Government to exempt early-stage startups from stringent DPDP compliance

Firm timelines will be fixed by the government with regard to the exemption provided to early stage startups, from complying with the provisions of the Digital Personal Data Protection law (DPDP) related to limitations on storage and usage of consumer data without their consent.

In an interview with Fe, minister of state of electronics and IT, Rajeev Chandrasekhar said that early stage startups may be given a period of 3-6 months to test their products during which they will be exempt from certain stringent provisions. “The government will frame guidelines as to what kind of startup firms will be eligible for the exemptions. We will discuss the same with the industry as well as the Data Protection Board. But the exemption will not be for an unlimited period,” Chandrasekhar said.

The minister said that the purpose behind providing them a grace period for complying with the strict provisions is that such firms are in pre-business stage. “Once they test their product and enter the business cycle, the exemption will end,” he said.

Chandrasekhar said that when any firm is still in the stage of trying to set up a business, it will not have the wherewithal to put in place a system for data protection, but if they are found to be misusing the grace period in any form, they will be penalised.

Further, the transition period for established firms to the new regime will be different for bigger players and smaller entities. For instance, big tech firms will have tighter time schedule, while entities like hospitals in smaller districts will be given more time. In any case, the full operationalisation of the DPDP will be within the next one-and-a-half years, Chandrasekhar said.

The minister said that DPDP Act basically aims at data minimisation, purpose limitation and storage limitation. “Data minimisation, means entities can only collect, what is absolutely minimum required. Purpose limitation means they can only use it for the purpose for which they have acquired the data. And storage limitations is that after the services have been delivered, the data needs to be deleted,” Chandrasekhar said.

This means once the law becomes operational, all digital platforms, which have citizens data will have to ask them whether they want their data to remain with them or want the same to be deleted.
No more will they be able to monetise consumer data by using it for purposes other than for which it was collected. “In this sense, the DPDP addresses the asymmetry which existed between the platforms and users,” the minister said.

Companies handling large volume of data will also have to appoint data protection officers, who will be the point of contact for the grievance redressal mechanism. Such entities will also have to appoint an independent data auditor to carry out data audit.

On criticism from certain sections regarding the exemptions provided to certain government agencies from DPDP, Chandrasekhar said that such critics are taking an absolutist position, which is being unreasonable. “The government needs to have certain exemptions for carrying out its legitimate duty to the people it serves,” he said. Chandrasekhar said that in the tech space there cannot be a perfect legislation. What is needed is a framework and subordinate legislation will keep on improvising the regulations as technology changes. Financial Express