The Personal Data Protection Bill, to be tabled in Parliament during the monsoon session beginning on Thursday, is likely to exempt startups from key provisions relating to usage and purpose of data collected from citizens.
This means that unlike big data fiduciaries, startups may not be bound by limitations such as collecting the absolute minimum data required for any purpose and limiting its usage to the intended purpose. They also may not be required to delete the data once the service for which it was collected has been delivered.
Analysts said that if such exemptions are granted then citizens may have to deal with the startups concerned at their own risk, and there may be no respite from spam and marketing calls. Further, the chances of data breaches from such entities may be high.
While the Union Cabinet has approved the Personal Data Protection Bill, the government has not put the contents of the legislation in the public domain. A draft released in November last year for public consultation had said the government reserves the right to provide exemptions after considering the volume and nature of personal data processed by certain data fiduciaries or class of data fiduciaries. In a leaked version of the final draft it has reportedly added startups to this category.
However, the definition of startups has not been provided. According to experts, if this clause is retained, the category of startups which may be exempt from the provision may be spelt out at the rule-making stage.
Officials said that while startups may be given exemptions at the discretion of the government on a case-by-case basis, in instances of data breach they will be equally liable for penalties and other regulations under the law as other data fiduciaries.
While certain consumer groups and legal experts have welcomed the thought behind exempting startups from such provisions (enumerated in Sections 6, 9, 10, 11, and 12 of the Bill), they have also expressed concern over non-compliance with broader regulations while dealing with personal data.
“The government needs to specify as to how and on what basis the startups will be exempted. Further, the government should also clearly mention the timeline for which certain sections of startups will be given exemptions,” said Amol Kulkarni, director of research at Consumer Unity and Trust Society (CUTS).
According to Kulkarni, after giving the exemptions, the government will have to closely monitor how the startups are processing data and take action if consumers complain against them.
“Even if the government is likely to exempt the startups from certain provisions, the main clause is that exemption will be dependent on volume and nature of data processed. The exemptions on a case-to-case basis would be helpful as it is difficult to define any thumb rule as to which class of startups will get exemptions,” said Supratim Chakraborty, partner at Khaitan & Co.
According to Chakraborty, the government should prioritise the nature of data a startup is processing over volume of data. Simply put, if a startup with two-three people is processing data around child psychology or medical data, it should definitely not be given any exemptions.
Financial Express