iSPIRT Final Comments on India’s Personal Data Protection Bill

Below are iSPIRT’s comments and recommendations on the draft Personal Data Protection Bill. iSPIRT’s overall data privacy and data empowerment philosophy is covered here.

Table of Contents

Major Comments
1. Include Consent Dashboards
2. Financial Understanding and Informed Consent for all Indians
3. Data Fiduciary Trust Scores Similar to App Store Ratings
4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data
5. Warn of Potential Credit and Reputation Hazards
6. A Right to View and Edit Inferred Personal Data
7. Sharing and Processing of Health Data

Suggestions and Questions

  • Fund Data Rights Education
  • Limit Impact Assessment Requirement
  • Passwords should be treated differently than other Sensitive Personal Data.
  • Does the Bill intend to ban automatic person-tagging in photos and image search of people?
  • Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.
  • Need for an Authority appeal process when data principal rights conflict
  • Do not outlaw private fraud detection
  • Limit record keeping use and disclosure to the Authority and the company itself.
  • Filings may be performed digitally
  • Request for Definition Clarifications
  • Author Comments
  • Links
  • Appendix – Sample User Interface Screens

Major Comments

1. Include Consent Dashboards

We support the idea of a Consent Dashboard as suggested in the Data Protection Committee Report (page 38) and recommend it to be incorporated in the Bill in Section 26 – Right to Data Portability and Section 30 (2) Transparency.  

We envision all of a user’s personal and inferred data that is known by data fiduciaries (i.e. companies) being exposed on a consent dashboard, provided by a third party consent collector or account aggregator (to use the RBI’s parlance). Below is an example user interface:

This mandate would enable users to have one place – their consent collector-provided dashboard – to discover, view and edit all data about them. It would also allow users to see any pending, approved and denied data requests.

Furthermore, in the event of data breaches, especially when a user’s password and identifier (mobile, email, etc) have been compromised, the breach and recommended action steps could be made clear on the consent dashboard.

Given the scope of this suggestion, we recommend an iterative or domain specific approach, wherein financial data is first listed in a dashboard limited to financial data and for its scope to grow with time.

2. Financial Understanding and Informed Consent for all Indians

We applaud the Bill’s Right to Confirmation and Access (Chapter IV, Section 24):

The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

That said, we’ve found in practice that it’s difficult to appreciate the implications of digital policies on users until real user interfaces are presented to end users and then tested for their usability and understanding. Hence, we’ve put together a set of sample interfaces (see Appendix) that incorporate many of the proposed bill’s provisions and our recommendations. Even so, much more work is needed before we can confidently assert that most Indians understand these interfaces and what they are truly consenting to share.

The concepts behind this bill are complicated and yet important. Most people do not understand concepts such as “revocable data access rights” and other rather jargon-filled phrases often present in the discussion of data privacy rights. Hence, we believe the best practices from interface design must be employed to help all Indians – even those who are illiterate and may only speak one of our many non-dominant languages – understand how to control their data.

For example, multi-language interfaces with audio assistance and help videos could be created to aid understanding and create informed consent.  Toll-free voice hotlines could be available for users to ask questions. Importantly, we recognize that the interfaces of informed consent and privacy control need rigorous study and will need to evolve in the years ahead.

In particular, we recommend user interface research in the following areas:

  • Interfaces for low-education and traditionally marginalized communities
  • Voice-only and augmented interfaces
  • Smart and “candy-bar” phone interfaces
  • Both self-serving and assisted interfaces (such that a user can consensually and legally delegate consent, as tax-payers do to accountants).

After user interface research has been completed and one can confidently assert that certain interface patterns can be understood by most Indian adults, we can imagine that templated designs representing best practices are recommended for the industry, much like the design guidelines for credit card products published by US Consumer Financial Protection Bureau or nutritional labelling.

3. Data Fiduciary Trust Scores Similar to App Store Ratings

We support the government’s effort to improve the trust environment and believe users should have appropriate, easy and fast ways to give informed consent & ensure bad actors can’t do well. Conversely, we believe that the best actors should benefit from a seamless UI and rise to the top.

The courts and data auditors can’t be the only way to highlight good, mediocre and bad players. From experience, we know that there will be a continuum of good to bad experiences provided by data fiduciaries, with only the worst and often most egregious actions being illegal.

People should be able to see the experiences of other users – both good and bad – to make more meaningful and informed choices. For example, a lender that also cross-sells other products to loan recipients and shares their mobile numbers may not be engaging in an illegal activity but users may find it simply annoying.

Hence, we recommend that data fiduciary trust scores are informed by user-created negative reviews (aka complaints) and positive reviews.

In addition to Data Auditors (as the Bill envisions), user created, public ratings will create additional data points and business incentives for data fiduciaries to remain in full compliance with this law, without a company’s data protection assessment being the sole domain of its paid data auditors.

We would note that crowd sourced rating systems are an ever-evolving tech problem in their own right (and subject to gaming, spam, etc) and hence, trust rating and score maintenance may be best provided by multiple market actors and tech platforms.

4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data

…so 3rd party actors and civil society can act on behalf of users.

A privacy framework will not change the power dynamics of our society overnight. Desperate people in need of money will often sign over almost anything, especially abstract rights. Additionally, individual citizens will rarely be able to see larger patterns in the behaviour of lenders or other data fiduciaries and are ill-equipped to fight for small rewards on behalf of their community. Hence, we believe that user ratings and complaint data about data fiduciaries must be made available in machine-readable forms not only to the State but also to third parties, civil society and researchers so that they may identify patterns of good and bad behaviour, acting as additional data rights watchdogs on behalf of all of us.

5. Warn of Potential Credit and Reputation Hazards

We are concerned about the rise of digital and mobile loans in other countries in recent years. Kenya – a country with high mobile payment penetration and hence like India one that has become data rich before becoming economically rich – has seen more than 10% of the adult population on credit blacklists in 2017; three percent of all digital loans were reportedly used for gambling. These new loan products were largely made possible by digital money systems and the ability of lenders to create automated risk profiles based on personal data; they clearly have the potential to cause societal harm and must be considered carefully.

Potential remedies to widespread and multiple loans are being proposed (e.g. real-time credit reporting services), but the fact that a user’s reputation and credit score will be affected by an action (such as taking out a loan) must also be known and understood by users. For example, users need to know that an offered loan will be reported to other banks and that, if they don’t pay, they will be reported and unable to get other loans.

Furthermore, shared usage-based patterns – such as whether a customer pays their bills on time or buys certain types of products – must be available for review by end users.

6. A Right to View and Edit Inferred Personal Data

The Machine Learning and AI community have made incredible strides in computers’ ability to predict or infer almost anything. For example, in 2017, a babajob.com researcher showed the company could predict whether a job seeker earned more or less than Rs 12000 / month with more than 80% accuracy, using just their photo.  She did this using 3000 job seeker photos, 10 lines of code and Google’s TensorFlow for Poets sample code.  Note the project was never deployed or made publicly available.

As these techniques become ever more commonplace in the years to come, it’s reasonable to assume that public facing camera and sensor systems will be able to accurately infer most of the personal data of their subjects – e.g. their gender, emotional state, health, caste, religion, income – and then connect this data to other personally identifiable data such as a photo of their credit card and purchase history. Doing so will improve training data so that systems become even more accurate. In time, these systems – especially ones with large databases of labelled photos – like the governments’, popular social networks’ or a mall’s point of sale + video surveillance system – truly will be able to precisely identify individuals and their most marketable traits from any video feed.

Europe’s GDPR has enshrined the right for people to view data inferred about them, but in conjunction with the idea of a third party consent dashboard or Account Aggregator (in the RBI’s case), we believe we can do better.

In particular, any entity that collects or infers data about an individual that’s associated with an identifier such as an email address, mobile, credit card, or Aadhaar number should make that data viewable and editable to end users via their consent dashboard.  For example, if a payment gateway provider analyses your purchase history and infers you are diabetic and sells this information as a categorization parameter to medical advertisers, that payment gateway must notify you that it believes you are diabetic and enable you to view and remove this data. Google, for example, lists these inferences as Interests and allows users to edit them:

Using the Consent Dashboard mentioned in Major Comment 1, we believe users should have one place where they can discover, view and correct all personal and inferred data relevant to them.

Finally, more clarity is needed regarding how data gathered or inferred from secondary sources should be regulated and what consent may be required. For example, many mobile apps ask for a user’s consent to read their SMS Inbox and then read their bank confirmation SMSs to create a credit score. From our view, the inferred credit score should be viewable by the end user before it’s shared, given it’s personal data that deeply affects the user’s ability to gain usage of a service (in this case, often a loan at a given interest rate).

7. Sharing and Processing of Health Data

The Bill requires capturing the purpose for data sharing:

Chapter II, point 5:

“Purpose limitation.— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.”

In the healthcare domain, collecting the purpose for which the data is being shared might itself be quite revealing. For example, if data is being shared for a potential cancer biopsy or HIV testing, the purpose might be enough to make inferences and private determinations about the patient and, say, deny insurance coverage. On the other hand, stating high-level, blanket purposes might not be enough for future audits. A regulation must be in place to ensure the confidentiality of the stated purpose.

The Bill has a provision for processing sensitive personal data for prompt action:

Chapter IV, point 21:

“Processing of certain categories of sensitive personal data for prompt action. — Passwords, financial data, health data, official identifiers, genetic data, and biometric data may be processed where such processing is strictly necessary— (a) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal; (b) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or (c) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.”

While this is indeed a necessity, we believe that a middle ground could be achieved by providing an option for users to appoint consent nominees, in a similar manner to granting power of attorney. In cases of emergency, consent nominees such as family members could grant consent on behalf of the user. Processing without consent could happen only in cases where a consent nominee is unavailable or has not been appointed. This creates an additional layer of protection against misuse of health data of the user.

Suggestions and Questions

Fund Data Rights Education

We believe a larger, public education program may be necessary to educate the public on their data rights.

Limit Impact Assessment Requirement

Section 33 – Data Protection Impact Assessment —

  • Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section. …
  • On receipt of the assessment, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as may be issued by the Authority.

We believe that the public must be protected from egregious data profiling but this provision does not strike an appropriate balance with respect to innovation. It mandates that companies and other researchers must ask government permission to innovate around large scale data processing before any work, public deployments or evidence of harm takes place. We believe this provision will be a large hindrance to experimentation and cause significant AI research to simply leave India. A more appropriate balance might be to ask data fiduciaries to privately create such an impact assessment but only submit it to the Authority for approval once small scale testing has been completed (with potential harms better understood) and large scale deployments are imminent.

Passwords should be treated differently than other sensitive personal data.

Chapter IV – Section 18. Sensitive Personal Data. Passwords are different than other types of Sensitive Personal Data, given that they are a data security artifact, rather than a piece of data that is pertinent to a person’s being. We believe that data protection should be over-ridden in extraordinary circumstances without forcing companies to provide a backdoor to reveal passwords. We fully acknowledge that it is useful and sometimes necessary to provide backdoors to personal data – e.g. one’s medical history in the event of a medical emergency – but to require such a backdoor for passwords would likely introduce large potential security breaches throughout the entire personal data ecosystem.  

Does the Bill intend to ban automatic person-tagging in photos and image search of people?

Chapter I.3.8 – Biometric Data – The Bill defines Biometric Data to be:

“facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;”

The Bill includes Biometric Data in its definition of Sensitive Personal Data (section 3.35) which may only be processed with explicit consent:

Section 18. Processing of sensitive personal data based on explicit consent. — (1) Sensitive personal data may be processed on the basis of explicit consent

From our reading, we can see a variety of features available today around image search and person tagging being disallowed based on these provisions. E.g. Google’s image search contains many facial images which have been processed to enable identification of natural persons. Facebook’s “friend auto-suggestion” feature on photos employs similar techniques. Does the Bill intend for these features and others like them to be banned in India? It can certainly be argued that non-public people have a right to explicitly consent before they are publicly identified in a photo but we feel the Bill’s authors should clarify this position. Furthermore, does the purpose of unique identification processing matter with respect to its legality?  For example, we can imagine mobile phone-based, machine learning algorithms automatically identifying a user’s friends to make a photo easier to share with those friends; would such an algorithm require explicit consent from those friends before it may suggest them to the user?

Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.

Chapter IV – Section 25.4 – Right to correction, etc

Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.

We believe the mandate on a data fiduciary to notify all relevant entities of a personal data change is too great a burden and is better performed by a consent dashboard, which maintains a record of which other entities have a valid, up-to-date consent request to a user’s data. Hence, upon a data change, the data fiduciary would update the consent dashboard of the change and the consent dashboard would then notify all other relevant entities.

It may be useful to keep the user in this loop – so that this sharing is done with their knowledge and approval.

Need for an Authority appeal process when data principal rights conflict

Section 28.5 – General conditions for the exercise of rights in this Chapter. —  

The data fiduciary is not obliged to comply with any request made under this Chapter where such compliance would harm the rights of any other data principal under this Act.

This portion of the law enables a data fiduciary to deny a user’s data change request if it believes doing so would harm another data principal. We believe it should not be up to the sole discretion of the data fiduciary to determine which data principal rights are more important and hence would like to see an appeal process to the Data Protection Authority made available if a request is refused for this reason.

Do not outlaw private fraud detection

Section 43.1 Prevention, detection, investigation and prosecution of contraventions of law

(1) Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.

We worry the above clause would effectively outlaw fraud detection research, development and services by private companies in India. For instance, if a payment processor wishes to implement a fraud detection mechanism, they should be able to do so, without leaving that task to the State.  These innovations have a long track record of protecting users and businesses and reducing transaction costs. We recommend a clarification of this section and/or its restrictions to be applied to the State.

Limit record keeping use and disclosure to the Authority and the company itself.

Section 34.1.a. Record – Keeping –

The data fiduciary shall maintain accurate and up-to-date records of the following

(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;

We expect sensitive meta-data and identifiers will need to be maintained for the purposes of Record Keeping; we suggest that this Record Keeping information be allowed but its sharing limited only to this use and shared only with the company, its Record Keeping contractors (if any) and the Authority.

Filings may be performed digitally

Section 27.4 – Right to be Forgotten

The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.

The Bill contains many references to filing an application;  we’d suggest a definition that is broad and includes digital filings.

This also applies to sections which include “in writing” – which must include digital communications which can be stored (for instance, email).

Request for Definition Clarifications

What is “publicly available personal data”?

  • Section 17.2.g – We believe greater clarity is needed around the term “publicly available personal data.” There are questionably obtained databases for sale that list the mobile numbers and addresses of millions of Indians – would these thus be included as publicly available personal data?
  • We’d recommend that DPA defines rules around what is publicly available personal data so that it is taken out of the ambit of the bill.  
  • The same can be said for data where there is no reasonable expectation of privacy (with the exception that systematic data collection on one subject cannot be considered to be such a situation)

Clarity of “Privacy by Design”

Section 29 – Privacy by Design

Privacy by Design is an established set of principles (see here and in GDPR) and we would like to see the Bill reference those patterns explicitly or use a different name if it wishes to employ another definition.

Define “prevent continuing disclosure”

Section 27.1 – Right to be Forgotten

The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary…

We request further clarification on the meaning of  “prevent continuing disclosure” and an example use case of harm.

Define “standard contractual clauses” for Cross-Border Transfers

Section 41.3.5 – Conditions for Cross-Border Transfer of Personal Data

(5) The Authority may only approve standard contractual clauses or intra-group schemes under clause (a) of sub-section (1) where such clauses or schemes effectively protect the rights of data principals under this Act, including in relation with further transfers from the transferees of personal data under this subsection to any other person or entity.

We would like to see standard contractual clauses clearly defined.

Define “trade secret”

Section 26.2 C – Right to be Forgotten

compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

We request further clarification on the meaning of  “trade secret” and an example of the same.

Author Comments

Compiled by iSPIRT Volunteers:

Links

Comments and feedback are appreciated. Please mail us at [email protected].

Appendix – Sample User Interface Screens

Link: https://docs.google.com/presentation/d/1Eyszb3Xyy5deaaKf-jjnu0ahbNDxl7HOicImNVjSpFY/edit?usp=sharing

******

Policy Hacks On India’s Digital Sky Initiative 1.0

On August 27, 2018, India announced its much-awaited Civil Aviation Regulations (CAR) for drones. The new CAR had many improvements on the original draft published last year, but most important was the introduction of Digital Sky, a technology platform that would handle the entire process of regulating the registration and permissions for all Remotely Piloted Aircraft Systems above the nano category, i.e. any remote controlled or automated flying object – multi-rotor or fixed-wing, electric or IC-engine. This set of regulations, along with the announcement of the Digital Sky drone policy, represents the government’s “Drone Policy 1.0”.

What this policy isn’t?

From the outset, one of the largest criticisms of the draft was its seeming omission of beyond visual line of sight flights, as well as those of fully-autonomous operations. Combined with a ban on delivery of items, it would seem like the government is pre-emptively clamping down on some of the most promising uses of Unmanned Aerial Vehicles before they even begin.

But on close inspection, the Ministry of Civil Aviation has made an interesting & what looks to be a promising decision in naming this policy as “1.0”. Through the various public comments made by the Minister of State for Civil Aviation, Jayant Sinha, it can be gathered that there is a phased-approach being adopted for the planning and implementation of the government’s strategy for unmanned aerial vehicles.

The more complex commercial operations will be rolled out atop the digital platform, allowing the government to test the waters before allowing potentially risky operations.

At iSPIRT, we appreciate this data-driven, innovation-friendly yet safety-first approach that has been inherent to all of civil aviation.

What does the policy say?

The policy lays out a general procedure for registering, and taking permissions to fly for, every type of remotely piloted aircraft system (RPAS). A good summary of the regulations themselves, what you need to fly, what you can and cannot do is given here. We will be focussing this blog post on demystifying Digital Sky and the surrounding technology: how it works, what it does and what private players should be doing about it.

What is Digital Sky?

Digital Sky is essentially a barebones Unmanned Aircraft Traffic Management system. An Unmanned Traffic Management (UTM) system is to drones what ATC is to aircraft. Most countries are looking to external UTM providers to build and run this digital enabling infrastructure. The government of India, in continuing its digital infrastructure as public goods tradition, has decided to build and run its own UTM to ensure that this critical infrastructure system remains committed to interoperability and is free from the risks of vendor capture in the long run. Digital Sky is the first version of such a UTM for managing drone flights in both controlled as well as uncontrolled airspaces.

For consumers, Digital Sky is essentially constructed of three layers: Online Registrations, Automated Permissions, and Analytics, Tracking and Configurable Policies.

Online Registrations is the layer that onboards operators, pilots, RPAS and manufacturers on to the Digital Sky Platform. It will be a fully digital process, and applicants can track their applications online. All registered users will have an identity number, including the RPAS, which will get a Unique Identification Number (UIN). There is a private key attached to the UIN allowing the drone to prove it is who it claims to be through digital signatures.

Automated Permissions is the transaction layer that digitizes the process of seeking airspace clearance. Using Open APIs or a portal provided by the government, drones can directly seek permissions by specifying the geographic area, time of operations & pilot registration id, signed with the UIN of drone. In response to the API call or portal request, an XML file digitally signed by the DGCA is generated. This XML response is called the Permission Artefact.

All RPAS sold in India under the new policy must carry firmware that can authenticate such a Permission Artefact. Further, they must confirm that the flight parameters of the current mission match those given in the authenticated Permission Artefact. If these parameters do not match, the RPAS must not arm. This condition is referred to simply as No Permission, No Takeoff or NPNT. Thus, the requirement is that any RPAS (except nano) operated in India should be NPNT compliant. We will cover what it means to be NPNT compliant in part two of this series.

To deal with areas of low connectivity, this authenticated request can be carried out prior to the flight itself, when connectivity is available. The Permission Artefact can be stored, carried and read offline by an NPNT-compliant RPAS with a registered UIN. Thus flight operations in remote or low-connectivity areas will not be severely impacted. While this seems tedious, it promises to be a lot easier than the draft regulations, which required the filing of flight plans 60 days in advance.
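The NPNT pre-flight decision described above, sketched as an added example; it is not DGCA or iSPIRT code and the real Permission Artefact schema is not given on this page. The XML layout, attribute names, bounding-box area, JSON canonical form and the toy RSA key are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed toy issuer key standing in for the DGCA signing key. It is built
# from two Mersenne primes so the example is reproducible offline and offers no
# security; real firmware would hold only the issuer's public key (N, E).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer-side private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) (RFC 8017, section 9.2)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def issuer_sign(message: bytes) -> bytes:
    """Issuer side (constructed): RSA signature with the toy private key."""
    return pow(int.from_bytes(_encode(message), "big"), D, N).to_bytes(K, "big")


def verify_signature(message: bytes, signature: bytes) -> bool:
    """Drone side: rebuild the expected encoding and compare all of it."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        return False
    return hmac.compare_digest(pow(s, E, N).to_bytes(K, "big"), _encode(message))


def signed_bytes(permission: ET.Element) -> bytes:
    """Hypothetical canonical form: sorted attributes as JSON, standing in
    for the XML canonicalisation a real XML signature would use."""
    return json.dumps(sorted(permission.attrib.items())).encode()


def issue_artefact(**fields: str) -> str:
    """Issuer side (constructed): build and sign a simplified artefact."""
    root = ET.Element("PermissionArtefact")
    perm = ET.SubElement(root, "Permission", fields)
    ET.SubElement(root, "Signature").text = issuer_sign(signed_bytes(perm)).hex()
    return ET.tostring(root, encoding="unicode")


def may_arm(artefact_xml: str, drone_uin: str, mission: dict):
    """Return (allowed, reason); every failure leaves the RPAS disarmed."""
    try:
        root = ET.fromstring(artefact_xml)
        perm = root.find("Permission")
        sig = bytes.fromhex(root.findtext("Signature", ""))
        if perm is None or not verify_signature(signed_bytes(perm), sig):
            return False, "signature invalid"
        a = perm.attrib                      # trusted only from here on
        uin, pilot = a["uin"], a["pilotId"]
        start = datetime.fromisoformat(a["start"])
        end = datetime.fromisoformat(a["end"])
        if start.tzinfo is None or end.tzinfo is None:
            raise ValueError("timestamps must carry a UTC offset")
        lat0, lat1, lon0, lon1 = (float(a[k]) for k in
                                  ("minLat", "maxLat", "minLon", "maxLon"))
    except (ET.ParseError, KeyError, ValueError):
        return False, "artefact malformed"
    if uin != drone_uin:
        return False, "artefact issued for a different UIN"
    if pilot != mission["pilot_id"]:
        return False, "pilot mismatch"
    if not (start <= mission["takeoff"] <= mission["landing"] <= end):
        return False, "outside permitted time window"
    if not all(lat0 <= lat <= lat1 and lon0 <= lon <= lon1
               for lat, lon in mission["waypoints"]):
        return False, "waypoint outside permitted area"
    return True, "ok"


# Constructed sample data: one artefact and one matching mission.
IST = timezone(timedelta(hours=5, minutes=30))
DRONE_UIN = "UIN-CONSTRUCTED-001"
ARTEFACT = issue_artefact(
    uin=DRONE_UIN, pilotId="PILOT-CONSTRUCTED-01",
    start="2018-12-01T09:00:00+05:30", end="2018-12-01T10:00:00+05:30",
    minLat="12.90", maxLat="12.95", minLon="77.50", maxLon="77.60")
MISSION = {
    "pilot_id": "PILOT-CONSTRUCTED-01",
    "takeoff": datetime(2018, 12, 1, 9, 10, tzinfo=IST),
    "landing": datetime(2018, 12, 1, 9, 40, tzinfo=IST),
    "waypoints": [(12.91, 77.52), (12.94, 77.58)],
}

if __name__ == "__main__":
    print(may_arm(ARTEFACT, DRONE_UIN, MISSION))
    edited = ARTEFACT.replace('maxLat="12.95"', 'maxLat="13.95"')
    print(may_arm(edited, DRONE_UIN, MISSION))
```

The signature is checked before any field is read, so an artefact edited after issue is rejected as a whole rather than field by field, and the check needs no network access once the artefact is stored on the RPAS.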

Digital Sky will classify all existing airspace into three colour-coded zones:

  • Green Zones are where drones are pre-authorized to fly, but must still obtain a permission artefact to notify the local authorities of their intent to fly. On applying for permission, a permission artefact is returned instantly.
  • Red Zones are where drone operations are forbidden from taking place. This includes areas such as airports, borders and other sensitive areas.
  • Amber Zones are areas restricted by appropriate reasons as mentioned in the CAR where additional permissions are required. These requests are also initiated and managed through the Digital Sky Platform.

Analytics, Tracking & Configurable (ATC) Policies is a shorthand for the regulatory functions that the DGCA will carry out to regulate the use of airspace by unmanned aircraft. It involves functions such as the classification of Red, Amber & Green zones, deconfliction of overlapping flights, incident response, etc.

The MoCA has articulated its desire for an ecosystem-driven approach to building out the drone industry. From an earlier draft of the No Permission No Takeoff technical document shared with manufacturers, it is expected that this layer of Digital Sky will be opened up to private players labelled as Digital Sky Service Providers (DSPs). We will cover more about Digital Sky Service Providers in part three of this series.

Conclusion

Digital Sky appears to be a move towards a more data-driven, phased-approach to policy and regulation for emerging technology. It is a global first and offers a truly forward-looking approach compared to most other nations.

For operators, in the long term, a formal system leads to an eco-system of authorised players, increase in trust, and rise of a legitimate industry. 

Note: We have been actively following the Digital Sky policy development and intend to bring out part two of this blog after an active rollout and implementation starts.

Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products

‘Digital India’ is one of the flagship programmes of the Government of India (GoI) with an aim to transform the country into a digitally empowered economy. Given the massive push that the government is giving to this programme, some radical changes have taken place across the country at both the public as well as at the government level in terms of digitization. However, it is also a reality that the growing digitization has increased vulnerability to data breaches and cyber security threats.

According to the Indian Computer Emergency Response Team (CERT-In), more than 22,000 Indian websites, including 114 government portals were hacked between April 2017 and January 2018, including the Aadhaar data leak in May 2017. These incidents clearly emphasized a strong need for cyber security products to tackle the threat to India’s digital landscape. In fact, last year, the Union Ministry of Electronics & Information Technology (MeitY) had directed all ministries to spend 10% of their IT budgets on cyber security and strengthen the Government’s IT structure in the wake of cyber threats.

Now, in order to be prepared for cyber breaches, the government entities need sophisticated security products and solutions. Currently, there is a heavy reliance on the foreign manufacturers to source these products as there are a handful of domestic players operating in this space. MeitY had issued a draft notification in June 2017 stating its preference to procure domestic cyber security products and give further impetus to the government’s flagship programme ‘Make in India’, thereby also boosting income and employment in the country.

The good news is that now the government has mandated ‘Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products’ policy which was released on July 2, 2018. With this policy in place, the local manufacturers will get the much required clarity and support to produce cyber security products. As the participation of domestic players increases in the cyber security industry, it will not only make the digital economy stronger and safer for the nation, but also enhance the ability of the suppliers to compete at a global business level. At the same time, it will also give an opportunity to foreign players to invest in the Indian cyber security product manufacturers which in turn will enable India to channel more FDI into the economy.

Let’s take a look at the key highlights of this policy:

What is the objective?

Cyber Security being a strategic sector, preference shall be provided by all procuring entities to domestically manufactured/produced cyber security products to encourage ‘Make in India’ and to promote manufacturing and production of goods and services in India with a view to enhancing income and employment.

Who are the procuring entities?

Ministry or department or attached or subordinate office of, or autonomous body controlled by the Government of India (GoI) which includes government companies.

Who qualifies to be a ‘local supplier’ of domestically manufactured/produced cyber security products?

A company incorporated and registered in India as governed by the applicable Act (Companies Act, LLP Act, Partnership Act etc.) or startup that meets the definition as prescribed by DIPP, Ministry of Commerce and Industry Government of India under the notification G.S.R. 364 (E) dated 11th April 2018 and recognized under Startup India initiative of DIPP.

 AND

Revenue from the product(s) in India and revenue from Intellectual Property (IP) licensing should accrue to the aforesaid company/startup in India.

How big is the government opportunity?

There is a huge government opportunity waiting to be leveraged, especially because MeitY had asked all ministries to spend 10% of their IT budgets on cyber security.

What are the key benefits of the policy to the local supplier?

The main benefits of the policy that local suppliers can avail are:

  • Procurement of goods from the local supplier if the order value is Rs.50 lacs or less.
  • For goods that are divisible in nature and the order value being more than Rs.50 lacs, procurement of full quantity of goods from the ‘local’ supplier if it is L1 (refer the note below). If not, at least 50% procurement from the local supplier subject to the local suppliers’ quoted price falling within the margin of purchase preference.
  • For goods that are not divisible in nature and the order value being more than Rs.50 lacs, the procurement of the full quantity of goods from the local supplier if it is L1. If not, then the local supplier will be invited to match the L1 bid and the contract will be awarded to the local supplier on matching the L1 price.
  • The cyber security products notification shall also be applicable to the domestically manufactured/produced cyber security products covered in turnkey/system integration projects. In such cases the preference to domestically manufactured/produced cyber security products would be applicable only for the value of cyber security product forming part of the turnkey/ system-integration projects and not on the value of the whole project.

Note: L1 means the lowest tender or lowest bid or lowest quotation received in a tender, bidding process or other procurement solicitation as adjudged in the evaluation process as per the tender or other procurement solicitation.

How do I get my cyber security product listed to start getting the benefits of this policy?

You need to get your product evaluated and approved by the empowered committee of the government.

The ‘Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products’ policy is a commendable step in the direction of providing a robust leap to ‘Digital India’ and ‘Make in India’ programmes.

Get complete details about the policy here. You can also reach the author for more details @ [email protected]

About Author:

Ashish Tandon, Founder & CEO – Indusface

Ashish Tandon, a first-generation entrepreneur with a rare combination of strong technology understanding and business expertise, has successfully led and exited several ventures in the areas of security, internet services and cloud-based mobile and video communication solutions. Under his leadership as founder & CEO, Indusface, a bootstrapped, fast-growing and profitable company, has been recognized as an award-winning Application Security company with 1000+ global customers and a multi-million $ ARR. He is also closely associated with the government and industry bodies of India in the drafting of various Software Product & Security related acts, regulations & policies. Connect with him on LinkedIn or Twitter.

Data Privacy and Empowerment in Healthcare

Technology has been a boon to healthcare. Minimally-invasive procedures have significantly improved the safety and recovery time of surgeries. Global collaboration between doctors has improved diagnosis and treatment. A rise in the awareness of patients has increased the demand for good quality healthcare services. These improvements, coupled with the growing penetration of IT infrastructure, are generating huge volumes of digital health data in the country.

However, healthcare in India is diverse and fragmented. During an entire life cycle, an individual is served by numerous healthcare providers, of different sizes, geographies, and constitutions. The IT systems of different providers are often developed independently of each other, without adherence to common standards. This fragmentation has the undesirable consequence of the systems communicating poorly, fostering redundant data collection across systems, inadequate patient identification, and, in many cases, privacy violations.

We believe that this can be addressed through two major steps. Firstly, open standards have to be established for health data collection, storage, sharing and aggregation in a safe and standardised manner to keep the privacy of patients intact. Secondly, patients should be given complete control over their data. This places them at the centre of their healthcare and empowers them to use their data for value-based services of their choice. As the next wave of services is built atop digital health data, data protection and empowerment will be key to transforming healthcare.

Numerous primary health care services are already shifting to smartphones and other electronic devices. There are apps and websites for diagnosing various common illnesses. This not only increases coverage but also takes the burden away from existing infrastructures which can then cater to secondary and tertiary services. Data shared from devices that track steps, measure heartbeats, count calories or analyse sleeping patterns can be used to monitor behavioural and lifestyle changes – a key enabler for digital therapeutic services. Moreover, this data can not only be used for monitoring but also for predicting the onset of diseases! For example, an irregular heartbeat pattern can be flagged by such a device, prompting immediate corrective measures. Thus, we see that as more and more people generate digital health data, control it and utilise it for their own care, we will gradually transition to a better, broader and preventive healthcare delivery system.

In this context, we welcome the proposed DISHA Act that seeks to Protect and Empower individuals with regard to their electronic health data. We have provided our feedback on the DISHA Act and have also proposed technological approaches in our response. This blog post lays out a broad overview of our response.

As our previous blog post articulates the principles underlying our Data Empowerment and Protection Architecture, we have framed our response keeping these core principles in mind. We believe that individuals should have complete control of their data and should be able to use it for their empowerment. This requires laying out clear definitions for use of data, strict laws to ensure accountability and agile regulators; thus, enabling a framework that addresses privacy, security and confidentiality while simultaneously improving transparency and interoperability.

While the proposed DISHA Act aligns broadly with our core principles, we have offered recommendations to expand certain aspects of the proposal. These include a comprehensive definition of consent (open standards, revocable, granular, auditable, notifiable, secure), distinction between different forms of health data (anonymization, deidentification, pseudonymous), commercial use of data (allowed for benefit but restricted for harm) and types and penalties in cases of breach (evaluation based on extent of compliance).

Additionally, we have outlined the technological aspects for implementation of the Act. We have used learnings from the Digital Locker Framework and Electronic Consent Framework (adopted by RBI’s Account Aggregator), previously published by MeitY. This involves the role of Data Fiduciaries – entities that not only manage consent but also ensure that it aligns with the interests of the user (and not with those of the data consumer or data provider). Data Fiduciaries only act as messengers of encrypted data without having access to the data – thus their prime task remains managing the Electronic Data Consent. Furthermore, we have highlighted the need to use open and set standards for accessing and maintaining health records (open APIs), consented sharing (consent framework) and maintaining accountability and traceability through digitally verified documents. We have also underscored the need for standardisation of data through health data dictionaries, which will open up the data for further use cases. Lastly, we have alluded to the need to create aggregated anonymised datasets to enable advanced analytics which would drive data-driven policy making.

We look forward to the announcement and implementation of the DISHA Act. As we move towards a future with an exponential rise in digital health data, it is critical that we build the right set of protections and empowerments for users, thus enabling them to become engaged participants and better managers of their health care.

We have submitted our response. You can find the detailed document of our response to the DISHA Act below.

Policy Hacks Session on GDPR & DEPA

There are concerns and curiosity about the European Union General Data Protection Regulation (GDPR), and there is a related issue in India being covered under the Data Empowerment and Protection Architecture (DEPA) layer of India Stack, which is being vigorously followed at iSPIRT.

iSPIRT organised a Policy Hacks session on these issues with Supratim Chakraborty (Data Privacy and Protection expert from Khaitan & Co.), Sanjay Khan Nagra (Core Volunteer at iSPIRT and M&A / corporate expert from Khaitan & Co) and Siddharth Shetty (Leading the DEPA initiative at iSPIRT).

Sanjay Khan interacted with both Siddharth and Supratim posing questions on behalf of Industry.

A video of the discussion is posted below, along with the main text of the discussion. We recommend watching and listening to the video.

GDPR essentially is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

Since it affects all companies having any business to consumer/people/individual interface in European Union, it will be important to understand this legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

Supratim mentioned in the talk that GDPR is based on the following main principles.

  1. Harmonize law across EU
  2. Keep pace with technological changes happening
  3. Free flow of information across EU territory
  4. To give back control to Individual about their personal data

Siddharth explained the DEPA initiative of iSPIRT. He mentioned that Data Protection is as important as Data Empowerment. What this means is that an individual has the ability to share personal data based on one’s choice to have access to services, such as financial services, healthcare etc. DEPA deals with the consent layer of India Stack.

This will help service providers like account aggregators in building a digital economy with sufficient control over the privacy concerns around the data. DEPA essentially is about building systems so that an individual or consumer is able to share data in a protected manner with a service provider for a specified use, a specified time etc. In a sense, it addresses the concern of privacy with the use of a technology architecture.

DEPA is being pursued in India and has nothing to do with the EU or other countries at present.

For more details on DEPA please use this link here http://indiastack.org/depa/

Sanjay Khan poses a relevant question: is GDPR applicable even on merely having a website that is accessible or usable from the EU?

Supratim explains that GDPR is applicable if there is involvement of personal data of data subjects in the EU. Primarily, GDPR gets triggered in three cases:

  1. You have an entity in EU,
  2. You are providing Goods and services to EU data subjects whether paid for or not and
  3. If you are tracking EU data subjects.

Many people come in the third category. The third category will especially apply to those websites where it is proved that EU is a target territory e.g. websites in one of the European languages, payment gateway integration to enable payments in EU currency etc.

What should one do?

Supratim further explains that the important and toughest task is data management with respect to personal data. How did it come in? Where all is it lying? Where is it going? Who can access it? Once you understand this map, then it is easier to handle. For example, a mailing list may be built up based on business cards that one may have collected at business conferences, but no one keeps track of these sources of collection. By not being able to segregate data, one misses the opportunity of sending even legitimate mailers.

If a data subject receives and gets annoyed by an obnoxious email on a ‘subject’ that has nothing to do with the data subject, the sender of the email may run into real problems.

Siddharth mentioned that some companies providing products and services in the EU through a local entity are shutting shop.

Supratim mentions that taking a proper, explicit and informed consent in the case of email, as mentioned in GDPR, is a much better way to handle this. On a question by Sanjay Khan, he emphasised the earlier point of data mapping mentioned above. After data mapping, one has to define GDPR-compliant policies.

EU data subjects have several rights: edit data, port data, erase data, restrict data etc. GDPR has to be practised with these rights actually enabled and policies and processes rolled out around them. There is no one template for GDPR-compliant policies.

Data governance will become extremely important in GDPR context, added Siddharth. Supratim added that having a Data Protection officer or an EU representative may be required as we go along in future based upon the complexity of data and business needs.

Can it be enforced on companies sitting in India? In absence of treaties, it may not be directly enforceable on Indian companies.  However, for companies having EU linkages, it may be a top-down effect if the controller of a company is sitting there.

Sanjay asked about companies having a US presence and doing business in the EU. Supratim’s answer was yes, these are the companies sitting on the fence.

How about B2B interactions? Will official emails also be treated as personal? Supratim answers yes, they may. Again, it has to be backed by the avenues where data was collected and legitimate use. Supratim further mentions that several aspects of the law are still evolving and the idea at present is to take a conservative view.

Right now it is important to start the journey of complying with GDPR, and follow the earlier raised points of data mapping, start defining policy and processes and evolve. In due course, there will be more clarity. And if you are starting a journey to comply with GDPR, you will further be ready to comply with Indian privacy law and other global legal frameworks.

“There is no denying the fact that one should start working on GDPR”, said Sanjay. “Sooner the better”, added Supratim.

We will be covering more issues on Data Protection and Privacy law in near future.

Author note and Disclaimer: PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact Software Product Industry and the startups in the eco-system. PolicyHacks, therefore, do not necessarily set out views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on the case to case basis.

Understanding iSPIRT’s Entrepreneur Connect

There is confusion about how iSPIRT engages with entrepreneurs. This post explains our engagement model so that the expectations are clear. iSPIRT’s mission is to make India into a Product Nation. iSPIRT believes that startups are a critical catalyst in this mission. In line with the mission, we help entrepreneurs navigate market and mindset shifts so that some of them can become trailblazers and category leaders.

Market Shifts

Some years back global mid-market business applications, delivered as SaaS, had to deal with the ubiquity of mobile. This shift upended the SaaS industry. Now, another such market shift is underway in global SaaS – with AI/ML being one factor in this evolution.

Similar shifts are happening in the India market too. UPI is shaking up the old payments market. JIO’s cheap bandwidth is shifting the digital entertainment landscape. And, India Stack is opening up Bharat (India-2) to digital financial products.

At iSPIRT, we try to help market players navigate these shifts through Bootcamps, Teardowns, Roundtables, and Cohorts (BTRC).

We know that reading market shifts isn’t easy. Like stock market bubbles, market shifts are fully clear only in hindsight. In the middle, there is an open question whether this is a valid market shift or not (similar to whether the stock market is in a bubble or not). There are strong opinions on both sides till the singularity moment happens. The singularity moment is usually someone going bust by failing to see the shift (e.g. Chillr going bust due to UPI) or becoming a trailblazer by leveraging the shift (e.g. PhonePe’s meteoric rise).

Startups are made or unmade on their bets on market shifts. Bill Gates’ epiphany that browser was a big market shift saved Microsoft. Netflix is what it is today on account of its proactive shift from ground to cloud. Closer home, Zoho has constantly reinvented itself.

Founders have a responsibility to catch the shifts. At iSPIRT, we have a strong opinion on some market shifts and work with the founders who embrace these shifts.

Creating Trailblazers through Winning Implementations

We are now tying our BTRC work to specific market-shifts and mindset-shifts. We will only work with those startups that have a conviction about these market/mindset-shifts (i.e., they are not on the fence), are hungry (and are willing to exploit the shift to get ahead) and can apply what they have learned from iSPIRT Mavens to make better products.

Another change is that we will work with young or old, big or small startups. In the past, we worked with only startups in the “happy-confused” stage.

We are making these changes to improve outcomes. Over the last four years, our BTRC engagements have generated very high NPS (Net Promoter Scores) but many of our startups continue to struggle with their growth ceilings, be it an ARR threshold of $1M, $5M, $10M… or whether it is a scalable yet repeatable product-market fit.

What hasn’t changed is our bias for working with a few startups instead of many. Right from the beginning, iSPIRT’s Playbooks Pillar has been about making a deep impact on a few startups rather than a shallow impact on many. For instance, our first PNGrowth had 186 startups. They had been selected from 600+ that applied. In the end, we concluded that we needed even better curation. So, our PNGrowth#2 had only 50 startups.

The other thing that hasn’t changed is we remain blind to whether the startup is VC funded or bootstrapped. All we are looking for are startups that have the conviction about the market/mindset-shift, the hunger to make a difference and the inner capacity to apply what you learn. We want them to be trailblazers in the ecosystem.

Supported Market/Mindset Shifts

Presently we support 10 market/mindset-shifts. These are:

  1. AI/ML Shift in SaaS – Adapt AI into your SaaS products and business models to create meaningful differentiation and compete on a global level playing field.

  2. Shift to Platform Products – Develop and leverage internal platforms to power a product bouquet. Building enterprise-grade products on a common base at fractional cost allows for a defensible strategy against market shifts or expanding market segments.

  3. Engaging Potential Strategic Partners (PSP) – PSPs are critical for scale and pitching to them is very different from pitching to customers and investors. Additionally, PSPs also offer an opportunity to co-create a growth path to future products & investments.

  4. Flow-based lending – Going after the untapped “largest lending opportunity in the world”.

  5. Bill payments – What credit and corporate cards were to West, bill payments will be to India due to Bharat Bill Pay System (BBPS).

  6. UPI 2.0 – Mass-market payments and new-age collections.

  7. Mutual Fund democratization – Build products and platforms that bring informal savings into the formal sector.

  8. From License Raj to Permissions Artefact for Drones – Platform approach to provisioning airspace from the government.

  9. Microinsurance for Bharat – Build products and platforms that reimagine Agri insurance on the back of India Stack and upcoming Digital Sky drone policy.

  10. Data Empowerment and Protection Architecture (DEPA) – with usage in financial, healthcare and telecom sectors.

This is a fluid list. There will be additions and deletions over time.

Keep in mind that we are trying to replicate for all these market/mindset-shifts what we managed to do for Desk Marketing and Selling (DMS). We focussed on DMS in early 2014 thanks to Mavens like Suresh Sambandam (KissFlow), Girish Mathrubootham (Freshworks), and Krish Subramaniam (Chargebee). Now DMS has gone mainstream and many sources of help are available to the founders.

Seeking Wave#2 Partners

The DMS success has been important for iSPIRT. It has given us the confidence that our BTRC work can meaningfully help startups navigate the market/mindset-shifts. We have also learned that the market/mindset-shift happens in two waves. Wave#1 touches a few early adopters. If one or more of them create winning implementations to become trailblazers, then the rest of the ecosystem jumps in. This is Wave#2. Majority of our startups embrace the market-shift in Wave#2.

iSPIRT’s model is geared to help only Wave#1 players. We falter when it comes to supporting Wave#2 folks. Our volunteer model works best with cutting-edge stuff and small cohorts.

Accelerators and commercial players are better positioned to serve the hundreds of startups embracing the market/mindset-shift in Wave#2. Together, Wave#1 and Wave#2, can produce great outcomes like the thriving AI ecosystem in Toronto.

To ensure that Wave#2 goes well, we have decided to include potential Wave#2 helpers (e.g., Accelerators, VCs, boutique advisory firms and other ecosystem builders) in our Wave#1 work (on a, needless to say, free basis). Some of these BTRC Scale Partners have been identified. If you see yourself as a Wave#2 helper who would like to get involved in our Wave#1 work, please reach out to us.

Best Adopters

As many of you know, iSPIRT isn’t an accelerator (like TLabs), a community (like Headstart), a coworking space (like THub) or a trade body. We are a think-and-do-tank that builds playbooks, societal platforms, policies, and markets. Market players like startups use these public goods to offer best solutions to the market.

If we are missing out on helping you, please let us know by filling out this form. You can also reach out to one of our volunteers here:

Chintan Mehta: AI shift in SaaS, Shift to Platform Products, Engaging PSPs

Praveen Hari: Flow-based lending

Jaishankar AL: Bill payments

Tanuj Bhojwani: Permissions Artefact for Drones

Nikhil Kumar: UPI2.0, MF democratization, Microinsurance for Bharat

Siddharth Shetty: Data Empowerment and Protection Architecture (DEPA)

Meghana Reddyreddy: Wave#2 Partners

We are always looking for high-quality volunteers. In case you’re interested in volunteering, please reach out to one of the existing volunteers or write to us at [email protected]

A Look Back At How Startup India Has Eased The Journey Of Startup And Investors


It’s been two years since the fateful 2016 budget which recognised “Startups” as a separate breed of companies unto themselves, demanding bespoke treatment from the government and authorities. The clarity brought forth helped quell the nerves of both companies and investors, who had to otherwise resort to exotic exercises, supplementary structures, and platoons of professionals to keep their entrepreneurial dreams alive.

As we all await with bated breath for the slew of reforms expected of the Finance Minister, it behoves us to see how far we’ve come and how much further we need to proceed so that a billion dreams may become a reality.

This article is the first part of a two-part series which explores how Startup India has eased the friction in the Startup ecosystem so far, from an investor’s perspective with the second part talking about the next step of reforms which would have a multiplier effect on the ecosystem.

Flywheel of Funding

More often than not, any coverage about fundraising covers the journey of startups and entrepreneurs and the travails of raising their multimillion dollar rounds. But there exists another dimension to this story, that of fund managers raising their own funds. A large section of the investor community was elated that the government recognised this oft-ignored story and created the Rs 10,000 Cr (USD 1.5 billion) Fund of Funds managed by SIDBI which invests into SEBI registered AIFs and Venture Capital Funds.

This approach seeks to galvanise an ecosystem through a flywheel effect, instead of gardening it via direct intervention. The 10,000 Cr corpus can help seed AIFs worth Rs 60,000 Cr in India, which when fully deployed, is estimated to foment 18 lakh jobs and fund thousands of Indian startups. By contributing a maximum of 20% of the corpus of a fund, many fund managers can hasten their fundraise and concentrate more on helping their portfolio companies raise, instead of competing with them.

The Fund of Funds has invested into 88 AIFs so far, thus galvanising more than 5,600 Cr (USD 873 million) worth of investments into 472 Startups.

Bringing back tax breaks, not a back-breaking Tax

The Government’s support of Indian investors found its way into the Income Tax Act, with several measures to incentivise investments into the Indian Startup ecosystem, such as:

  • Insertion of Section 54 EE, which exempts Long-Term Capital Gains up to Rs 50 lakhs provided it has been invested in the units of a SEBI registered AIF
  • Insertion of section 54GB, which exempts Long-Term Capital Gains of up to Rs 50 lakhs provided it has been invested into the shares of a Startup which qualifies for section 80IAC
  • Clarifying that the conversion of debentures or preference shares to equity shares will not be considered as a transfer and thus will not be subject to capital gains at the point of conversion (the entire Venture Capital industry is based on convertible debentures and preference shares and this move has settled long-standing disputes regarding the instruments of investments)
  • Issuing a notification that the dreaded angel tax will not apply to shares issued at a premium to domestic investors by those startups who qualify under the DIPP scheme (although the scope of this needs to be extended to rid the spectre of angel tax that haunts various investors and entrepreneurs)
  • Clarifying that the stance of the assessee in categorising the sale of listed securities held for more than 1 year as Capital Gains or Income from Business can’t be questioned by the taxman
  • Changing the definition of a capital asset to include any securities held by a Foreign Portfolio Investor, thus removing the friction arising from asset classification (a similar provision is sorely needed for domestic hedge funds and Category III AIFs)

Capital without Borders

The Startup India scheme over the past few years has rolled out the red carpet to foreign investors while rolling back the red tape. The success of this is evidenced by the percentage of funding foreign capital represents in the Indian startup ecosystem, which is 9 times higher than domestic capital investment.

Some of the initiatives include:

  • Liberalising Foreign Direct Investment into most sectors including financial services, single brand retail, pharma, media and a host of other sectors up to 100% in most areas
  • Abolishment of the Foreign Investment Promotion Board
  • Relaxation of External Commercial Borrowings (ECBs) for Startups for up to USD 3 million
  • Allowing for issue of shares for non-cash consideration to non-residents under the automatic route
  • Marshalling foreign investment into Indian entities primarily for the purpose of investing in other Indian entities has been brought under the automatic route as opposed to the previous government approval route
  • Dismantling the approval mechanism for the transfer of securities by a Foreign Venture Capital fund to an Indian resident
  • Moving most of the filings (FCGPR, FCTRS, etc) to an online window managed by the RBI (ebiz.gov.in)

Well begun is half done

The government’s efforts to improve life for Startups and investors have begun to bear fruit in tangible ways, as evidenced by the reduction in the number of companies seeking to have a Delaware entity with Indian operations. The recent leapfrog in the “Ease of Business” rankings also stands testament to this.

The Government must now seek to consolidate all these gains and clarify its stance and the stance of the tax department on long pending issues which have been a bane to all startups. While we have miles to go before we sleep, we must look back and take note of what we’ve achieved before we seek to scale greater heights.

This post has been authored by Siddarth Pai of 3one4 Capital

How GST will work for software exporters

The GST Council yesterday cleared all the bills required to implement the GST. The Finance Minister wants to kick-start it from July 1 2017. This can be easily achieved if the model laws can be enacted in the current session of Parliament. The GST is therefore set to become a reality from the second quarter of the current financial year.

GST is going to catalyze greater IT adoption. We can see the business going digital in future and a Digital India emerging.

Apart from receiving GST as a catalyst for Software product industry growth, we also need to get prepared for adopting GST ourselves. Not everyone has prepared for GST though. At iSPIRT we are starting a discussion group on GST so that the community can take advantage of shared learning. This blog is the first in a series in this effort.

A few fundamental changes in the Goods and Services Tax (GST), as it is called, are:

  • It is supply based and not sales based tax system
  • Being an indirect tax, it applies where the consumption happens
  • There are three statutes and taxes that are part of GST i.e. SGST (state GST), CGST (Center GST) and IGST (integrated GST = SGST+CGST)
  • Both state and center will get tax on goods and services supplied, unlike earlier when only the Center received the service tax
  • The GST subsumes many of the indirect taxes prevalent at present

GST will significantly change the way of doing business. Also, it is bound to greatly impact the international trade regime e.g. excise duty will merge in GST and deemed exports benefits under excise laws may come to an end. The exports aspect will impact Software exporters, irrespective of whether they are operating under SEZ, STP, EOU, EPCG or outside these export schemes. GST on imports is going to impact everyone, as in a globalized world with cloud penetration, everyone is bound to use imported goods and services.

In this blog we cover in brief the application of GST on the import and export of goods and services.

How does it impact imports?

Basic custom duty (BCD) is not covered under GST and it will remain same. There will be two components on each import to be paid i.e. Basic Duty + IGST.

IGST will subsume currently applicable countervailing duty (CVD) and additional duty of customs (SAD).

Integrated Goods and Services Tax (IGST) means tax levied under this Act on the supply of any goods/services in the course of inter State trade or commerce. IGST has two components SGST and CGST. A supply of goods/services in the course of Import into the territory of India shall also be deemed to be a supply of goods/services in the course of inter-state trade or commerce.

The levy of IGST will be payable for each transaction, as against the monthly payment in case of IGST payable on domestic interstate transactions.

The other difference in GST is about IGST computation. The IGST will be computed on the transaction value of imported goods plus duties and taxes etc. charged under any statute other than the GST Law. Hence, IGST will be applied on total landed value, basic customs duty and any other charges.

On import of services, GST will be based on the reverse charge method just as the Service tax is today i.e. IGST will apply on the reverse charge mechanism. Hence, all Software or SaaS bought online will be subject to IGST on a reverse charge basis.

But there is an input credit allowed in IGST on imports. The service provider, trader or manufacturer of imported goods/services shall be eligible to offset IGST paid on import of goods/services against his output liability. The same does not apply to BCD as BCD is not part of GST.

Although it does not apply to Software sector, the anti-dumping duties and safeguard duties will continue to be applied as they were and have not been subsumed in the IGST.

Impact on exports

Exports under GST will be Zero rated i.e. there will not be any exports duty except on items that enjoy an export duty levy currently. Software exports will be zero rated.

The biggest impact will be on units presently enjoying exemptions on inputs like service tax in SEZ. Under GST all duties and taxes will be payable at the time of a transaction when procuring input goods/service and the exporter can get refund for these after exporting. Exemptions will be replaced by refunds after exports.

This will put a lot of burden on arranging working capital for the inputs. This burden will be higher for manufacturing firms than services firms.

On being pursued by the commerce ministry, the finance ministry has, in a recent announcement, agreed to ease the refund pains. The finance ministry has agreed to refund 90% of the duties paid by exporters within a period of seven days under the Goods and Services Tax (GST) regime. If duty refunds cannot be made within seven days, the government will pay interest to exporters. However, as per the announcement, it is yet to be decided how much interest will be paid to exporters in such a scenario. (Source: livemint news item)

The remaining 10% refund will be made after verification by tax authorities.

This is a bit of relief to exporters. The compliance process will change from the present exemption-based compliance to timely filing of refund claims. The crux here is to use digital technology to automate many of these issues in GSTN.

Whereas these announcements have been made, the details will depend upon how rules are notified.

GST will undoubtedly make the efficient in long run. However, the next one year will be full of challenges and adjustments by Ministry of finance to oversee a smooth rollout.

Should you have further questions on GST, please write to [email protected]

 

 

 

Place of Effective Management (POEM) of a business

The Finance Minister had announced during Budget 2016 that the place of effective management (POEM) will determine if a company is resident in India or not. Accordingly, this was notified in the Finance Act 2016 as under.

Finance Bill

The details of what will determine the place of business rules were not decided in the Finance Act 2016. The POEM provisions were supposed to become effective from April 2017. The detailed guidelines on what rules and conditions will determine the POEM were issued by CBDT on 24 January 2017.

Ever since the announcement in 2016 there were many apprehensions on POEM, especially in SaaS companies.

In order to clear this apprehension a PolicyHacks session of iSPIRT was conducted.

The video discussion on POEM, attended by Girish Rowjee, Founder CEO of Greytip; Mrigank Tripathi, Founder CEO of Qustn Technologies; Sanjay Khan Nagra, of Khaitan and Co.; Avinash Raghava and Sudhir Singh, iSPIRT, is given below.

What does the above POEM ruling incorporated in the Finance Bill imply?

In simple terms the place of effective management in above act means a place where key management or commercial decisions that are necessary for the conduct of the business of an entity are made, in substance. This implies Indian resident status on a company will apply even when the entity is incorporated outside India, if the place of effective management is proven to be in India.

The guidelines issued on 24th January 2017 by CBDT will be used to determine if a business of a non-Indian entity or a subsidiary of an Indian entity will fall under the place of business rules or not. The guidelines can be accessed here.

POEM is an internationally recognised test for determination of residence of a company incorporated in a foreign jurisdiction.

Why has this regulation been brought in?

POEM requires Indian firms with overseas subsidiaries or foreign companies in India to pay local taxes based on where the business is effectively controlled.

The main intention of this regulation is to capture the income in shell companies incorporated outside India that are held by resident Indians with a basic intention of retaining the income outside India.

The regulation is not intended to discourage valid Indian businesses to setup an entity outside India or operate in global markets.

Does it impact Software sector?

It is very common for Indian Software companies to open an office in a foreign geography, many times as a subsidiary of the Indian company and sometimes as a new entity with mixed local and Indian management. Hence, POEM has been worrying entrepreneurs in this sector. For the SaaS segment, it is very normal to have a foreign entity, either for reasons of funding or market penetration.

As mentioned above, for a valid global business POEM will not be a hurdle. For businesses having global operations but not retaining income in foreign companies (i.e. repatriating profits to the Indian company) through the authorised route and after complying with other regulations, POEM will not be a worrying factor.

There may be a very few Software Companies, who may need to be concerned, to pass the test of POEM. Any determination of the POEM will depend upon the facts and circumstances of a given case. The POEM concept is one of substance over form. If POEM is established to be in India for businesses operating outside India, they will be taxed in India.

It is not possible to generalize the impact of POEM on the Software sector or illustrate a few use cases. Whether a business operating outside India will get classified under POEM can only be ascertained after detailed examination.

Exemption for turnover less than 50 Crore

There is good news for startups as per the Press release accessible here, it has been decided that the POEM guidelines shall not apply to companies having turnover or gross receipts of Rs. 50 crore or less in a financial year.

This was not clear before video discussion and doubts were expressed during discussion, as this rule has not been described in the guideline circular of CBDT but has been mentioned in the press release of same date from CBDT.

Hence, we can expect that the rule of less than 50 crore income shall be embedded in income tax rules to be notified later.

Other salient features

  1. The provision would be effective from 1st April 2017 and will apply to Assessment Year 2017-18 and subsequent assessment years.
  2. The Assessing Officer (AO) shall, before initiating any proceedings for holding a company incorporated outside India, on the basis of its POEM, as being resident in India, seek prior approval of the Principal Commissioner or the Commissioner, as the case may be.
  3. Further, in case the AO proposes to hold a company incorporated outside India, on the basis of its POEM, as being resident in India then any such finding shall be given by the AO after seeking prior approval of the collegium of three members consisting of the Principal Commissioners or the Commissioners, as the case may be, to be constituted by the Principal Chief Commissioner of the region concerned, in this regard. The collegium so constituted shall provide an opportunity of being heard to the company before issuing any directions in the matter.

Points 2 and 3 mentioned above will ensure that there is no arbitrary discretion exercised by Assessing Officers on the ground.

The guidelines issued, which can be accessed here, also provide examples that explain when an active business outside India will be treated as an Indian business based on POEM. These examples do not explain each and every case.

Also, the exemption of 50 Crore is given neither in the Finance Act nor in the guidelines, but is mentioned in the press release.

CBDT may therefore issue further circulars to clarify these positions.

External Commercial Borrowing norms for Startup (ECB)

What is ECB?

External commercial borrowings (ECB) imply borrowing (debt) from a foreign (non-resident) lender. ECB is an attractive financing route as it generally offers access to finance at the low rates of interest available in overseas low-interest markets.

ECBs have been in use by many corporations, PSUs and especially by MNCs setting up operations in India. Who can raise an ECB, from where and under what conditions, rate, maturity period etc. are all governed by the Reserve Bank of India (RBI) in India. Startups till now did not have access to the ECB route of funding.

RBI announcement on ECB for Startups

An announcement was made by the Reserve Bank in the Fourth Bi-monthly Monetary Policy Statement for the year 2016-17, released on October 04, 2016, permitting Startup enterprises to access loans under the ECB framework.

Sanjay Khan Nagra, iSPIRT volunteer, talks about this announcement in the video embedded below.

The RBI circular, attached here, is self-explanatory. However, for ready reference, some salient features of the RBI announcement are covered in the text given below.

What are the key announcements?

What is a Startup as per the circular?

The above circular covers Startups as defined by the Official Gazette of Government of India dated February 18, 2016 (i.e. Startup Policy of DIPP) given here.

How much can a startup borrow and in what currency?

A startup can borrow up to US$ 3 million or equivalent per financial year either in Indian rupee or any convertible foreign currency or a combination of both. In case of borrowing in INR, the non-resident lender, should mobilise INR through swaps/outright sale undertaken through an AD Category-I bank in India.

What is minimum maturity period?

Minimum average maturity period will be 3 years.

For what end-use can startups use ECB?

Usually there are end-use directions for an ECB. However, for startups under the above said circular of RBI, ECB can be used for any expenditure in connection with the business of the Startup.

What is all-in-cost of ECB?

There are no limits. The RBI circular says this shall be mutually agreed between the borrower and the lender.

In what forms can one receive the lending?

It can be in the form of loans or non-convertible, optionally convertible or partially convertible preference shares and the minimum average maturity period will be 3 years.

Can this be converted in to equity?

Yes, conversion into equity is freely permitted, subject to Regulations applicable for foreign investment in Startups.

Who can lend?

Previously, ECB regime inter alia set out various conditions for Indian companies raising loan from external borrowings including conditions relating to (i) eligible borrowers (ii) eligible lenders (iii) permitted end uses etc.

After this circular, the lender / investor shall be a resident of a country which is either a member of the Financial Action Task Force (FATF) or a member of a FATF-Style Regional Body; and shall not be from a country identified in the public statement of the FATF. (Please see the RBI Circular for details)

However, overseas branches and subsidiaries of Indian banks and overseas wholly-owned subsidiary or joint venture of an Indian company will not be considered as recognized lenders.

What are security norms?

Foreign lenders or Investors are allowed to request security for any collateral in the nature of movable, immovable, intangible assets (including patents, IP rights etc.) but shall comply with foreign direct investment norms applicable for foreign lenders holding such securities.

Issuance of corporate or personal guarantee is allowed. Guarantee issued by non-resident(s) is allowed only if such parties qualify as lender under paragraph 2(c) above. Exclusion: Issuance of guarantee, standby letter of credit, letter of undertaking or letter of comfort by Indian banks, all India Financial Institutions and NBFCs is not permitted.

For more details you are requested to refer to the RBI circular here.

 

Enablers for Defence Start-ups in India

Once upon a time, there was an Asian Dragon and an Asian Elephant, both wanting to be self-sufficient in defence technology. But they chose different paths. In Jan 2004 one went out to acquire four retired aircraft carriers for study, along with purchasing foreign aircraft carrier designs; which resulted in this Asian Dragon commissioning their first Aircraft Carrier in 2012. The Elephant, however, did not invest in any old aircraft carriers or their aircraft designs, but went on to buy out an old Russian Carrier which had to be upgraded to being sea worthy; with the refit alone costing it nearly 2 ½ times the price that was originally agreed. This Asian Elephant – India; still does not have its completely indigenously built ship, whereas the Dragon – China, is building its 2nd.

Our take – India needs to completely focus on Indigenization. India can achieve self-reliance by having control on design IPR, know-how and innovation. Establishing ‘Country Champions’ in each of the critical areas of technology for products today upgrades and future-proofs it. Since the rate of change in this area is comparatively higher, agility is critical. And, this is where engagement with the startup community will help India develop world-class products quickly.

There are four pillars around which this strategy needs to be developed-

  1. Indian Entrepreneurs must focus on Innovation & Design; and eventually prepare the business to scale globally.
  2. The Academia must encourage fundamental research in Warship Building Design and Innovation; and help build and drive models as per world class standards.
  3. Encourage Foreign Investments in Semi-Conductor Fab’s; Component Manufacturing Plants in India; ToT of Mature technologies.
  4. And most importantly, the Govt. needs to address Disabilities faced by the domestic industry and support Policies for R&D and Market Access.

The government needs to fund long-term investment in critical technology development; make existing policies more effective for R&D; reduce the Cost of Money for Industry on Interest Cost; and be open to fund risky R&D in the private and government sector. The Govt. needs to encourage all R&D / Technology Development Funds of organizations like DRDO to be used via Challenge Grants, enabling the startups to be a part of the process to solve various challenges.

Market access is a big pain point for the Startups while dealing with the Govt. The Govt. needs to encourage a level playing field by removing restrictive eligibility conditions like prior experience and turnover to allow the budding domestic Industry to compete. Onerous NCNC conditions should be removed; trials should be paid for or done post selection; and award of contract should come with strict penalties.

And finally, the government must increase the effectiveness of the “Offset Policy” by encouraging foreign OEM’s to support vendor development for discharging offsets and to appoint a Joint Secretary to address the R&D and market access issues and as well work with the industry to shape technology strategy and its implementation and help them look at the bigger picture.

With over 19,400 Tech startups serving various sectors of which 5000 have been started in 2015 alone, Startups in India are all set to reach over 1,00,000 startups, employing over 3.5 Million and creating over $500 billion in Market Value in this decade. Startups like Tonbo Imaging, Aurora Integrated Systems, Astra Microwave and many others are already helping the Government in solving the various technology problems.

With over $1.78 Trillion being spent in 2014 in Defence, America contributed $610 Billion by far ahead of rest of the world with 35% of the overall spends. The interesting factor is that Countries in Africa, Asia, Middle East and South America contributed to over 43% of Defence Spending at $765 Billion. This figure is going to keep increasing by 6-7% on an annual basis and see the Defence Spending from these countries touching over $1.10 Trillion by 2020. Of the 25 largest defence spenders in the world, 13 were from Asia and Middle East. This is where the opportunity is for India to supply to Africa, Middle East, South America and other friendly Asian Countries.

With the growing soft power of India, this opportunity is for us to leverage. Startups can play a pivotal role for India to leapfrog ahead of others in the defence industry.

Authored by Mohandas Pai & Co-Authored by Nakul Saxena

‘SaaS’ – indirect tax issues in India

It seems there is still time before the Software as a service (SaaS) blooms well in the Indian domestic market. The biggest friction points are relatively low acceptability of online model, lack of quality internet penetration in country side and the unsupportive policy framework e.g. recurring billing, expensive payment gateway solutions and confusing indirect taxation in India. Owing to these bottlenecks, many SaaS companies relocated outside India or open a branch or foreign subsidiary.

iSPIRT has been pursuing a stay-in-India check list with Govt. of India, with following three top taxation issues embedded in it:

  1. Removing confusion between ‘goods’ and ‘service’ tax on Software
  2. Not treating software sales as royalty income and do away with TDS on sale of software
  3. Start taxing online B2C sales by foreign companies

All three are relevant to the Software product Industry. However, the problem of ‘goods’ versus ‘service’ tax is an intriguing one to solve and is the subject of this article.

From a tax perspective, many get carried away with the etymology of ‘Service’ in SaaS and believe service tax is the obvious classification. However, classification under service alone can’t be the most advantageous position for the SaaS industry in a complex tax regime like India’s, which is riddled with confusions.

This article attempts to explain this confusion of goods versus service tax affecting the software product industry, where SaaS is a special case in consideration.

Explaining the confusion between Goods V/s Service tax

The Indian tax system today classifies Software in following manner:

a) Treated as goods – has a tariff code associated (ITC HS Code)

  • Pre-packaged on media or paper license or PUK
  • Pre-packaged embedded with hardware

b) Treated as a service

  • Bespoke/Customized software development
  • Everything else that is not covered in a) above (SaaS falls here)

Those covered under a) above have a tariff code (ITC/HS Code) associated with them and hence fall under ‘goods’. The pre-packaged category (i.e. the Software products) have following tariff code assigned currently.

| HS Code | Item Description |
|---|---|
| 4907 00 30 | Documents of title conveying the right to use Information Technology software |
| 4911 99 10 | Hard copy (printed) of computer software (PUK Card) |
| 8523 80 20 | Information technology software on Media |

Same pre-packaged software downloaded ‘online’ is covered under service tax and is not treated as ‘goods’. Further, the tax system does not understand other models of SaaS, PaaS etc. All other categories of Software i.e. other than mentioned in a) above are covered under service tax by default under a logic of exclusion (not having covered under the tariff code list).

There is no guarantee that if the Service tax is applied there will not be a goods tax applied. VAT is applied in many cases based on interpretation in a way leading to double taxation. Even large players like Microsoft are not able to circumvent the double taxation. Their SaaS based offering (office365 bundled with exchange and storage on cloud[1]) are taxed differently at different point of times. Sometimes just the service tax and at other times service tax + VAT. You can hear a large number of use cases like this.

According to tax authorities in the central government, the problem is solved simply by making the goods and service tax rate one. They have solved the riddle by bringing in a notification for paying only one of the two at a given time: excise duty/CVD or Service tax. But they have no remedy for states charging VAT. Whenever it is considered that the transaction implies ‘Transfer of right to use goods’ for any purpose (whether or not for a specified period) for cash, deferred payment or other valuable consideration, it is deemed to be a sale under Article 366(29A) of the Constitution of India. As a result, Software, even when defined as a service, gets caught in Article 366(29A) and VAT is applied based on how local authorities interpret a transaction.

The root cause of this confusion is that the tax regime has not given place to ‘intangibles’ at par with tangibles. As far as the tangibles trade is concerned, intangibles are treated as ‘goods’ as defined in 366(12) of the Constitution and their sale is covered by sale of goods act 1930. All that is defined as goods cannot be service by definition.

Does GST solve the puzzle?

Some people argue that these ‘good’ v/s ‘services’ tax problems will all vanish when GST is rolled out, based on the argument and assumption that the rate of tax in GST will be one.

GST is a ‘supply’ and ‘destination’ based tax system replacing the concept of manufacturing with the concept of supply of goods and supply of services. GST will also amalgamate most indirect taxes in existence at center and state. Both Center and state will have power to tax under GST for both goods and services. At present states do not have power to tax services.

One tax rate may be a necessary condition for attaining the neutrality and level playing field but not the sufficient condition.

Following are some reasons why even one rate GST is insufficient to solve the problem:

  1. GST bill does not take cognizance of the root cause of absent definition of a ‘digital good’ i.e. including ‘intangibles’ at par with tangibles
  2. The value chain of use and consumption of ‘goods’ and ‘services’ are quite different and hence will pose challenge in practice
  3. The tax structuring is not done exclusively for either the software or the digital business. Also, tax departments are prone to provide differential rates for new industry structures and business models for social needs under pressure of lobbying, and differential tax rates may emerge for some segments of the Software Industry. The needs to tax new sectors of business and new models of business all arise in bits and pieces and then rules are overlaid above the basic tax structure, thus causing the confusion.
  4. GST legislation is not clear on tax credit system in its completeness e.g. the inclusion of zero-rated supplies
  5. The Clause (29A) of Article 366 has not been deleted in the proposed constitutional amendment and would need to be deleted as this would be redundant under the new concept where sales and deemed sales will be replaced by concept of supply or it may give rise to misuse under some pretext.
  6. Any new statute has to be tested on the ground; it takes a few years to evolve and align with ground reality. GST will be no exception.

The GST bill has yet to be passed. After the GST bill is passed, the rules will be framed under CBEC, and it is expected that CBEC, to stay in its comfort zone, will like to use existing frameworks. For the Software product industry, adoption of the existing framework will not be helpful, and it is imperative on us to suggest to the government a remedy for these long-existing problems.

Proposed Solution – the need to define “Digital Goods” and “Digital Service”

To remove the root cause of the problem, a clear distinction between a “product” and “service” or “digital goods” and “digital service” is needed.

In the previous blog ‘SaaS’ – the product advantage and need we have argued that the product side in SaaS cannot be ignored. Even the service component in SaaS is about using this digital (intangible) product. Let us understand the product/goods properties that are commercially viable and legally tenable.

iSPIRT has been pursuing application of a framework, the “COG-TRIP Test”, that can be used to define Software Products as distinct from Software services. A SaaS product can be mapped to the complete COG-TRIP test. Given below is the framework of COG-TRIP.
1. Countability – no of licenses/users/subscribers
2. Ownership and Intellectual Property Rights
3. Qualification as an Intangible Good
4. Tradability: The Software Products (Goods) can be sold through different delivery modes.
5. Right of service/Right of Use
6. Identifiability
7. Production/Development Cost: All software production costs are capitalized and subsequently reported at the lower of unamortized cost or net realizable value

In the legal framework the above definition of “Product” has to be mapped to “Goods” as defined in 366(12) of the Constitution and hence there is need for the definition of “Digital Goods” at par with constitutional provision of “Goods” in article 366(12) which further is related to the Sale of Goods Act 1930. This will also cover the article 366(29A) aspects.

Gradually the world is also moving toward the above proposed scheme of overlaying the existing structure with a clear definition of ‘digital goods’ and ‘digital services’. US has a “digital goods and services fairness act” pending to be passed by congress. Australia has come up with a new digital GST.

A clear definition of ‘digital goods’ and ‘digital services’ provides not only ease of doing business but also a level playing field against foreign companies under the new business models emerging every day.

Concluding notes – Looking for a long term solution

In a previous blog on ‘SaaS’ – the product advantage and need we have made a case for the SaaS industry to be a formidable part of the Indian Software product industry (iSPI). For the SaaS Industry, the advantage is in favour of getting defined under the product (digital goods) category as an industry. This also infers that SaaS itself is a “Product” that provides a service to businesses or consumers who may actually fall in any industry vertical.

The tax is applicable on a transaction and does not get defined based on sector or industry. Once SaaS is recognized as Product (intangible goods) the next issue to be solved is asking for one single clear tax on a transaction be it “goods” or “services” based on the transaction.

Hence three basic requirements for SaaS segment to get a boost are:

  1. SaaS is identified as a product or digital good
  2. There is clear definition of digital goods v/s digital services in tax regime
  3. There is one single and clear tax on one transaction

Tax and trade are closely related in the promotion of an industry and we hope these concerns will be addressed by the Indian government in the near future. SaaS can become a segment that can bring India pride and has the possibility of the next Google emerging from India.


Footnotes

[1] Consider a real-life use case. I am running an office365 email service, procured through an Indian partner of Microsoft, and I pay service tax on the subscription. I went ahead and placed an order for a new office365 (same service) for a different domain directly from Microsoft online; the invoice charges me 14.5% service tax as well as 5% VAT. I tried to get a quote from another partner of Microsoft and again I got a quotation for 14.5% service tax and 5% VAT. In the first case I am buying from a partner of Microsoft who is a hosting provider. In the second case the partner is a usual Microsoft partner selling their products or services.

Now consider buying office365 (office 2016 1 year subscription) for desktop licenses and there is CVD + VAT, even when it is a mix of offering both Product and Service for online storage and fully installed office pack.

The use case mentioned above is of the office365 business essential plan, which has all the components built in: Exchange online, access to MS Office products online only, online storage etc. It actually carries many examples: MS Office 2016 offered in a SaaS model, Exchange offered as an email service and Storage offered as a service.

Disclaimer: The above example is based on real life personal experience of the writer and has nothing to do with iSPIRT.

Lipstick on a pig

It’s to the credit of policymakers that they have steadfastly refused to kiss this pig called ‘software patents’, despite it being dressed up in the lipstick of ‘innovation’.

“Lipstick on a pig” is a popular Americanism for making superficial or cosmetic changes that disguise the true nature of a product. The pig in question is the regime of software patents being advocated by some multinational corporations (MNCs) and their highly paid lawyers, while the lipstick is the much abused term—“innovation”.

Ever since the Indian Patent Office (IPO) issued the revised Computer Related Inventions Guidelines, a host of MNCs has been busy trying to lobby the Indian government to overturn these guidelines. At stake is India’s future in the digital age.

Patents are a state-granted monopoly on an invention, for a limited period of time. Those who have been granted these monopolies then get the right to prevent others from using the ideas and methods they have patented. Software developers, and researchers who study innovation, contend that the US, which has the most permissive patenting system in the world, made a huge mistake by bringing software under the ambit of patentability.

James Bessen and Michael Meurer, two Boston University professors, found that almost 38% of all patent litigation in the US is around software. In their book, Patent Failure: How Judges, Bureaucrats, and Lawyers Put Innovators at Risk, the authors explain how software falls within the realm of abstract ideas, and that it is impossible to draw boundaries around abstract ideas.

For example, if a property developer is planning to build a skyscraper on a piece of land, he can do a title search and find out the boundaries to the east, west, north and south of that piece of land. A clear title enables the developer to invest money with peace of mind. However, software being an abstract field, even law-abiding software developers cannot do a conclusive patent search in the areas they are working on, which increases the risk of software development in countries that allow software patents.

The US patent system has come to such a pass that even a respected inventor like Andy Grove of Intel was compelled to say, “The patent product brings financial derivatives to mind. Derivatives have a complex relationship with an underlying asset. While there’s nothing wrong with them in principle, their unfettered use has damaged the financial services industry and possibly the entire economy.” This was right after the financial crisis in 2008 that was caused by housing derivatives.

How did the US patent system go so wrong that one of its most venerated inventors became one of its harshest critics? In their book, Innovation and Its Discontents: How Our Broken Patent System is Endangering Innovation and Progress, and What to Do About It, two Harvard University professors Adam B. Jaffe and Josh Lerner explain how the 1980s were a time of great concern about US “competitiveness”, as well as a general movement to shrink government and make it more efficient. The government responded to these concerns by making the United States Patent and Trademark Office (USPTO) run more like a business, so that its processes would become easier for inventors. The effect was that patent seekers turned into “clients” and not applicants at USPTO. The authors add that USPTO (much like IPO) has been chronically strained for resources, with patent examiners often having just a dozen hours to assess a patent application.

As a result, the number of patents granted in the US has reached 326,000 in 2015, up from 66,170 in 1980. The flood of poor quality patents in the US has led to a surge in lawsuits, and the rise of patent trolls—organizations that make nothing, and whose sole business is to acquire patents and use them to extract royalty payments from unsuspecting users.

Under the Patent Cooperation Treaty, if India allows software patents, it will have to give priority to the existing patents that have been filed in other countries. Bessen and Meurer estimate that there are around 4,000 patents on e-commerce and around 11,000 patents on online shopping in the US. If these patents are granted in India, MNCs will have the right to exclude Indian companies from using their claimed inventions. This will slow down the pace of innovation, and nip India’s growing software product ecosystem in the bud.

It is to the credit of Indian policymakers that they have steadfastly refused to kiss this pig called “software patents”, despite it being dressed up in the lipstick of “innovation”. This gives Indian software developers the freedom to innovate without worrying about patent lawsuits.

‘SaaS’ – the product advantage and need

India has all the potential to lead the world in the SaaS segment, yet the largest number of SaaS companies relocate out of India, for want of ease-of-doing-business. SaaS is one of the major blocks in the emerging Software product Industry of India and it needs urgent attention in this digital economy age.

Whether SaaS is a product or service is often debated.

From the perspective of integration of SaaS into the overall policy frame work of the country, it is crucial for us to understand the dynamics of the SaaS business.

This is the first in a series of blogs to understand the dynamics of SaaS as a sub-sector within the Software Product Industry. The idea of this blog is not to prove that SaaS is not a service, but to emphasize that it closely relates to the Software Product Industry, and is distinct from the custom built, project/program run or SLA based IT/ITES services Industry. Further, there is a need to include it as a part of the Indian Software Product Industry (iSPI) in order to be in an advantageous position both to promote the SaaS business and to develop an eco-system that is synergistic to all segments of the Software Product Industry.

SaaS has both a product and a service component. The product precedes the service. The service is not just the access but also the elements of all that goes into providing service to a consumer. Whereas customer satisfaction is focal to the service component, the attractively featured product, stability, cutting edge technology, speed and security are focal to the product side. The product needs continuous investment and development. Product is the flesh and blood of the SaaS business body, and the body needs the air of service to breathe and run. The interplay between the product and the service component of a SaaS offering is important for success.

SaaS – Product advantage side

SaaS as a product or a service is a border line debate. Here are some important pointers to why SaaS has more weight to be classified as a product than a service:

  1. Software-as-a-Service is an online access or delivery model, thus offering a different business model. In most situations, the same Software (with same features) product can also be sold in a Pre-packaged form, delivered and used in an on-premises model.

A software in any form (on media, downloaded online, on premises or accessed online over Intranet or Internet) provides a service to a user but the software itself is a “product” or an “intangible good”. There is no doubt that SaaS is also a pre-packaged software. The distinction is in the delivery model and the business model.

Hence, all three forms i.e. the Pre-packaged software sold on a media, downloaded online and SaaS model possess the properties of ‘digital/intangible goods’. The other models of channel sales and distribution e.g. EULA, paper license and self-generated access PINs, all can apply to any of these three forms.

  2. SaaS is subject to the same IP law and IP right issues as the non-SaaS product is.
  3. SaaS is mostly sold in an MRP format, the price-quantity relation is very clearly defined. MRP is a concept clearly applicable to supply of goods, produced.
  4. The condition ‘license for use’ can be a condition for a service but for a product the license is for “right to use” and as soon as the license is sold to the customer, for a consideration the “right to use” is transferred for the specified period of time. Thus, implying a condition of transfer of “right to use”.
  5. Trade is the most important aspect: Many people assume SaaS means a direct B2C relationship between the SaaS Product Company and the end users. No SaaS company can become global unless it focuses on the ‘trade’ aspect of the business.

Even direct B2C has to incorporate trade as an important attribute. Microsoft, when it sells the office365 hosted product, is a SaaS company that is trading a bundle of products and integrated services through its channel partners. Scale can be attained only when a SaaS producer takes with him a strong ecosystem of trading partners.

When trade has to be activated as an important attribute of a successful SaaS business, the transfer of ‘right to use’ or trade of ‘right to use’ becomes inevitable. Being a product company carries a built in message to channel partners for trade.

What is traded is the features of the product, the ‘goods’ that you sell, and the ‘service’ component gets activated only when the end-user interfaces. B2C can either convert into a B2B2C or B2nb>c.

  6. The Software Products of the modern age may be a combination of complex scientific or commercial applications with a mix of data, voice, video, images, texts, document files.

A combination of one can produce another. SaaS therefore, cannot be limited to the strict periphery of a ‘computer program’ or ‘information technology software’ but graduate to be a ‘digital good’ that forms the basis of a ‘digital economy’.

  7. Considerable capital is invested in R&D, product development and product improvisations on a continual basis in any SaaS based product. Differentiation is achieved on the product side by bundling differential features. Differentiation on the service side is also incidental to the robustness, user friendliness, ease of use, security and, most importantly, the quality of the product itself.

Hence, even when the service side is so important to the SaaS business, the Q-o-S itself depends heavily on the quality of the SaaS Product.

The Software Product and SaaS Industry in India

The global Software Product Industry is estimated to reach $1.2 trillion by 2025. The Indian Software product industry today is about 5% of the total exports. The total revenue of software product industry in India is $6.1 billion today. Indian Software Product Industry by conservative 10% estimate will be $100+ billion by 2025.

According to the Google-Accel Report, the SaaS business in India is about $600+ million and will be $10 billion by 2025, which makes it 1% of the entire Software product estimates.

IDC has a higher forecast which says, by 2018, 27.8% of the worldwide enterprise applications market will be SaaS-based, generating $50.8 billion where SaaS revenue is forecast to grow at 17.6% CAGR. 27.8% translates to approximately one third of worldwide enterprise applications market.

If a combination of all these numbers is to be believed, the global SaaS market in 2025 at a CAGR of 17.5% will be $157 Billion. If the share of SaaS (27.8% of global enterprise app market) comes true and is retained, the SaaS business in 2025 will be much higher than $157 Billion.

The domestic market in India is not strong enough. Most SaaS players are presently targeting the matured global markets with matured online acceptance and internet penetration. Online acceptance in India is also on the rise, and the rising e-commerce industry speaks volumes about it.

The Domestic market is going to get further strengthened due to various factors in coming times. “Digital India” will increase internet penetration as well as improved bandwidth accessible to consumers. A drive for cashless economy will push large number of SMEs. “India Stack” will enable large number of SaaS products. Government buying will increase in SaaS space with acceptability of cloud and opex business models.

In view of the above, India can certainly aspire to much more than $10 billion by 2025. India will need to harness its prowess to aim at 15% of the global SaaS market and hence aspire to cross the $20 billion mark by 2025, which is double the figure in the Google-Accel report, which seems to focus on just the SMB market.

Pursuing the Policy for Software Products

The above mentioned targets require a serious look at the country level “strategy” and developing a complete eco-system that can help the SaaS industry boom in India.

This requires consolidating Software product as an Industry with SaaS as an important vertical block and accordingly a need for following:

  1. Focused policy by Govt. of India
  2. Aligned trade and tax regimes
  3. Participative Industry action by various agencies on ground

iSPIRT has been following action at various levels on all of the above.

The National policy frameworks provide recognition to an Industry sector or sub-sector as well as provide a strategic frame work for growth of this Industry. There are two major Industrial policy frameworks.

  1. The IT Policy is primarily catering to the IT Services industry and has mixed agenda.
  2. National Policy for Electronic (hardware). The focus of this policy is to promote electronic products.

There is no national level policy focused on Software products.

To further this objective, iSPIRT is pursuing a National Policy for Software Products (NPSP). SaaS naturally forms a part of this proposed NPSP within the realm of the Software products industry. Included in these plans are the trade and tax specific issues taken up with Govt. of India, on reforming these regimes and making them futuristic, to compete in world trade and to ease doing business in India.

One of the results of this active follow up on Govt. policy has been the Startup policy. SaaS has one of the biggest tractions in the Software Product startup space. SaaS startup is closest to the Software product startup in terms of issues and challenges faced.

Conclusion note

Both the product and the service side of SaaS cannot be ignored. Even the service component in SaaS is about using this digital (intangible) product. Both the product and the service it provides are intangible, just as with any other enterprise on-premises software product. Yet, product is the overwhelming part, right from the stage when SaaS is conceived.

The issues of product development, funding, marketing, trade and taxation are all common to the Software Product Industry.

In view of the above, it is advantageous for the SaaS Industry to position itself as a product-based service providing industry. This will help build an integrative Software Product industry of India, which can develop global products in all segments: enterprise, on premises, mobile apps, cloud and SaaS based, even as we keep progressing towards building SaaS as a new generation Industry.

SaaS will be the segment to reckon with as India emerges into a Software Product Nation in next decade.

References

[1] Google Accel Report – SaaS India, Global SMB Market, $50B in 2025 Public Version 1.1 – 7 March 2016. http://www.slideshare.net/AccelIndiaVC/google-accel-report-saasinindia-public-version-11-7-march-2016.

[2] IDC report reference. http://www.forbes.com/sites/louiscolumbus/2014/12/20/idc-predicts-saas-enterprise-applications-will-be-a-50-8b-market-by-2018/#1de5d71295ae

[3] Startup India. http://startupindia.gov.in/

The Dark Secret of India’s Start-up Boom

The Modi Government has made bold moves on the world stage. It’s now time to make one at home!

By Mohandas Pai & Sharad Sharma

New-age startups are making waves. Flipkart has redefined retail. Ola is changing how we travel by taxis. PayTm is at the threshold of disrupting banks. Forus Health is attacking blindness with gusto. Eko is bringing financial inclusion to millions. Team Indus is on its way to land a rover on the moon. Nowfloats is bringing lakhs of businesses online. Pick any sector, even agriculture, and you’ll find a new-age startup gamely trying to bring about change.

These new-age startups are not like our traditional small businesses. They are peculiar in many respects. For one, they don’t play safe. They take on incumbents that are many times their size. They seek out David versus Goliath battles. They have a ‘panga’ mindset where our traditional small businessman was all about ‘dhanda’. This craziness in their DNA makes them wonderful change agents. No wonder, these new startups are transforming India from within.

We are blessed to have these new-age startups. It turns out that this new species of small businesses thrives only in a few places in the world. The most famous locale is, of course, Silicon Valley. Europe, unfortunately, is a veritable desert. South America has only Chile as a small oasis. Asia, however, looks really promising. Israel became a startup hub first, then China and now India. We are now the third largest startup ecosystem in the world.

But there is something dark about India’s startup boom. Six of the eight Unicorns have domiciled themselves outside India, in Singapore or the US. In 2014, 54% of all new-age startups raising money chose to domicile outside India. Last year this number grew. It is estimated to have crossed 75%! This points to a big problem.

You might wonder why it matters where Flipkart is domiciled. For starters, when Flipkart has its IPO, Indian citizens won’t get a chance to participate in it. Worse, the intellectual property of these redomiciled companies moves to their new home. But the worst is that the money that the founders and investors make at the time of an IPO or an M&A goes to their foreign bank accounts and tends to stay there. It stymies the creation of a Rupee risk-capital system in India. It makes our startups almost fully dependent on foreign capital, leaving most of them starved and under-capitalized in their early years.

Startup India is an opportunity to stop the exodus. It turns out that only 34 issues, across Ministry of Finance, RBI, Ministry of Corporate Affairs and Ministry of Commerce, need to be tackled. Work has been underway on them since 23rd Oct and 60% of the issues seem to be on their way to a resolution. But this 60% fix is a recipe for failure. Unless all the 34 items are resolved, the exodus will not abate. Just one friction point is enough to send the startup to Singapore, where a welcome band awaits.

Anything that we do in Startup India without addressing the issues on the Stay-in-India Checklist is a gift to Singapore. The Modi Government has made bold moves on the world stage. It’s now time to make one at home!

Mohandas Pai was the CFO and then the head of HR at Infosys. He is now Chairman, Aarin Capital Partners.

Sharad Sharma was the CEO of Yahoo India R&D. He is a co-founder of iSPIRT, a non-profit think tank that wants India to be a product nation.