said one respondent.
To thwart the risks of overriding powers of the government’s access to data, some of the recommendations by respondents are as follows.
The lack of clarity about what constitutes as “necessary or expedient” to enable broad data sharing with the government needs to be addressed.
“I think the Bill needs to specify what exactly means by fair requirements, and in what cases this actually needs to happen. Otherwise, what is left at the discretion of the government agencies might be interpreted in multiple ways. It is important to outline more more concrete, specific use cases,” said an architect.
One of the respondents suggested that such demands for broad exemptions to the government and central agencies must be supported by “at least the High Courts or higher, and not even by the level of a magistrate or even SHO kind of thing.” Another respondent also echoed this recommendation,
“I think the exemptions need to have a process that the courts need to uphold, rather than the exemptions being blanket requests, which they can make at any time without any sort of checks and balances.”
It is worth noting that the earlier 2018 draft did have provisions for due authorization by law for such provisions.
This report has been created through semi-structured interviews with individuals in SMBs and startups .
The Privacy Mode team identified and shortlisted business leaders, startup founders, Chief Executive Officers (CEOs), Chief Technology Officers (CTOs), security and compliance experts, product managers, and engineering heads from the Indian SMB and startup ecosystem. A total of 30 individuals were interviewed through June and July 2022. Domain diversity and scale of operations of the startups were the two factors considered when shortlisting and contacting individuals and organisations to participate in this research.
The Privacy Mode team reached out to the interviewees with a primer on DPB, interview questionnaire, and an ethics and consent form prior to the interviews. See Appendices I and II for reference to the primer and the questionnaire. The primer and background material were compiled so that respondents understood the nuances and trajectories of DPB before the interview, and were in a position to respond to the questions with an informed opinion.
We thank all the interviewees who participated in this research and have shared their views.
Sweta Dash is the Lead Researcher of this study. She is a researcher and independent journalist based in New Delhi.
Kalki Vundamati was the research assistant for the report.
Aditya Sujith Gudimetla drafted the interview questionnaire, which was finalized taking into account comments from reviewers, and based on the responses during initial interviews.
Neeta Subbiah draft the primer, and participated in initial interviews.
Sankarshan Mukhopadhyay, editor at Privacy Mode, reviewed and provided critical feedback during various stages of this report’s preparation.
David Timethy is project manager at Privacy Mode. He oversaw the completion and publication of this report.
Anish TP create charts and visuals for the report.
In keeping with Privacy Mode’s policy of peer review, interviews were conducted by the Lead Researcher and collaborators from the community. We thank the interviewers from the community for their active role in the research process, and for bringing a critical perspective to this report.
- Dr. Akshay S Dinesh is policy and ethics consultant at Weavez Technologies.
- Joshina Ramakrishnan from Weavez Technologies is a software engineer and an entrepreneur with a decade of experience in inclusive technologies.
- Kritika Bhardwaj is an advocate practising in Delhi.
- Maansi Verma is a lawyer and public policy researcher.
- Sameer Anja is co-founder at Arrka Privacy Management Platform.
👉 Draft Data Protection Bill, 2021:
👉 Seetharaman, Bhavani: “Understanding innovation in the Indian tech ecosystem” published at Mozilla Open Innovation Project: Understanding Innovation in the Indian Tech Ecosystem . Specifically, see the chapter on the impact of policy on entrepreneurs in non-urban ecosystems - https://has.gy/ipSo
👉 Timeline of the Bill
👉 Appendix - 1 Primer
👉 Appendix - II Interview questionnaire