top of page

Right Now (The StartUp Newsletter) Dec'19

Personal Data Protection Bill

Impact on StartUps

How is it relevant?

The activities of any entity which indulges into processing of ‘personal data’ comes under the direct purview of the proposed legislation.

One of the key source of revenue for many StartUps is data mining. StartUps, especially the ones having large scale user interface through mobile apps or websites, are sitting on a gold mine of data (including personal data of individuals), which is often churned up to be used further or sold to other StartUps or Marketing firms.

Say for example, a healthcare StartUp collects few basic details of users while onboarding like blood group, diagnosed disease, etc. All such data are identified as ‘Personal Data’ and therefore the company and its activities relating to such data would come under the direct purview of the proposed legislation.

Fun fact: There are 2.5 quintillion bytes of data created each day at our current pace, and over 90% of the data in the world was generated in the past 2 years.

Relevant provisions and its impact

  • An entity covered under the provisions, will be required to make an entity wide policy, to be known as the ‘privacy by design policy’. This policy will essentially contain the systems designed to avoid harm to the user, technology used to process the data, whether data processing is done in a transparent manner and the efforts made to protect the privacy of individuals – This provision increases compliance cost but at the same time, it recognizes the responsibilities tied to personal data of individuals.

  • Personal Data of individuals can be processed only with the prior consent of individuals – This means, that apps and websites will be mandatorily required to make a detailed disclaimer inviting consent, which includes – purpose and basis of processing, period of retention, cross border transfer of data, entities with whom such data is shared, etc.

  • If personal data of individuals is collected through automated means – for example by tracking activities of an individual over an app or website – the individual shall have the right to receive such information in a structured format.

  • Additional responsibilities imposed on companies which indulge in collection and processing of personal data of children (below 18) through online means – This essentially affects entertainment companies like gaming, OTT streaming, social media platforms and online education platforms.

  • All personal data of individuals shall be processed in a transparent manner and specific information relating to such processed data shall be made available in such form and manner as may be notified – This means that companies shall be required to make additional disclosures to the authorities.

  • The bill introduces a new concept called a ‘consent manager’ which is defined as an accessible, transparent and interoperable platform, to be employed by a company, vested with the responsibility to enable an individual to gain, withdraw, review and manage his consent – This provision, once again, implies increased compliance costs.

  • Now entities handling large amount of personal data will be statutorily required to implement security safeguards commensurate to the risk and harm associated with the processing of such data. Moreover, any breach of personal data, shall be informed to the Authorities within the prescribed time – These provisions could imply hiring of data experts and is likely to increase costs over data security.

  • Based on certain factors, like the volume of data, the risk associated with processing or the sensitivity of personal data, the authority may notify a company as a ‘significant data fiduiciary’. Additional responsibilities are imposed on such entities, like conduct of annual data audit, undertaking data protection impact assessment and appointment of a data protection officer. For example: Payment apps like Paytm collect biometric and financial data of individuals, which is identified as ‘sensitive personal data’ under the bill. Now, if Paytm wants to carry out large scale processing of such data, it will be required to carry out a data protection impact assessment, which shall first be reviewed by the Authority before Paytm proceeds with processing.

  • Sensitive personal data (financial data, biometric data, health data, etc.) and Critical personal data (yet to be notified) are not allowed to be stored outside India – This essentially means that entities indulging in collection and processing of such data must have a local server and database in India. Food for thought: The Income Tax Act considers permanent establishment of an entity to ascertain jurisdiction over the income generated by such entity. It has been seen in the past that the tax authorities consider the location of the local server as permanent establishment of the entity to impose tax on income earned. Fun fact: An Indian industry major has recently tied up with a global leader to build data centers and host cloud services across the country.

Possible changes in businesses: Additional features in apps and websites, Educating and training team members, reliable data security measures, updating contracts with software and device vendors and updating organizational policies.

While we’re here: The Personal Data Protection Bill (PDPB) has significant parallels to the European Union’s General Data Protection Regulation (GDPR), which became enforceable from 25th May, 2018. The regulation wreaked havoc in the region and had far reaching impact on companies across the world. Now, if the PDP were to be imposed in India, it is likely that organizations will have to make radical changes in their processes and operations (relating to handling and processing of personal data). StartUps, however, can keep the PDP in mind from its inception and create a business model around it. This way, the prescribed policy measures can be implemented quickly with minimal resistance.

