Data Protection Bill revision: Startups could be exempted from some provisions

Written by Soumyarendra Barik

New Delhi | November 18, 2022 04:19 AM IST

3 min read

Data Protection Bill revision, Startups Data Protection Bill revision, start ups, Business news, Indian express, Current Affairs

In August, this paper had also reported that the new Bill could dilute the contentious data localisation requirements by allowing cross-border data flows to “trusted geographies”. The government could notify these geographies following an analysis of a particular region’s data security laws, and from where it can access personal data of Indians.

To ease compliance burden for the country’s startups, they could be exempted from certain provisions of the revamped data protection Bill, The Indian Express has learnt. The new Bill could also have a regulatory sandbox for startups, which would allow them to operate for a certain period of time without having to adhere to provisions of the Bill.

The Data Protection Board, an adjudicating body proposed to enforce the provisions of the Bill, will be incharge of categorising entities that could claim these exemptions after an assessment of the number of users and volume of personal data they process, among other factors, it is learnt. These entities — expected to be identified as “small data fiduciaries” — might be exempted from adhering to undertaking certain additional safeguards for children’s personal data, among other things. A data fiduciary is essentially any business that handles and processes personal data of individuals.

The Indian Express had, in July, reported that several startups in the country had complained about some of the provisions of the previous version of the Bill for being too “compliance intensive”. Under the old version, the Bill had an exemption for “small entities” where the processing of data was manual, and not automated. Almost none of the startups in India would have qualified for that exemption given that data processing is largely an automated task.

In August, the government withdrew the earlier Personal Data Protection Bill from Parliament after putting in nearly four years and having gone through multiple iterations including deliberations by a Joint Committee of Parliament. It said the government would soon finalise a “comprehensive legal framework” for the online ecosystem. The government is understood to be close to finalising the revamped Bill, internally being referred to as the ‘Digital Personal Data Protection Bill’, and come out with a final draft version in a week.

On Tuesday, The Indian Express reported that under the revamped Bill companies dealing in personal data of consumers that fail to take reasonable safeguards to prevent data breaches could end up facing penalties as high as around Rs 200 crore. Penalties are expected to vary on the basis of the nature of non-compliance by data fiduciaries — entities that handle and process personal data of individuals. Companies failing to notify people impacted by a data breach, and unable to safeguard children’s personal data could be fined close to Rs 150 crore.

Soumyarendra Barik

Soumyarendra Barik is Special Correspondent with The Indian Express and reports on the intersection of technology, policy and society. With over five years of newsroom experience, he has reported on issues of gig workers’ rights, privacy, India’s prevalent digital divide and a range of other policy interventions that impact big tech companies. He once also tailed a food delivery worker for over 12 hours to quantify the amount of money they make, and the pain they go through while doing so. In his free time, he likes to nerd about watches, Formula 1 and football. ... Read More

Tags:

start ups