Data Protection Act
What is the Data Protection Act?
The Data Protection Act protects the privacy of individuals relating to their personal data specifies the flow and usage of personal data. This act creates a relationship of trust between persons and entities processing personal data.
Data Protection Bill, 2019 comprises a set of privacy laws, policies, and procedures that aim to minimize interference in privacy caused by the collection, storage, and distribution of personal data. “Personal data” is defined under section 3(28) of the Data Protection Bill, 2019. It means any unauthorized or accidental disclosure/ sharing/ use of or loss of access to personal data that has confidentiality, integrity, or availability of personal data to a data principal.
The Constitution of India has no separate provision for the right to privacy as a fundamental right. However, the courts have observed the right to privacy into the other existing fundamental rights, i.e., freedom of speech and expression under Art 19(1)(a) and right to life and personal liberty under the Constitution of India. Although, these Fundamental Rights under the Constitution of India are subject to reasonable restrictions given under Art 19(2) of the Constitution that may be imposed by the State. In the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors., the constitution bench of the Hon'ble Supreme Court has held the Right to Privacy as a fundamental right, subject to certain reasonable restrictions.
Data can be divided into two parts: public data, and personal data. Public data refers to the kind of data accessible to the public at large, for example, Court records, birth records, death records, basic company details. Whereas, private data is personal to an individual/ organization and cannot freely be circulated by anybody without the prior permission of the subject, like financial details, family details, browsing details, preferences, psychological characteristics, locations, and travel history, behavior, abilities, photographs, aptitudes, etc. It could also be a combination of these attributes or even inferences drawn from the refined data.
At the moment, India does not have specific legislation enacted primarily for data protection. Whereas, the regulatory mechanism for data protection and privacy is given under the Information Technology Act, 2000 and Information Technology Rules, 2011.
Its effect on Startup Ecosystem
Firms increasingly exploit data to optimize products and processes and innovate new business models. However, the use of personal data can invade consumers' and employees’ privacy expectations which may further create complex challenges for individuals, groups, and societies. Data protection law tries to resolve these issues by defining rules for what firms are supposed to legally do with data.
The substantive content of data protection law and individuals’ privacy perception vary significantly across the world, for example, Europe has stricter laws than the U.S.A.
The differences between European data protection law and the laws of other countries became even more clear post the EU General Data Protection Regulation (GDPR) came into force in May 2018, replacing the 1995 EU Data Protection Directive (DPD). In particular, the GDPR imposed higher fines for non-compliance, gave elaborate definitions of personal data, and defined stringent criteria for what counts as user consent.
While the companies often claim that stricter data protection regulation puts them at a disadvantage about firms intotries with less strict regulations, further pointing towards trade-offs between privacy protection and the promotion of competitiveness.
However, few others oppose the idea of lenient laws and need stricter regulations which may be needed to restore trust in the digital economy. Beyond the firm level, this question is important for societies and policymakers, given the possible effects on domestic firms’ global competitiveness. To understand how privacy regulation impacts firms, it is important for policymakers seeking to protect both individuals’ privacy and firms’ competitiveness.
The question arises, how does data protection regulation affect innovation among startups?
Startups are likely to innovate new products and services; i.e., the effects of regulations on innovation are likely to create opportunities clearly and quickly for startups. Usually, startups have smaller budgets available for compliance as compared to large or established firms, which means that regulations may negatively affect them. However, their greater flexibility and strong innovation-orientation mean that startups may also be particularly likely to identify and exploit regulation-induced opportunities for innovations. The above-mentioned factors mean that any positive or negative effects of data protection regulation may have on innovation are particularly likely to show up on startups.