iSPIRT works to transform India into a hub for new generation software products, by addressing crucial government policy, creating market catalysts and growing the maturity of product entrepreneurs. Welcome to the Official Insights!
Shri Rajiv Kumar, Joint Secretary in charge of the National Policy on Software Products (NPSP 2019), and Senior Director Dr. A K Garg met founders and leaders of 20 SaaS companies in Chennai on 13th March 2019. At the meeting it was discussed that the NPSP, announced by the Government of India on 28th February, will soon create a National Software Product Registry, where SaaS companies can register and have access to the GEM portal. Also, the procurement process will be suitably amended to allow Govt. departments to procure and use SaaS products. The ‘National Software Product Mission (NSPM)’ envisaged in the policy will be set up at the Ministry of Electronics and IT (MeitY).
The Government has launched NPSP 2019 to focus on the Software product ecosystem. iSPIRT has been advocating the cause of the SaaS segment in Software products and its importance for India to remain a force to reckon with in Software in the next 25 years.
The event was a golden opportunity for SaaS company founders and leaders to provide feedback to the senior officials from Delhi and to understand their vision for making India a Software product power. Twenty SaaS companies were represented at the event.
Speaking on behalf of SaaS founders, Suresh Sambandam, Founder and CEO of OrangeScape, said, “Global landscape has changed very fast driven by new technology. We have a 2 trillion Dollar opportunity for SaaS industry. If we get our act right, India can aspire to remain in global game in Software Industry.”
The roundtable was organised by iSPIRT Foundation to give officials direct interaction with the SaaS industry and an understanding of its issues, problems and opportunities, to enable the Government to carve out further schemes/programs under NPSP 2019.
The amendment made by way of the Aadhaar and Other Laws (Amendment) Bill, 2018 to the Prevention of Money Laundering Act, 2002 gives true effect to the intention of the Hon’ble Supreme Court as set out in their judgment of September 2018.
It is clear from the judgment that the objective was to empower the individual and allow for the resident to be able to uniquely identify herself to avail of every service of her choice while ensuring that there are adequate protections for such use under the force of law.
Aadhaar Act Amendment
This is clearly set out in the now amended Section 4(3) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) as follows:
Section 4(3) – Every Aadhaar number holder to establish his identity, may voluntarily use his Aadhaar number in physical or electronic form by way of authentication or offline verification, or in such other form as may be notified, in such manner as may be specified by regulations.
Explanation-For the purposes of this Section, voluntary use of the Aadhaar number by way of authentication means the use of such Aadhaar number only with the informed consent of the Aadhaar number holder.
And further in Section 4(4)-
An entity may be allowed to perform authentication if the Authority is satisfied that the requesting entity is-
Compliant with such standards of privacy and security as may be specified by regulations; and
(i) permitted to offer authentication services under the provisions of any other law made by Parliament; or
(ii) seeking authentication for such purpose, as the Central Government in consultation with the Authority and in the interest of the State may prescribe.
With the above amended provisions, it is clarified that (a) the objective is to ensure that the Aadhaar number holder is empowered to establish her identity voluntarily with informed consent, and (b) entities that may be permitted to offer authentication services will do so pursuant to a law made by Parliament or by way of Central Government direction in consultation with the UIDAI and in the interest of the State.
The amendment to the Prevention of Money Laundering Act, 2002 (the “PMLA”) seeks to give clear direction to the above-enunciated ideas.
The newly inserted Section 11A of the PMLA provides for the manner in which a Reporting Entity may verify the identity of its clients and beneficial owner (conduct KYC). This is by way of offline verification of Aadhaar or, where the Reporting Entity is a banking company, online verification of Aadhaar.
However, it is further clarified (in tandem with the aforesaid amendments to the Aadhaar Act) that upon satisfaction of standards of privacy and security, the Central Government may, in consultation with the UIDAI and the appropriate regulator, provide for online authentication for Reporting Entities other than banking companies.
And it is further explicitly clarified that in the scenarios contemplated in this provision, nobody will be denied services for not having an Aadhaar number, i.e., the presence of an Aadhaar number is not mandatory but purely enables and eases the availing of services.
As next steps on this front, distinct Reporting Entities, including NBFCs, Mutual Fund Houses and other financial institutions need to approach the Central Government with requests for access to online Aadhaar authentication services.
Organisations such as DICE would be useful in mobilising groups of different financial institutions in approaching the relevant regulators and Central Government authorities for Aadhaar authentication access.
Saranya Gopinath is the co-founder of DICE (Digital India Collective for Empowerment)- an industry body representation across emerging technology sectors.
It is a moment of delight at iSPIRT to see Govt. of India setting its focus on “Software Product”, with the announcement of National Policy on Software Products by government of India on 28th February 2019. The policy framed by Ministry of Electronics and Information Technology (MeitY) is aimed to sustain India as a global power in Software industry in emerging technological changes impacting the industry.
