After the Supreme Court of India’s 2017 decision recognizing privacy as a fundamental right of an individual under the Indian constitution, emphasis was placed on enacting comprehensive data protection legislation. The BN Krishna Committee drafted the Personal Data Protection Bill 2018, which was opened for public consultation. Later, the Personal Data Protection Bill 2019, which is the government’s version of the data protection law, was introduced in Parliament in December 2019. As of now, it is uncertain when the bill will go to the Parliament floor for debate and discussion, as it is currently being scrutinized by an expert committee. But it has been reported that the expert committee will submit its report on the bill in this year’s winter session. This means the enactment of the bill could be a reality soon.
The current state of the Indian economy
Under normal circumstances, the bill's enactment and compliance would have gone smoothly for companies. But with the spread of COVID-19 and a countrywide lockdown for approximately three months, the economy is in a vulnerable condition. It has shrunk by 5.9% as per the United Nations Conference on Trade and Development report. Further, it is expected the Indian economy will contract even more in the financial year 2021.
Considering the above, a pertinent question arises: Can Indian companies, which are already facing the brunt of the economy, also bear the compliance cost with the enactment of the new data protection law? Or will the data protection law push companies into insolvency?
Compliance costs for adopting GDPR
To understand the possible impact the Personal Data Protection Bill 2019 might have on companies’ compliance costs, a parallel needs to be drawn with the compliance costs companies faced in implementing the EU General Data Protection Regulation. The reason is that, in its present form, this bill follows the GDPR pattern, although it does deviate from the GDPR in certain areas.
According to DataGrail’s "The Cost of Continuous Compliance" report, 74% of small- and mid-sized organizations spent more than $100,000 in compliance costs. Notably, 20% spent more than $1 million. Only 6% of respondents spent less than $50,000. A study into the compliance cost of implementing the GDPR by the Ponemon Institute indicates the average compliance cost for companies increased from $3.53 million to $5.47 million. Such compliance cost includes hiring a data protection officer, a record of processing activities (inventory), gap assessment, policies and procedures, modifying processes, training employees and monitoring compliance. In addition to this, there may also be increased legal costs.
The above statistics clearly show the GDPR added a significant burden on companies. Here, it must also be kept in mind that Europe already had a data protection directive that had been enforced since 1995. Still, shifting to the GDPR added compliance costs. The data protection law in India, on the other hand, would be very new. Right now, Indian companies are operating under the IT law and other sector-specific laws, which are nowhere close to a comprehensive data protection law. Hence, shifting to a comprehensive data protection law during a contracting economy will hamper Indian companies.
A way forward
The data protection law is essentially a balance among the companies, state and individuals. But, if this law is implemented without considering the current economic slowdown, companies might have to bear the brunt of the costs. The financially sound companies will, of course, pave their way and achieve compliance. But when it comes to startups or other companies without much financial backing, an added compliance cost due to a data protection law might push them over the edge into insolvency.
To ensure such companies are not burdened, the Indian government can either delay the enactment of the data protection law until the economy functions better or grant exemptions from the enforcement of the data protection law in favor of the companies who are not financially sound.
Another way the Indian government can ensure the corporates are not burdened with the compliance cost is to implement the law in a stepwise manner. This means those provisions that do not increase the financial cost of a company significantly can be enforced first. Provisions that resemble the already existing IT law or sector-specific data protection law can be enforced, as these provisions are already being complied with under the previous regime. At the same time, provisions that are completely new and require added cost, such as the provisions relating to data localization, can be implemented later. This, in turn, can make sure that trade is not affected.
It is yet to be seen how the enforcement of the data protection law takes place in India. However, right now is the time for the Indian government to properly plan how the enactment and implementation of the data protection law will occur. Further, economic factors must also be taken into account, and it must be understood that rushing into enactment will do more harm than good.