In a recently organised stakeholder’s consultation, members of the Internet and Mobile Association of India [IAMAI] raised concerns about the possible impact of the Data Protection Bill on the tech startup sector in India.
The first and most important concern emanates from the insurmountable difficulty of collecting and processing personal data proposed in the draft Bill. Restrictive clauses around purpose limitation, storage limitation and collection limitation will make it very difficult for startups and potential startups to get into the data business. Restrictive norms of consent including “bearing the burden of proof of consent," is responsible for the correctness of the data collected will add to the difficulties of data fiduciaries.
In addition, poorly defined benchmark for “significant data fiduciaries” leaves the room wide open even for mid-sized data companies the onerous burden of compliance such periodic data audit, data protection impact assessments including permission from the proposed Data Protection Authority for every new technology introduced.
Finally in case of accidental or involuntary non-compliance with any of the provisions of the law invites heavy fines which most of the startups are not in a position to pay and criminal charges that are most undesirable.
IAMAI members point out that collection and processing of first-hand data for monetisation is the only lifeline for startups. Such data is also critical for analysing customer preference and response, designing and fine-tuning services, identifying key revenue streams, targeted marketing and promotion.
In the new regime, the absence of avenues to collect primary data from users, startups would be forced to depend on incumbent businesses for ‘anonymised data’ that does not come within the ambit of this Bill. Incumbents may refuse to share data with potential competitors, or demand premium price for anonymised data products. Going forward, such incumbents can become the gatekeepers to the tech sector. This does not augur well for a competitive space required to promote tech startups.
Some other members of the association who are mid-sized startups with ambitions to expand in overseas market feared that their plans may be scuttled by the provisions of data localization. Other countries where they are expanding may retaliate by demanding reciprocal data localisation. Data localisation also forces Indian startups to look for more expensive and inefficient local solutions.
On the whole, with ease of doing business being still relatively difficult for startups; creation of an additional and complex regulator in the form of Data Protection Authority with the ill-defined mandate will make things much more difficult for Indian tech startups.