A link to PDF document of the NPSP 2019 is given here on MeitY website. https://meity.gov.in/writereaddata/files/national_policy_on_software_products-2019.pdf
iSPIRT held a discussion on NPSP 2019 on 2nd March 2019 with Dr. A. K. Garg, Director MeitY, and iSPIRT volunteers Shoaib Ahmed, Amit Ranjan, Nakul Saxena and Sudhir Singh. A video of the discussion is placed below.
Given below is the transcript of the main part of the discussion. (We have tried our best to capture it, but it is not a verbatim transcript; it records what each participant said in essence.) It is advised to watch and listen to the video.
Sudhir Singh started the discussion and invited Dr. A.K. Garg to give an overview on the policy.
Dr. A.K. Garg – The policy gives a holistic look and a single window opportunity. Issues involved with HS Code. Three-tier effort of building a talent pool. First, apprising students at school level that there is a difference between product and services. Second, a dedicated pool of developers dedicated to products. Third, developing a pool of people who can be mentors.
The other aspect we have looked at is how we provide dedicated market access to the product space. Unless and until there is a dedicated and early market access, we cannot create opportunities. We have not looked at graduating this from services industry to product industry, but we are looking at a completely new set of eco-system that will be created around the product space; that is one thing which is very important and a hallmark of this policy.
Sudhir – In the Strategy section 1 that deals with ‘Promoting Software Products Business Ecosystem’, creating a ‘Product registry’ was an important aspect that can be further utilised to create incentives, schemes and programs.
Amit Ranjan – What cannot be measured cannot be improved; going further on the line, what cannot be defined cannot be measured. The government is taking a proactive view of first defining what is a Product, and then a logical breakdown of that is building the registry, building the classification and codification system. So at least the system recognizes the different dimensions and different players in the industry, and then once you have a clear understanding of it, then you know you can tailor policy and you can do specific things for specific parts, and creating this registry will lead to mapping the industry and thereafter many things could emerge out of the system.
Nakul Saxena – One of the main objectives of iSPIRT was to create a special focus on Software products and thanks to people like Mr Garg and Secty MeitY and the Minister that we finally got this out. The HS code creation can help product companies to get preferential inclusion in Government procurements and Software products being included in many of the international agreements, especially where Govt of India gives grant to developing countries.
Shoaib Ahmed – Is the definition of Software product clear? (Referring to the early phase of development of the policy, when there was a lot of debate on this part.)
Nakul – The definition of a Software product company is that the company needs to be owned 51% by an Indian origin person and IP should reside in India.
Dr. Garg – A lot of thinking has gone into Software product and Software product company. The first and foremost thing is that it is a very dynamic world, and what we have taken is an approach where the Software product definition can adjust to changing dynamics. Initially we thought we will not keep any definition, but ultimately we had to, with pressure of various stakeholders.
Sudhir – requested Nakul to take up the second Strategy section on Promoting Entrepreneurship & Innovation.
Nakul – One of the important features of the Policy is that Govt. and MeitY will be putting together 20 Grant Challenges to solve for specific eco-system problems in education, agriculture and healthcare. He mentioned that Secretary has asked to quickly start working on the Grant Challenges.
Dr. Garg – Can we crowdsource ideas using iSPIRT and the Policy Hacks platform?
Nakul – Yes, we can. This is a welcome idea and suggested we can have Policy Hacks session to structure discussions and then invite ideas.
Dr. Garg – (further spoke on skilling) for skill development to suit product space, one has to think product and live with it. We have to think through a program that can create a pool of 10 to 15 thousand product professionals who understand product eco-system can help innovation and creation of new ideas and or mentor product companies. And that will be the most important dimension for creating a product eco-system.
Shoaib – I think that is a wonderful point and a very important point, beyond the technology and is a combination of skills with one being important is understanding of product market and development of these skills is important.
Amit – The way to think about it is that we have to catch people when they are young, and I actually see this play out a lot of times when students are in their secondary education, when they are doing their class 10th or 12th; if you are able to educate them at this stage then it takes very early root in their mind. Product system is all about being experimental and all about failing, then retrying and then improving via every attempt. We should educate them about what is a Product and how it is different from Services. We do not have a lot of Product success stories from India. But educate them, and then skill building comes at the secondary stage.
Dr. Garg – We do not have to replicate the Silicon Valley model and that will never work. We have to think of an India-specific solution that will work.
Shoaib – We need to create an India eco-system, there are a few success stories which we have in India, we need not copy but which need to be understood.
Sudhir – There are two more points covered in this section of Strategy. One is on common upgradable infrastructure to be created to support startups and software product designers to identify and plug cyber vulnerability. The second is that a Centre of Excellence will be set up to promote design and development of software products.
Dr. Garg – the first market in Cyber Security is Govt. So creating a single repository of various Indian Cyber products will help. The other thing could be understanding Indian cyber problems and through Challenge grant on some of these problems.
