Data Protection Bill: Restrictions on cross-border data transfer will hurt Indian start-ups that depend on global tools #NAMA

Key Takeaways

• No clarity on how the law will work when Indian businesses use so many global tools
• Indian companies looking to go global will face a problem with the law
• The compliance burden might stop companies from offering services in India

“There is certainly a lot of awareness lacking especially among small companies and young companies on how [the Data Protection Bill] is going to impact them. Most of the popular discourse has been around the rights part of the issue. There needs to be a much stronger conversation around how it is going to impact businesses. There is every reason for us to be anxious as businesses,” said Sijo Kuruvilla George, Executive Director at Alliance of Digital India Foundation, in a panel discussion on cross-border data transfers at a MediaNama event— Decoding India’s Data Protection Bill— held on January 19, 2022, in which Prasanto Roy, Public Policy Advisor, Ashish Aggarwal, VP & Head of Public Policy at NASSCOM, Jyotsna Jayaram, Partner at Trilegal, and Rahul Sharma, Founder of The Perspective and Grade Ace also participated.

MediaNama’s discussion on the Data Protection Bill 2021 was organised with support from Google, Flipkart, Meta and Star India, and in partnership with ADIF. To support a MediaNama discussion, please let us know here.

What problems will Indian businesses face?

1. Indian start-ups and entrepreneurs rely a lot on tools that might not be compliant: Nikhil Pahwa, Founder and Editor, MediaNama gave the following scenario of how a business in India might be using tools from around the world and will find it hard to comply with the data localisation mandate:

“If I am targeting the US market for drop shipping from Aliexpress to the US, and I’m running this business out of India, I might be using using Optimizely to optimize my page, I might be using MailChimp to mail my customers, I might be using a bunch of other services to identify products for drop shipping, I might be using PayPal as a payment gateway. In that sort of a global context, how exactly does this work because you know financial data is sensitive personal data here. If you look at Gujarat, and Ahmedabad in particular is a hub for all sorts of WordPress developing outfits that that create most many of the best themes globally. How does all of this survive data localization mandate, like how will those transactions actually take place is something I don’t understand.  Will they actually be able to function?”

In such instances, who is going to be liable, Pahwa asked. “Is it going to be like arbitrary implementation where they won’t go after that small WordPress development outfit out of Ahmedabad, but they might focus on the larger players?”

Adding to this example, George pointed out how Indian companies :

Advertisement. Scroll to continue reading.

“An average small ecommerce store, right, will have at least 34 to 35 plugins. And these plugins will be different for different ecommerce stores. And we have millions of such stores operating out in the web. So that’s one just to layer that what Nikhil [Pahwa] brought to the table. But if I add one more layer to that, this is probably a business that’s functioning, they have 34 stable things, they are gonna use the next four or five years. But if you look at the way, you know, most young developers or founders have started to play around with right. Every other day you try out new services. And there is a new service, which may or may not be  fully complying with all our norms. And that’s a small startup. And lots of tools are the way in which we optimize productivity.”

2. Indian companies looking to go global will face a problem with the law: “If you’re imagining a future where Indian SAAS companies, Indian startups are going to be global unicorns, then those very companies will face a problem with this law because then they want to optimize things and they want to be near to customers in terms of what they are offering as services and solutions. Then this very law will come and bite them right because it will require them to segment the way they architect their data and solution. So I think that that entire thought process somewhere got a bit of a gloss over when we are thinking about our own domestic economy,” Aggarwal explained.

3. Could stop companies from offering services in India: George explained how the norms can deter some companies from having a presence in India because of the compliance burden. “Even a simple Google Form circulated for getting information or let’s say salary levels or whatever, or even gender for that matter, will definitely come into the purview of this particular localization law,” George said. Adding to this, Roy gave the example of RBI-new norms for card information that has left many international players such as New York Times not knowing what to do for their Indian users.

“In the best case scenario, we’ll have compliance solutions by which we adhere to these norms. But in the worst case scenario, we’ll have a lot of companies deciding not to do business in India.  Behind the recent RBI regulation we had a couple of companies saying that, hey, we’re not able to understand how to comply with it, so in the interim, we’re going to stop services to your country.” – Sijo George

Recommendations

• Relook the categorisation of data fiduciaries and significant data fiduciaries by taking into account millions of young entrepreneurs and developers out there, George recommended. “We have 1000s of solopreneurs, who operate just on platforms by running their businesses. So the challenges that open up in terms of completely sidelining them or just burdening them with additional compliance is could be very high if you don’t get the balance right,” George said.

“Balancing the ability to innovate for the large sections of youngsters will be the engine that powers India over the next decade or more. And that balance, I think it’s sort of missing. […] We have a brilliant opportunity to sort of catapult ourselves into a major powerhouse from the startup sector or anything else and this sort of completely missed that particular board.

• Invest in awareness and capacity building: There have to be sufficient investments into awareness building, sufficient investments into capacity building, and a very phased implementation so that people have time to get adjusted to it, George recommended. We also need to ensure that as a country there is adequate data infrastructure there to support what the Bill requires, George added.
• Start a fund to support businesses: “For the telecom sector for increasing service life and everything, we use a fund, an equivalent should be at least conceptualized in terms of getting people equipped in terms of making sure solutions are available. Otherwise, we will have a situation where almost everyone is on the wrong side of the law, and that’s not healthy for just any country for that matter,” George suggested.
• Don’t hamper innovation: “We have made significant progress in terms of this law and it’s great. But I just think that the objective of maximizing privacy protection should not be something at the cost of hampering innovation. Just even in January, every day, we are counting new tech unicorns and it is going to be a flood when we think of the next decade in that sense. So I think maximizing innovation and maximizing privacy protection if you do that, that’s really the smart way of doing this law,” Aggarwal said.
• Get key players like cloud service providers on board first: Roy recommended that when there is such enormous complexity in the ecosystem we can follow RBI’s template and have key platforms such as payment gateways and cloud service providers comply and have other companies use the services of these compliant platforms. But George pointed out that this will create antitrust issues as there will be a concentration of a few key players.

“They tell the regulated entities to regulate the others. One example of that is all the third party apps which are regulated through NPCI. And if you know, the NUE, which are competitors to NPCI, the same things will apply to them that all the associated entities and apps and so on will need to be, regulation will be enforced through them. So I think the same thing comes here that startups may be aware that platforms like cloud service providers, etc, will be actually liable.” –  Roy.

Update (Feb 1, 11:00 am): This post was rewritten following editorial direction

Also read:

• Data Protection Bill: Financial data, non-personal data and algorithmic transparency should be regulated separately #NAMA
• Data Protection Bill: Lower age of consent, limit data portability, strengthen data breach rules, and introduce more grounds for processing data #NAMA
• MP Ritesh Pandey on Data Protection Bill: Childrens consent, DPA, Govt access to data; hopes that judiciary will add checks and balances
• Data Protection Bill 2021: Key takeaways from the JPC report tabled in Parliament