Most countries give special treatment to small and medium scale enterprises (“SMEs”) for regulatory compliance given their special needs and limited resources. Countries also grant special treatment and exemptions for data protection compliance, as it is difficult for SMEs to invest large sums into the technological peripherals required to comply with stringent data protection regulations. India has yet to adopt a comprehensive data protection law. Its proposed law, the Personal Data Protection Bill, 2019 (“PDP Bill”), is stringent and has raised the concerns for the financially and structurally unprepared SMEs. In this piece, we underscore that while the PDP Bill, 2019 is a leap forward from its earlier version, the Personal Data Protection Bill, 2018 (“PDP Bill, 2018”), in considering the needs of SMEs, it still falls far short of achieving this goal. We then draw on cross-jurisdictional practices to make recommendations for the forthcoming legislation in India. The scope of our piece is limited to discussion on concessions in data protection laws for SMEs and does not cover the impact of provisions like data localization or restrictions on the cross-border flow of data on functioning of SMEs.
Overcoming the Constitutional Hurdles
Before proceeding with the core analysis, it is useful to clear the air on any possible constitutional challenge to the relaxations for SMEs in data protection law, specifically on the ground of violating the fundamental right to privacy. In the landmark Right to privacy judgment, the Supreme Court (“SC”) recognized privacy as a fundamental right under Article 21 of the Indian Constitution (“Constitution”). However, fundamental rights are applicable only vis-a-vis state actors as defined under Article 12. Nowhere in the judgment did the SC opine that the right to privacy shall be made horizontally applicable against private persons. Therefore, any data protection law would only grant a statutory right to privacy against private persons and such right can be validly restricted by the statute itself. Consequently, any data protection relaxations for SMEs would not fall foul of the Constitution.
SMEs Compliance Relaxations: Need for a Delicate Balance
It is important to assess the impact of data protection regulation on Indian SMEs. As per the last annual report of the Ministry of Micro, Small and Medium Enterprises, of the estimated 63.39 million enterprises in India, only 4,000 were large enterprises. Thus, the vast majority of enterprises to be affected by data protection law would be SMEs. According to a report, even in developed economies like the United States (“US”), SMEs lack financial resources and expertise in handling complex technologies, and the statistics show that 34% of small businesses in the US avoid digitization in their business operations because they fear data privacy and security breaches.
Start-ups and SMEs can significantly enhance their reach and efficiency by tapping into the internet and data analytics technology. Studies cited by a 2015 OECD Report[i] indicate that for SMEs not in the Information and Communication Technology (“ICT”) sector, compliance with stringent data protection regulations may increase the expenditure on information technology (“IT”) by up to 40%.[ii] According to another Report[iii] by the United Nations Conference on Trade and Development (“UNCTAD”) on the impact of data protection regulations on trade, cumbersome domestic and emerging international data protection regulations puts SMEs at a disadvantage and may even force them to exit the market.[iv] This in turn, discourages innovation, reduces consumer choices, and creates the risk of monopolization by larger companies.[v]
Therefore, the need to grant special treatment to SMEs is pressing. However, sweeping exemptions from data protection laws would jeopardize consumer privacy. Big companies would be hesitant to partner with small businesses not fully bound by the data protection regulation, as any mishandling of data by the latter could make them liable to pay hefty fines. It is therefore imperative to strike a balance to ensure consumer privacy and digitization of SMEs without burdening them with cumbersome compliances.
SMEs and proposed Data Protection Bill, 2019
Section 39 of the PDP Bill provides certain compliance exemptions to small entities engaged in “non-automated” or manual processing of data. Interestingly, unlike the EU’s General Data Protection Regulation (“GDPR”), which applies only to processing wholly or partially by automated means (unless manual processing is for filing purposes), the scope of “data” in the PDP Bill also includes data processed wholly by manual means.[vi] Automated processing has been ambiguously defined in the PDP Bill as processing by any “equipment capable of operating automatically in response to instructions given for the purpose of processing data.”[vii] This definition of “automated processing” is so broad that the only entities that would be covered under the manual processing exemption are those which use no computer resources for processing personal data—thereby, the exemption is likely to leave out the majority of SMEs. On the brighter side, inclusion of manual processing under the PDP Bill and its restrictive definition would ensure consumer privacy where processing is primarily manual, encouraging the digitization of small businesses.
