The Bill is meant to protect Indians’ rights over their data, and envisions a Data Protection Authority (DPA) that will enforce good data practices by public and private institutions.
If data is the lifeblood of the modern economy, then digital entrepreneurship is its beating heart. This is particularly true in India where public and private institutions have historically struggled to reach the last mile. Start-ups are working towards bridging the gap. Access to high-quality data is enabling them to provide micro-credit to the under-banked, ed-tech solutions to students in the smallest towns, and cheaper forms of medical diagnostics to the most vulnerable.
It is in this context that India’s draft Personal Data Protection Bill should be seen. The Bill is meant to protect Indians’ rights over their data, and envisions a Data Protection Authority (DPA) that will enforce good data practices by public and private institutions. This is a timely and welcome move, since it will help minimise data-based harm to Indians.
However, India has also set itself a goal of a $1-trillion digital economy. This ambitious target will require it to develop a thriving start-up ecosystem. It is therefore important that the privacy bill does not lead to an uneven playing field for them. This is not an unfounded risk, as evidence from other countries shows.
We know that in Europe, smaller AdTech firms lost market share to “big tech” players like Google and Facebook after Europe adopted “General Data Protection Regulation” — its privacy law — in 2018. This could be driven by many factors, including big tech’s ability to devote more resources to compliance and reduce data access for smaller firms. Investors have responded to these market signals as well. Researchers from the University of Maryland have shown that venture funding into early-stage technology firms in Europe declined 18 per cent by volume and 40 per cent by value after enforcement of GDPR.
Therefore, India’s privacy law should not disproportionately increase the cost of business for start-ups vis-a-vis big tech and other large incumbents. We have four suggestions on how this level playing field can be achieved.
To start with, the DPA could consider the differential impact on small businesses while formulating regulations under the law. This can be achieved by amending Section 94(1) of the Bill to require that the DPA conduct cost-benefit analysis while making rules, and explicitly consider the impact on small businesses, among other factors. The cost-benefit analysis should be put in the public domain as is mandated in other countries.
Second, the penalties under law should be revisited. The draft Bill provides for fines of up to 4 per cent of global revenues of a business. Smaller, newer digital businesses are likely to have lower profit margins and perhaps even losses. Fines based only on revenue will affect them disproportionately. This can be mitigated by specifying that the DPA also consider profits or profit margins while imposing fines.
Third, long legal battles are disproportionately expensive for small businesses. They might also hesitate to go to court against a DPA order for fear of retribution. One way to alleviate these concerns would be to ring-fence the judicial or adjudicatory functions in a separate body rather than having it housed within the DPA, as envisaged in the current draft. The Supreme Court also recommended such a separation in its observations on the case pertaining to the Competition Commission.
Finally, this is an evolving space where many issues are simply unknown. The DPA would, therefore, benefit from listening to all stakeholders, including start-ups. One way to do this is through board representation. Currently, the board of the DPA consists of five of its senior employees. The board will be more effective if most of its members are independent, and represent civil society, academia, and small businesses.
Explained | The issues, debate around Data Protection Bill
Another way to do so is through processes that prioritise consultation, transparency, and predictability. South Korea, for example, has sought to achieve it by mandating a publicly-released impact assessment before any regulation is passed. Indian regulators like TRAI also have a track record of a reasonably robust consultation process.
Data protection regulation is at a nascent stage around the world. Just as India is seen as a global leader in the design of its “digital infrastructure”, it has an opportunity to be a global leader in data protection, especially for developing countries facing similar challenges and opportunities. To make this happen, the DPA must prove itself able to safeguard the consumer while also creating space for Start Up India to thrive.
This article first appeared in the print edition on March 13, 2020 under the title: ‘A level playing field.’ The writers work at Omidyar Network India, an investment firm.