New Data Protection Law Reveals Challenges for Startup Entrepreneurs

Navigating India's Data Protection Law: Startup exemptions, grace periods, and the innovation-protection balancing act.

Swati Dayal
24 Aug 2023

Early-stage startups will not be exempt for an unlimited period from complying with the Digital Personal Data Protection (DPDP) law's limitations on the storage and usage of consumer data without their explicit consent. Rajeev Chandrasekhar, the Minister of State for Electronics and Information Technology, said this in a media interview.

Startups to Also Face Data Protection Compliance

In an exclusive interview with Financial Express, Chandrasekhar said that while certain stringent provisions of the law would apply to startups, they may be granted a 3-6 month grace period to test their products under relaxed regulations.

However, he clarified that these exemptions would not be permanent, indicating that the government would establish guidelines in collaboration with the industry and the Data Protection Board.

“The government will frame guidelines as to what kind of startup firms will be eligible for the exemptions. We will discuss the same with the industry as well as the Data Protection Board. But the exemption will not be for an unlimited period,” Chandrasekhar said.

The Purpose Behind Providing A Grace Period To The Early Stage Startups

In the FE interview, the minister said that the purpose of giving such firms a grace period for complying with the strict provisions is that they are in the pre-business stage. “Once they test their product and enter the business cycle, the exemption will end,” he said.



Chandrasekhar said that when any firm is still in the stage of trying to set up a business, it will not have the wherewithal to put in place a system for data protection, but if they are found to be misusing the grace period in any form, they will be penalised.

Further, the transition period for established firms to the new regime will be different for bigger players and smaller entities. For instance, big tech firms will have a tighter time schedule, while entities like hospitals in smaller districts will be given more time. In any case, the full operationalisation of the DPDP will be within the next one-and-a-half years, Chandrasekhar said.

Digital Personal Data Protection Act, 2023: A Paradigm Shift in Data Regulation

India's journey towards digital data protection took a significant step with the notification of the Digital Personal Data Protection (DPDP) Act, 2023 by the Ministry of Law and Justice on August 11, 2023. This landmark legislation aims to establish a comprehensive framework for processing personal data, striking a balance between individual rights and the legitimate needs for data processing. The law covers various entities, including e-commerce platforms, fintech firms, IT service providers, and ride-hailing services, all of which deal with data in digital formats.

What Does the DPDP Mean With Regard To Limitations On Storage And Usage of Consumer Data?

The Ministry of Law and Justice's notification of August 11, 2023 describes the law as: “An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. This Act may be called the Digital Personal Data Protection Act, 2023.”

Understanding the DPDP: Key Provisions and Exemptions

The DPDP Act primarily focuses on safeguarding individuals' personal data while allowing its processing for lawful purposes. The law establishes the concept of "data fiduciaries," entities that collect and process personal data. Consent from individuals is a fundamental prerequisite for processing personal data, with exceptions existing for specific cases deemed legitimate.

Grace Period For Early-Stage Startups

Early-stage startups and other entities fall under the purview of this law, but the government acknowledges the challenges they face during the initial stages of business development. The grace period is aimed at allowing startups to test their products without being burdened by full compliance. Nonetheless, this exemption is temporary, and startups will need to transition to full compliance as they move into the business cycle.

Defining Data Protection Rules and Compliance

The DPDP Act enforces three core principles: data minimization, purpose limitation, and storage limitation. Entities can only collect the minimum required data, use it for the specified purpose, and must delete it once the purpose is fulfilled. This empowers individuals by giving them control over their data, preventing its misuse or unauthorized monetization.

Companies handling substantial volumes of data must appoint data protection officers and independent data auditors to ensure compliance and establish a robust grievance redressal mechanism.

Will there be a nodal body for data protection? What will be its powers? 

India will soon have its own data protection regulator, the Data Protection Board (DPB), which will be the nodal body for all data processing and data breach-related issues that may come up. The board’s members, including the chairperson, will be appointed by the central government. They will be appointed for two years and can be reappointed.

Central Government's Authority Regarding Data Fiduciaries, Including Startups

The Central Government can, considering the scale and nature of processed personal data, identify specific data fiduciaries or categories of data fiduciaries, including startups, to whom certain sections of the law (section 5, sub-sections 3 and 7 of section 8, and sections 10 and 11) won't be applicable. This provision allows for tailored exemptions based on data processing characteristics.

What is the definition of a "startup" under this provision in the Notification?

In this context, a "startup" refers to a private limited company, partnership firm, or limited liability partnership incorporated in India. This classification is contingent upon meeting criteria and procedures outlined by the relevant department within the Central Government responsible for startup-related matters.

Balancing Innovation and Data Protection

India's Digital Personal Data Protection Act, 2023 represents a significant stride toward securing individuals' digital rights while enabling responsible data processing. Early-stage startups will experience a transition toward stringent compliance after an initial grace period, aligning with the law's intent to safeguard personal data. As the nation embarks on this data protection journey, the focus remains on striking a balance between technological innovation and individual data privacy.