Unlike the 2018 version, the PDP Bill, 2019 does not define small entities, instead allowing the Data Protection Authority (“DPA”) to set regulations on the exact criteria for classification as a “small entity,” considering factors like turnover, volume of data processed per day in the preceding year, and whether “disclosure to others” was the purpose of data collection.[viii] The PDP Bill, 2018 on the other hand, defined “small entity” as entities 1) having an annual turnover of less than Rupees 20 lakhs (about USD 26,500), 2) that do not collect personal data for disclosing it to others, and 3) do not process personal data of more than 100 data principals in any one day in the preceding calendar year.[ix] The exemptions are granted for manual processing to small businesses with respect to obligations including the notice requirement, retention of data, data portability, right to be forgotten, and transparency and accountability measures.[x]
Both the PDP Bill, 2018 and the PDP Bill, 2019 envisage the concept of significant data fiduciaries (“SDFs”) that are subject to additional compliance requirements and higher fines for violations.[xi] Importantly, the criteria for categorization of SDFs are to be determined by DPA by taking into account following factors:
(a) volume of personal data processed;
(b) sensitivity of personal data processed;
(c) turnover of the data fiduciary;
(d) risk of harm by processing by the data fiduciary;
(e) use of new technologies for processing; and
(f) any other factor causing harm from such processing.[xii]
SDFs may include information technology companies, social media platforms, and other major companies dealing with large amounts of personal data. The criteria make it adequately clear that a large portion of non-SDFs would be SMEs not dealing with voluminous or sensitive personal data.
These additional compliance requirements pertain to a set of obligations under the heading “transparency and accountability measures” that inter alia include data protection impact assessments, recordkeeping, data audits and appointment of data protection officers (hereinafter “four key obligations”). However, there is a stark difference in the way these compliances have been prescribed in each Bill. Under the PDP Bill, 2018, all compliance obligations under “transparency and accountability measures” were applicable by default to all entities, with the DPA having the power to limit the application of above-mentioned four key obligations to one or more categories of SDFs only.[xiii] In contrast, in the present PDP Bill, 2019, the four key obligations are mandatory only for SDFs, and DPA has the power to extend them to non-SDFs if it deems their processing activities to carry significant harm to the data principals.[xiv] Though the PDP Bill, 2019 is less stringent than PDP Bill, 2018 on non-SDFs or SMEs, it overall falls short of lightening the burden on those SMEs that are not completely reliant on manual processing, as they will still have to comply with the majority of obligations. This is because unlike many other jurisdictions, which we discuss below, the PDP Bill lacks compliance concessions for SMEs.
Concessions for SMEs: A Cross-Jurisdictional Analysis
There are primarily three types of concessions that SMEs can be granted with respect to data protection laws: first, complete exemptions, where all or certain types of SMEs are completely exempted from the general data protection law; second, partial exemptions, where SMEs are covered by the general data protection law but certain relaxations are granted to them from compliance; third, sector-specific relaxations, where relaxations are granted to SMEs via the data protection regulations governing the sector to which SMEs pertains.
Complete Exemptions for SMEs
Some data protection laws grant exemptions to all businesses falling below a certain threshold. For example, Australia’s Privacy Act, 1988 (“APA”) exempts small businesses and not-for-profit organizations that have an annual turnover of $3 million or less.[xv] However, there are some exceptions to this rule. The statute does cover persons or entities that trade in personal information, or are a health service provider or credit reporting agency or otherwise deal with critical financial information.[xvi] APA also provides an opt-in mechanism for small businesses that received an exemption, in which case they become subject to its provisions in the same way as a statutorily covered entity.[xvii] Small businesses are free to opt-out prospectively after notifying their withdrawal.[xviii] Opt-in mechanisms help small businesses gain consumer confidence by showing their compliance with privacy and data protection standards.
Similarly, California’s Consumer Privacy Act, 2018 is only applicable to companies whose annual revenue exceeds USD 25 million, or whose half of annual revenue is obtained from the selling personal information of consumers, or that process personal information of at least 50,000 people annually.[xix] Nevertheless, this threshold has been criticized for being too low to protect the interest of SMEs.
Japan, on the other hand, has abolished its previous exemption for entities not handling personal information of more than 5,000 individuals in any day for the past six months.[xx] However, its data protection law does allow exemptions to be provided by a cabinet order in cases where the risk of harm to individuals’ rights and interests is limited.[xxi]
Partial Relaxations and Sector-Specific Relaxations
The European Union’s GDPR and India’s proposed PDP Bill, 2019 do not completely exempt SMEs from data protection obligations, but grant them specific relaxations in their application. GDPR recommends that member states should take into account the specific needs of micro, small and medium-sized enterprises (“MSMEs”) in the application of the regulation.[xxii] GDPR exempts MSMEs with fewer than 250 employees from record-keeping obligation.[xxiii] SMEs have also been granted exceptions from the requirement to appoint a Data Protection Officer (“DPO”).
