Start-ups, data privacy and trade secrets
For many start-ups, the data they possess is their biggest source of value. These fledgling companies must have a defined strategy for protecting data as both a business asset and an IP right.
Start-ups are the product of a fresh set of passion-driven entrepreneurs possessing innovative ideas. There are no hard and fast rules to define a start-up: the Merriam-Webster Dictionary defines the word as “a fledgling business enterprise” but also as “the act or an instance of setting in operation or motion”, while WhatsApp co-founder Jan Koum calls it “a feeling”.
In a February 2016 notification, the Indian government defined a ‘start-up’ as an entity which is not more than seven years old and has a turnover of not more than Rs250 million from its date of incorporation. The entity must be engaged in the innovation, development, deployment or commercialisation of new products, processes or services that are driven by technology or intellectual property. This definition arises from the government initiative Startup India, which aims to create an environment conducive for start-ups and to facilitate their growth.
The business models of most start-ups run on software and are delivered as online services. Many start-ups are managed in accordance with the integrated ‘SMAC’ concept (ie, incorporating social, mobile, analytics and cloud-based models). Another characteristic of many start-ups is that of ‘permissionless innovation’, which boils down to testing boundaries and taking risks. Internet pioneer Vint Cerf said:
If you want to try something out, you just do it. The Yahoo! guys and the Google guys and the Skype guys didn’t ask permission to build their products and services; they just put them up on the Internet and let people come and use them.
So long as such a culture is prevalent among start-ups, they are bound to confront legal and regulatory challenges.
One of these challenges is privacy and data protection. In the recent landmark decision of Justice K S Puttaswamy (Retd) v Union of India, a nine-judge bench of the Supreme Court unanimously held privacy to be a fundamental right as enshrined in the Constitution. The court also discussed privacy in relation to the virtual world, meaning that the verdict is likely to have implications for start-ups, which – as Facebook founder Marc Zuckerberg said – have a “move fast and break things” way of functioning.
This chapter discusses how start-ups are being recognised in India, with various incentives being provided to them, including IP protection – but also how these incentives come with responsibilities, particularly in the area of data protection. Informational privacy has been recognised to be a fundamental right of individuals, and a new regime of data protection law is on its way.
Since data is the only asset of a large number of start-ups, they must be vigilant about data protection laws before they commercially exploit and claim property rights in collected data. The purpose of this chapter therefore is to emphasise the balance that start-ups should conceptualise and create while investing time, effort and money into building their assets.
Recognition and IP protection for start-ups
To encourage entrepreneurship among the youth of India, in 2015 the prime minister launched an initiative called “Start Up India, Stand Up India”. As a part of this initiative, the government started various incentive-driven schemes, including Start-Ups IP Protection (SIPP), which is intended to facilitate the protection of innovative start-ups’ patents, trademarks and designs until March 2020.
SIPP is designed to nurture and mentor innovative and emerging technologies among start-ups and assist companies in protecting and commercialising them by providing access to high-quality IP assistance, services and resources. To implement this objective, the patents, trademarks and designs regulatory body empanels ‘facilitators’, who can be any advocate, patent agent or trademark agent registered with the regulatory body or any representative from a government department. These facilitators help the start-up applicants by providing pro bono advice on protecting different IP rights in India or abroad, as well as assistance in the filing and disposal of IP applications, including drafting applications, filing responses raised by the IP office and appearing on behalf of the start-ups at hearings.
The government pays each facilitator a fee for filing IP applications: Rs10,000 per patent, Rs5,000 per trademark and Rs2,000 per design. An additional amount is paid on the final disposal of the application, with or without opposition. Start-ups bear only the statutory fees for the applications.
Start-ups eligible for this scheme must not have availed of funds under any other government scheme.
Privacy and data protection
We are living in a world of ubiquitous data surveillance. Companies are collecting, handling and analysing huge quantities of data (including personal data), which they eventually intend to monopolise. But it does not stop there: it is now common to click on a link to a product on an e-commerce website one day, only to find an advertisement for the same product on one’s Facebook page or Google search results the next day. As the Supreme Court has noted:
Uber knows our whereabouts and the places we frequently visit. ‘Facebook’ at the least, knows who we are friends with. ‘Alibaba’ knows our shopping habits. ‘Airbnb’ knows where we are travelling to.