The BIG Picture: The PDPB hails from side proposition which has for long been arguing that ‘Data is the new Oil’. The GOI sure has leapfrogged in recognizing the fact that in the modern economy, data indeed is a valuable resource that comes with a lot of responsibilities. Rightly so, the bill has placed data owners at the driver’s seat. However, the bill is criticized to have a lot of holes mainly on grounds of unnecessary and excessive power given to the GOI. Amidst economic turmoil and widespread.


Indian StartUp Ecosystem

What's Buzzing?

Car Dekho raises USD 70 Million at a valuation of about USD 700 Million.

In series D Funding round, Car Dekho raised $70 million (₹500 Cr.), led by China’s Ping An’s Global Voyager Fund.

While we’re here: The last few years have seen Chinese investors deepening their push into the Indian startup ecosystem. Chinese companies have invested in more than a dozen Indian StartUps infusing over $7 Billion (₹50,000 Cr.). Some of the big names include Ola (ride hailing), Oyo-Rooms (hospitality), Paytm (payment platform), Paytm Mall (Ecommerce) and Swiggy (Food Delivery). In fact, out of all the investment proposals received under the ‘Invest India’ programme, nearly 42% of proposals were from China.

The BIG Picture: With the resources brought in by the new investors, including Ping An which also happens to be a majority shareholder of China’s largest auto portal- AutoHome, Car Dekho is looking to expand its international footprint. It has already started operations in Philippines and Indonesia.

RIL acquires majority stake in NowFloats

Reliance Industries, through its Reliance Strategic Business Ventures, has acquired 85% stake in Hyderabad based software as a service (SaaS) startup – NowFloats for ₹142 Cr., valuing the start up at about ₹167 Cr.

While we’re here: Reliance is stepping into digital sectors such as ecommerce, mixed reality, big data, logistics and deeptech by investing and acquiring homegrown and global tech Startups. So far, significant investments have been made in over 2 dozen startups. Among the top 12 Indian Startups, RIL has acquired majority stake in almost all of them.

Speaking of RIL investing into startups, it is fascinating to see how big corps are giving heightened focus to new age startups who are disrupting the traditional markets through their innovative offerings. Recently, the homegrown utility vehicle major – Mahindra & Mahindra, agreed to acquire 55% stake in the radio taxi operator – Meru Cabs. In addition, other big corps with deep pockets, like Hero Group, Wipro and MG Motors, have also been investing in the start up ecosystem.

What else is Buzzing?

  • Zomato is looking forward to raise another $600 million next month, says Zomato CEO Deepinder Goyal.

  • Used motorcycle startup – CredR, which claims to be India’s largest used motorcycle consumer brand, raised ₹38 Cr. from its existing investors.

  • Ola is looking to increase its international footprint by doubling scale of operation in Australia and New Zealand. The company is currently the fastest growing ride sharing player in the region.

  • SoftBank backed Grofers, the grocery shopping app, posted a loss of ₹448 Cr. in FY18-19. The loss widened by over 70% from last year.

  • Logistics firm Shadowfax raised ₹430 Cr. in a funding round led by Flipkart.


Around the World in a Blink

Learning from the Best

Duolingo, the language learning app, based out of Pittsburgh, USA, recently raised $30 Million (₹210 Cr.) at a valuation of $1.5 Billion (₹10,700 Cr.). What went right?

Need gap: To keep things in perspective, an average Indian pays around ₹3,000-15,000 to learn a foreign language from a local tutor. Whereas, it can be learnt at absolutely no cost on Duolingo app in a fun and interactive way.

Revenue model: Duolingo has an advertisement-based revenue model for free subscriptions. The premium subscription, which eliminates ads and provides some additional features, comes at a subscription fee. The app currently earns $100 million (₹710 Cr.) from annual subscription.

What’s next?: Duolingo is constantly adding new languages to keep tapping new users and also to live up to the loyalty of old users. It has plans to expand its employee strength and explore application of AI and machine learning to serve users in a better way.

Is good business all it takes?

No! The company won Inc. magazine’s Best Workplaces award in 2018. It also made appearance in Entrepreneur Magazine’s Top Company Culture List in 2018.

In a nut-shell, a lucrative revenue model coupled with a visionary growth plan catering to an acute need gap makes a start up extremely attractive. But, making a healthy working environment for its human capital works like the cherry on top of the cake. Fast forward, in 2019, Duolingo was named one of Forbes's "Next Billion-Dollar Startups".



bottom of page