The Art of A Good Unicorn | Startup founders, be careful as data is more liability than asset now
Exploring the implications of the DPDP Act for startups, and investors, and the growing emphasis on accountability and data protection.
India has become a rapidly evolving digital landscape where technology reigns supreme. With a massive wave of digitisation borne out of the Covid-19 pandemic, there has been substantial Internet penetration in certain pockets of India, leading to an upswing in digital consumers. And therein lies the rub: The need for accountability and data protection brewing in Internet startups handling data in India’s burgeoning startup ecosystem. With such a growing reliance on the digital ecosystem, the worries around safeguarding information and ensuring responsible data handling grew.
And so, in August 2023, India’s Rajya Sabha passed the Digital Personal Data Protection (DPDP) Act 2023 to redefine how digital personal data is processed. This would be a way to use the wisdom of the past and the intelligence of the present to look at a potentially creative solution necessary for a technology-driven future.
And while this serves as discourse fodder for lawyers and people in the legal fraternity, are startups and investors giving this the due attention it deserves? Or is there a perception that policymaking may not catch up to evolving technology, so much so that people in the startup realm may not be giving the Digital Personal Data Protection Act 2023 enough focus to understand how it affects these fledgling ventures?
A technology startup that is raising maybe a Series C or a Series D round of funding, primarily, is a data collection business at a fundamental level. The DPDP Act defines such and other startups as private limited companies, partnership firms or LLPs (Limited Liability Partnerships) in India. There’s a term called “data fiduciary”, which is any entity or person that determines the purpose and means of processing personal data. Therefore, any startup in India that collects and processes personal data would be considered a data fiduciary.
There’s said to be a liberal approach to the cross-border flow of data, with the Act said to be simplifying obstacles for startups and aiming at striking a balance between the free flow of data and data localisation.
“Businesses in India have to fundamentally rethink what they do with data. Before, the approach to data was, ‘Data is good, let’s hold on to it as much as we can.’ Everybody from a kirana shop to a hospital collects every piece of data they can find and stores it in an appallingly insecure manner. Fundamentally, the Act is going to force people to rethink whether data is actually an asset or a source of potential liability," says Arun S Prabhu, Partner - Cyril Amarchand Mangaldas.
"Young startups, focussed on growing user base, acquire repositories or databases of unconsented or poorly consented data from third-party data sellers. This data is now commingled with data they have collected directly, When the new law comes into force, they will need to decide whether they have a valid basis to continue to process this data, and either get suitable consent, find a way to deprecate or anonymize this data, or risk a significant fine," Prabhu added.
For non-compliance, there could be high monetary penalties, as laid out under the Act, which could impact early-stage startups.
Mehak Khanna, Partner - Khaitan & Khaitan, remarks, “The Data Protection Bill compliance is going to add on to the cost of compliance for companies. The way the data inventory is maintained, the data is processed and safeguarded, whether the disaster management is working… all of these things are something that the companies would need to work on and consequently, if they don’t, there will be repercussions due to non-compliance. These repercussions can be a lot, because the penalties can go up to ₹250 crore, and there’s going to be a roadblock, as far as due diligence is concerned. This is going to be something that investors are going to be concerned about.”
Prabhu adds, “There is a potential for broad exemptions to be granted for certain types of enterprises. It looks like startups will get some relaxation under the Act. In my experiences engaging with the government, it is very cognisant of the impact that something has on the ease of doing business and innovation specifically. However, just because you’re a startup, doesn’t mean that it’s a free pass. Just like the market values responsibility, innovation and sustainability, startups would need to be sustainable and responsible about what they do with the data.”
Before, an acquirer like a large listed company looked at the data of a startup to ascertain how many customers they have and accordingly valued them at X rupees per customer. No longer, though.
According to Prabhu, “Now, when they look at the data a startup has, they will, also, look at what consents are associated with that data. ‘Did you have a valid notice at the time you collected this data? Can they use this data for the purposes that they intend to use it for? Is there consent associated with this data that continues to be valid under the new law? Is this data subject contactable?', so that they can give them a fresh notice.”
So, merger and acquisition entities would pose these questions and more to ascertain whether a startup ought to be acquired or not.
Prabhu continues, “Effectively, this is a barrier to entry for irresponsible people. On the other hand, startups that have treated this as a data grab would have to think long and hard about what data they can use and how they can continue to use it.”
“With e-commerce, these businesses are fairly sophisticated about how they deal with data. In India, e-commerce needs to be mindful of two principles: purpose limitation and storage limitation. Purpose limitation basically means if you collect data for a certain purpose, you use it for that purpose or something that is reasonably related or ancillary to that purpose. Storage limitation is, basically, if you collect data for a purpose, you keep it for as long as it’s necessary for that purpose; you don’t hold on to it perpetually, just because you’ve got it”, adds Prabhu.
Prabhu continues about the fintech sector, “If you look at the digital lending guidelines, they have specific requirements about what data can be collected and what data cannot be collected. The great thing about the Indian rules is that they suitably recognise the restrictions that the sector regulator has put in place. Fintech businesses, to my mind, will still have to revolve around the RBI framework to the extent that they see deltas between what the RBI permits and what is permitted under the Bill.”
“The Data Protection Act is an asset for the individual, but as far as the industry is concerned, it is definitely an added cost of compliance, which would have its own set of repercussions”, quips Khanna.
So, the DPDP Act may make startup founders take notice by introducing new obligations, but it could, also, be used to showcase a certain degree of dedication to data privacy and foster trust with users. At the same time, it could mean business opportunities, with startups potentially developing new products and services to help businesses comply with the Act or help consumers manage their privacy.
The Digital Personal Data Protection Act 2023 indicates that startups must gear up for a new era of data protection and privacy. As the former judge of the US Supreme Court Louis Brandeis once remarked, “The greatest dangers to liberty lurk in insidious encroachment by people of zeal: well-meaning, but without understanding”. With India’s zeal for technological progress, can the DPDP Act balance it with the need for privacy and data protection?
Shrija Agrawal is a business journalist who has covered startups and private capital markets before it was considered cool in India.
The views expressed are personal