SMEs can also be granted sector-specific relaxations with respect to additional data protection compliances pertaining to that sector. Sector-specific exemptions allow regulators to grant tailored relaxations to SMEs after taking into account the specific needs of SMEs and nature of data processed in that sector. For example, the Reserve Bank of India prescribes less stringent cyber security compliance measures for Non-Banking Financial Institutions with assets below Rs. 500 Crore (about USD 66.77 million).
Conclusion and Recommendations
India is an emerging economy and unlike Japan, it cannot afford to do away with the data protection relaxations for SMEs. In the light of above analysis and comparative study, we present the following observations and recommendations:
- It is appreciable that the PDP Bill, 2019 covers processing by non-automated means. However, what constitutes processing by automated means needs to be clearly defined and should exclude basic computer applications like calculators, excel sheets, etc., otherwise it would thwart even minimum digitization of grass-roots level SMEs.
- The definition of a small entity for the purpose of granting relaxations for manual processing should also include the consideration of the type of personal data being processed. Similar to Australian law, India may also consider giving fewer relaxations to those small entities that process highly sensitive data like health and financial data.
- Section 63(4) of the PDP Bill, 2019 states the factors that shall be taken into account when imposing a penalty for violations. Though many penalties in the Bill are defined in terms of percentage of turnover, and different fines are stipulated for SDFs and non-SDFs, Section 63(4) disappointingly omits considerations of the entity’s turnover in determination of final quantum of penalty.
- An opt-in mechanism to the likes of APA should also be introduced in India where small businesses involved in manual processing and non-SDFs can commit themselves to abiding by the exempted obligations. Such mechanism would incentivize small businesses and non-SDFs to voluntarily comply with data protection law in order to gain consumer confidence. This would create positive privacy-centric competition among SMEs.
- Section 50 of the PDP Bill authorizes the DPA to approve any code of practice submitted by an industry or trade association, any sectoral regulator or statutory Authority, or any departments or ministries of the governments. In approving such codes of conduct, the DPA should take into account the impact of such codes on SMEs of that sector. Wherever feasible, different methods for compliance with the same obligations may be considered for SMEs and non-SMEs to make compliance easier for the former.
- Finally, the Government should take affirmative steps to assist SMEs in complying with the data protection laws.
These recommendations would go a long way in realizing the vision of Digital India and Start-up India, while at the same time promoting consumer choice and privacy in this information-driven world.
Mr. Prantik Mukherjee is a final year law student at the Damodaram Sanjivayya National Law University (DSNLU), Andhra Pradesh, India.
Ms. Soumya Tiwari is a penultimate year law student at the Rajiv Gandhi National University of Law (RGNUL), Punjab, India.
—
[i] Stone, S., J. Messent and D. Flaig (2015-05-01), “Emerging Policy Issues: Localisation Barriers to Trade”, OECD Trade Policy Papers, No. 180, OECD Publishing, Paris. 56 http://dx.doi.org/10.1787/5js1m6v5qd5j-en.
[ii] Id. at. 56
[iii] UNCTAD, Data Protection Regulations and International data flows: Implications for Trade Development https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf
[iv] Id. at. 64.
[v] Id. at. 116.
[vi] PDP Bill, 2019, Section 3(11).
[vii] Id., Section 3(6).
[viii] PDP Bill, 2019, Section 39.
[ix] PDP Bill, 2018, Section 48(2).
[x] Id., Section 48(1).
[xi] See generally PDP Bill, 2019, Chapter VI (Transparency and Accountability Measures) and Chapter X (Penalties and Compensation); PDP Bill, 2018, Chapter VII(Transparency and Accountability Measures) and and Chapter XI (Penalties and Compensation).
[xii] See PDP Bill, 2019, Section 26; PDP Bill, 2018, Section 38.
[xiii] PDP Bill, 2018, Section 38(3).
[xiv] PDP Bill, 2019, Section 26(3).
[xv] Privacy Act, 1988, Section 6D (Australia).
[xvi] Id., Section 6D(4).
[xvii] Id., Section 6EA.
[xviii] Id., Section 6EA(4).
[xix] California Consumer Privacy Act, 2018 [1798.100 – 1798.199], (Title 1.81.5 added by Stats. 2018, Ch. 55, Sec. 3.), Section 1798.140(c).
[xx] Amendment Act of Protection of Personal Information, Article 2 and Chapter IV Sec 1 (Japan).
[xxi] Id., Article 2(4).
[xxii] GDPR, Recital (98), (132), and (167); Section 5, Article 40.
[xxiii] GDPR, Recital (13).