We have entered the ecosystem of the ‘Internet of things’, where internet companies are controlling personal data and exercising subtle control over individual behaviour and choices. This practice is called ‘surveillance capitalism’, and the personal data that arises from it is valued by businesses, since it serves as a key commercial asset that companies can both use for internal marketing and license to third parties.
However, such data collection, handling and analysis must be done in legitimate ways, so as to not invade the privacy of any individual. Privacy has been recognised as a fundamental human right in the UN Universal Declaration of Human Rights. In August 2017 it was recognised as a fundamental right, protected as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution.
The Supreme Court has provided no specific definition of privacy. However, in reference to ‘informational privacy’, it has recognised, as emanating from the right to privacy, the exclusive right of individuals to:
- exploit their identity and personal information commercially;
- control the information that is available about them on the Internet; and
- disseminate certain personal information for limited purposes only.
Gradually, countries across the world are developing laws on data protection, with the European Union recently introducing the EU General Data Protection Regulation (679/2016). India is still in the process of developing equivalent legislation. Presently, the Information Technology Act 2000 contains provisions which mention safeguarding online privacy.
Additionally, India has the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, which seek to provide individuals with rights to their information and to oblige corporate bodies (ie, any company engaged in commercial or professional activities under the Information Technology Act) to protect the privacy of a consumer’s information. The rules require any corporate body to:
- provide individuals with the right to access and correct their information; and
- obtain consent before disclosing sensitive personal information.
However, the rules only protect ‘sensitive personal information’, not personal information. This excludes information which is freely accessible, available in the public domain or furnished under the Right to Information Act 2005.
Apart from the lacunae in the existing law, many challenges to data protection exist, including the dynamic and changing nature of information on the Internet. For example, seemingly harmless data such as IP addresses, keywords used in searches and websites visited can now be combined and analysed to identify individuals and learn personal information about them. These activities are redefining ‘personal data’, and a law identifying the correct protection for personal data is lacking.
Another issue is jurisdiction, since Indian data subjects are using the services of companies that do not fall within the purview of Indian laws. Elsewhere, the European Union is trying to combat this problem by addressing the “export of personal data” outside of the European Union in its General Data Protection Regulation, thereby including all companies processing the data of any EU data subject.
The Supreme Court has emphasised the importance of an individual’s “informed consent” being obtained by any data processor before sharing or selling that individual’s information. The court has charged the government with putting into place a robust data protection regime, incorporating the findings of a committee which is presently reviewing data protection norms in India. The Supreme Court has directed that such a regime requires a careful and sensitive balance between individual interests and the legitimate concerns of the state, which include protecting national security, preventing and investigating crime and encouraging innovation.
This petition has been conjoined with a public interest action challenging the accountability of internet companies such as Facebook, Twitter and Google with respect to their current data protection framework in India. This petition arises from the non-applicability of existing privacy laws on non-Indian corporate bodies and the consistent refusal by their Indian subsidiaries to accept responsibility over content, data or information generated in India. The Supreme Court has issued notices to Google, Twitter and the Indian government, seeking their legal opinions on data sharing with cross-border corporate entities; meanwhile, Facebook and WhatsApp have been directed to file affidavits swearing to not share user information with third parties.
Another company which is presently under scrutiny is the Indian arm of Monster.com. Allegedly, Monster India has been unlawfully selling user data to a third-party company, which in turn has been duping job seekers. The trial court has observed:
At the time of entering personal information or data, job seekers are not aware that the said data can be sold to any third person or that it can be misused. Accordingly, the said ostensible consent of the said applicant/individual cannot be said to be a free, voluntary or informed consent.
The court has ordered the police to conduct a probe against the online job portal.
