Why exempting startups from the personal data protection law may hurt more than help

By Akshayy S Nanda

20 Feb 2024

Akshayy S Nanda, partner, Saraf and Partners

In the digital age, data has emerged as a currency of unparalleled value, driving innovation, powering economies, and shaping industries. With the proliferation of data-driven technologies, concerns over privacy and data protection have come to the forefront of public discourse. The enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) is a significant step in the effort to protect the privacy of Indians in the digital age.  

The aim and objective of the DPDPA is to provide a genuine choice and control to individuals in the country to determine how their personal data is to be processed. The DPDPA establishes a comprehensive framework for the collection, processing, storage, and transfer of personal data, imposing strict obligations on organizations to ensure the privacy and security of individuals' information. However, amid the stringent requirements of the DPDPA, there is a provision for startups to be granted certain exemptions aimed at fostering innovation and enabling entrepreneurial growth. 

The DPDPA recognizes the unique challenges faced by startups in complying with regulatory obligations and provides for granting of certain exemptions for startups that meet the criteria notified by the government. These exemptions are aimed at reducing regulatory burdens on startups in the early stages of development, allowing them to focus on innovation, product development, and market expansion. The exemptions for startups include: 

  • Exemption from providing notice to the Data Principal (which includes details such as the personal data being processed and the purpose for which it is being processed) and from seeking consent. 

  • Exemption from having to ensure the completeness, accuracy, and consistency of personal data being processed. 

  • Exemption from the erasure of personal data beyond the retention period. 

  • Exemption from the duty of providing the Data Principal with a summary of the personal data processed and the identities of other Data Fiduciaries and Processors with whom the personal data of the principal has been shared.  

  • Exemption from being designated as a Significant Data Fiduciary. 

In the fast-paced world of startups, navigating regulatory frameworks can feel like a daunting task. With limited resources and a laser focus on growth, many startups may view compliance with the personal data protection law as a burdensome obstacle standing in the way of innovation. 

However, what may seem like a shortcut to success could ultimately lead to unforeseen consequences. An argument often put forth in favour of exempting startups from personal data protection laws is that it facilitates rapid growth and innovation. Proponents argue that reducing regulatory burdens enables startups to focus their resources on product development and market expansion, which leads to a more conducive environment for entrepreneurship. However, this line of thinking overlooks the long-term risks associated with inadequate personal data protection practices. 

In today’s fast-paced digital economy, exempting startups from complying with the provisions of the DPDPA is likely to undermine consumer trust. In an era marked by increasing concerns over data privacy, consumers are more discerning about the companies they choose to engage with. Considering such heightened privacy concerns, the loss of consumer trust can have dire consequences, leading to customer attrition, damaged brand reputation, and diminished market credibility. 

In case a startup is exempt from providing a notice and seeking the consent of individuals prior to processing personal data, there is a high probability that users may not use the services of the startup considering the lack of transparency. If consumers are unaware of the personal data being collected by the startup and do not have the right to seek information from the startup regarding the processing activity, including third parties with whom their personal data may have been shared, it is likely that the consumers may not prefer to utilize the services of the startup. 

A leading argument put forth in favour of the exemptions is the financial burden on startups of compliance with the DPDPA. However, it is important to consider the cost of losing users on account of the exemptions and the eventual cost incurred in complying with the requirements of the DPDPA at a later date, as such exemptions are likely to be for a limited period. 

It is also important to analyze whether startups may actually face a higher cost for setting up the notice and consent mechanism, the data deletion mechanism, and the mechanism for enabling the rights of individuals at a later date, once the exemption period expires. As a startup grows and matures, it may find it increasingly difficult to retrofit its operations and products to meet the regulatory requirements, resulting in higher implementation costs and operational disruptions. 

Additionally, exempting startups from the personal data protection law creates an uneven playing field, disproportionately benefiting larger corporations with established compliance infrastructures. In a scenario where startups are not held to the same standards as their more established counterparts, innovation becomes skewed in favour of those who can afford to prioritize regulatory compliance. 

Also, embracing the exemptions that may be provided to startups may put a startup at a competitive disadvantage compared to competing startups that embrace personal data protection as a core value proposition. It is important for startups to consider that such exemptions from the current regulations may leave them unprepared for future changes in the regulatory environment. As regulatory requirements evolve and may become more stringent over time, there is a risk of startups facing higher costs of compliance, as they would eventually need to bring their operations up to par with the updated regulations. 

Another unintended effect of the exemptions is likely to be on the appropriate technical and organizational measures, as well as the reasonable security safeguards, that startups are required to implement. If a startup fulfills the criteria of a significant data fiduciary considering the sensitivity of the personal data being processed, but is exempt from being designated as one, the startup is unlikely to carry out periodic data protection impact assessments. A data protection impact assessment entails an analysis of the processing activities, an assessment of the risks to the rights of individuals, and management of those risks by way of mitigating measures. The appropriate level of technical and organizational measures, as well as reasonable security safeguards, ultimately depends on the degree of risk to the rights and interests of the individuals. 

If a startup is processing sensitive data and falls within the purview of a significant data fiduciary, the technical and organizational measures put in place by the startup may prove to be inadequate considering that it is not obligated to conduct periodic data protection impact assessments. This increases the risk of a personal data breach, and a personal data breach involving sensitive data raises significant concerns of harm being caused to the users, which will ultimately impact consumer trust and the growth of the startup. 

By prioritizing privacy from the outset, startups can build trust with consumers, differentiate themselves from competitors, and mitigate the risks associated with non-compliance with the provisions of the DPDPA. Rather than seeking exemptions, startups should embrace the requirements of the DPDPA as a cornerstone of their business strategy, leveraging them as a competitive advantage in an increasingly data-driven world. It is critical for startups to understand that building personal data protection in from an early stage is beneficial, rather than trying to retrofit features into their products or services at a later stage, which can prove to be costly. 

The DPDPA is here to stay, and startups would eventually be required to ensure that their processing activities comply with its provisions. Therefore, complying with the provisions of the DPDPA in the early stages will prove to be beneficial to startups in the numerous ways discussed. Startups should take a cue from established businesses today which are marketing ‘privacy’ as a competitive differentiator to increase the sale of their products and services. 

The DPDPA serves as a catalyst for innovation by incentivizing the development of privacy-enhancing technologies. Startups operating within a regulatory framework are compelled to find creative solutions to comply with data protection requirements while still delivering value to their customers. By exempting startups from these laws, policymakers risk stifling innovation and impeding the emergence of new technologies that prioritize privacy. 

In light of these considerations, it is crucial for startups to approach personal data protection compliance with a long-term perspective. While exemptions may offer short-term relief, they could ultimately lead to higher costs and risks for the startup in the future. Instead, startups should prioritize proactive compliance efforts, investing in robust data protection measures from the outset to ensure the long-term success and sustainability of the business. 

Akshayy S Nanda is Partner at law firm Saraf and Partners. Views are personal.