Overlap with IP rights
Contrary to traditional business models, where the assets of a company are physical and tangible in nature and may have a resale value, the primary asset of many start-ups is data, collected over time using innovative resources and technical skills. This data can qualify as confidential information or a trade secret if it is of commercial significance and is kept secret as required by law. It can also qualify for copyright protection if it is published.
India has no trade secrets law. Courts have instead protected trade secrets (eg, consumer profiles, lists of suppliers and clients, distribution methods and advertising strategies) under common law.
To claim any proprietary rights in their data for exclusive use and exploitation, start-ups must first understand privacy laws and take proper safeguards and measures. A balance must be struck, wherein a start-up can claim IP protection over data – provided that it is data protected – but an embargo is created if privacy rights are invaded.
Takeaway for start-ups
Laws on data protection are gradually crystallising. Although big internet-based companies are presently under scrutiny, it cannot be long before existing start-ups step into their shoes. Many start-ups are sitting on vast amounts of data, which is their most valuable asset. If they do not ensure that their data is protected from privacy concerns, their entire empire will fall.
In its recent privacy judgment, the Supreme Court noted the following ‘nine privacy principles’ that data controllers must ensure.
A simple-to-understand notice of its information practices shall be given to all users before personal information is collected. This may include the details of the personal information being collected, the purpose and use of its collection and whether it will be shared with third parties. Data breaches, if any, shall be notified.
Choice and consent
Choices (eg, opt-in or opt-out) shall be given to individuals with regard to providing their personal information, and individual consent shall be obtained only after providing notice of the data processor’s information practices. Only after consent has been granted should data be collected, processed and used.
A data controller shall collect personal information only as is necessary for the purposes identified for such collection, regarding which notice must be provided and individual consent obtained. Such collection shall be through lawful and fair means.
Personal data collected and processed should be adequate and relevant to the purposes for which it is processed. If there is a change of purpose, this must be notified to the individual. After personal information has been used it should be destroyed.
Access and correction
Individuals shall have access to personal information about themselves and shall be able to seek correction, amendment or deletion of such information where it is inaccurate.
Disclosure of information
Personal information shall not be disclosed to third parties, except after providing notice and seeking informed consent from the individual for such disclosure. Third parties must adhere to the relevant and applicable privacy principles.
Personal information shall be secured by reasonable security safeguards against loss, unauthorised access, destruction, use or other reasonably foreseeable risks.
All necessary steps shall be taken to ensure compliance with the privacy principles, information regarding which shall be made available to all individuals in an intelligible form, using clear and plain language.
The data controller shall be accountable for complying with measures which give effect to the privacy principles.
It is evident that in the age of Big Data, the right to privacy is an emerging and pivotal issue. Such data is the heart of the business of internet-based start-ups. While endeavouring to make it big, start-up companies must thin the chances of liability for data privacy violations by taking proper safeguards as they exploit and claim proprietary rights over their data.
Anand and Anand
First Channel Building
Plot 17A, Sector 16A
Film City, Noida 201301
Tel +91 120 405 9300
Fax +91 120 424 3056
Tusha Malhotra is a partner at Anand and Anand. She is the co-author of the India chapters in multiple leading legal guides and regularly contributes articles to various publications and law journals. She is also a regular speaker at a wide range of forums. Ms Malhotra has been a counsel in various noteworthy matters, including Merck, and has been a part of pioneering judgments, such as the first case on the interpretation of Section 3(d) of the Patents Act, the first patent case decided in favour of the patentee under the amended Patents Act and a leading case on the interpretation of Section 15(2) of the Copyright Act.
Rashi Punia is an associate in the litigation department at Anand and Anand. She has a bachelor’s degree and an LLB from the Army Institute of Law, Mohali and has obtained a diploma in cyber law from the Asian School of Cyber Laws. She has worked with an IP and internet law firm, where one notable achievement was working on a case regarding intermediary liability in copyright infringement. She has worked as a judicial clerk with a judge at the High Court of Delhi. She also has experience working for a non-governmental organisation in Rajasthan. At Anand and Anand, Ms Punia primarily works on pharmaceutical patent, trademark and copyright issues.