Sudhir – Let us take up the Strategy section on improving access to market. Requested Nakul to start.
Nakul – For Indian Companies to start growing and start scaling, it is important to get some anchor customers. The policy has taken care of this aspect for Product companies to get access to anchor customers and then compete within domestic and international markets. But the product entrepreneurs also have to be aware of how to deal with Govt. RFP.
Dr. Garg – So the first two anchor customers are important. In Govt. space we are working on GeM to provide an interface to Indian Software product. But we need to think how these product companies tie up with System Integration Companies and their interests are not compromised by SIs. Second thing is awareness building in various Govt. agencies. A young entrepreneur may not be able to get to the right stakeholder; how does he get this access is what we need to think through. We will be very happy to get your views on creating access to first market.
Amit – This is a very important point, especially in the context of SaaS companies; there is an unwritten rule that the Indian domestic market is not big enough or does not pay enough to sustain many of the SaaS startups. And that is why many VCs are suggesting that you can build a SaaS Company out of India, but that is essentially for engineering and product design, while for the market itself you will have to go overseas. Development of the Indian domestic market is extremely important. One of the factors which will play a role there is kind of graduating these startups up the Quality ladder as well. The buyer will look for the best product in the market at the best price. By focusing on Quality, they can compete with foreign companies. It is very important to break this negative feeling in the eco-system that if you are SaaS you cannot sell in India, you have to go out.
Shoaib – My point is about Quality software and creating an eco-system. Selling Software, servicing Software and managing Software is a completely different eco-system. Making sure that policy supports that and recognizes it is the first step. I think we have started with that and I am happy to spend more time to contribute on what it takes to do this.
Dr. Garg – If you have Quality and you do not have a brand, it is a challenge.
Sudhir – This section of the Policy again mentions creating a Software product registry and connecting this with GeM for government product.
Sudhir – Let us move on to the last strategy section on implementation. I remember that the ‘National Software Product Mission’ (NSPM) was proposed by iSPIRT into the policy. NSPM can play a vital role as it can become an umbrella cover. Using this it may be possible to create many schemes and programs. For example, we have a formidable SaaS industry and it may be possible to quickly create a SaaS product registry and use GeM to get access to Government. Once the registry is created, maybe Govt. can also issue an advisory to state Governments to adopt products from this registry.
Dr. Garg – One of the important things is we have to educate the people, and secondly, we have to educate the people on procurement model. Most of the time procurement models are one-time purchase, whereas in a SaaS you have to budget every quarter or every month or it will be pay per use also. Which is a very difficult proposition in Govt. to be approved.
One of the things that comes to my mind is that the entry barrier has to be made easier, e.g. there is a lot of activity around e-commerce. Now Govt. is actively going to promote product. The e-commerce system is far more developed, it has lower gestation. You can find a few companies having valuations of a Billion dollars, but that is not true of Product startups. So, we need to see how we make the entry barrier lower for entrepreneurs of product companies, otherwise human nature is to go by the path of least resistance. Product takes much longer to build, the gestations are much longer, risks are much higher.
Shoaib – The challenge is to get role models going, to showcase this. Education is something we have been talking about from two dimensions: one is the entrepreneur, second is the Indian SME customer or the Indian customer.
The participants deliberated further on the importance of early implementation of NSPM, working on various sections of the Policy and providing active support from iSPIRT. The discussion was closed with final remarks from the participants. (Please listen to/watch the video for further details on the final deliberations.)
The main salient features of this policy, for the benefit of users, are as follows:
The vision is to make India a Software product leader in the world.
In its mission, it aims at a ten-fold increase in India’s share of the Global Software product market by 2025, by nurturing 10,000 technology startups, upskilling 1,000,000 IT professionals and setting up 20 sectoral technology clusters.
The policy has 5 Strategies to implement the policy.
Strategy area 1 intends to create a congenial environment for Software product business.
An important feature of the policy is creation of a Software product registry of India that can facilitate implementation of schemes and programs in future, and creation of a HS Code category for Software products.
To boost entrepreneurship, it intends to create a Software Product Development Fund (SPDF) with 1000 Crore contributed by the ministry in a fund of funds format, the remainder coming from private sources.
20 dedicated challenge grants to solve societal challenges.
Readying a talent pool of 10,000 committed software product leaders
Improving access to domestic market for Software product companies and boost international trade for Indian Software products.
Lastly, setting up of a “National Software Product Mission (NSPM)” to be housed in MeitY, under a Joint Secretary, with participation from Government, Academia and Industry. NSPM will further drive implementation of the policy and be able to craft schemes and programs for the said purpose.
An important part, announcing the scheme, has been done. This now has to be leveraged to create momentum in Software product. iSPIRT is committed to seeing the further development of India as a Product Nation.
This is an exciting occasion for our indigenous software industry as India’s National Policy on Software Product gets rolled out. This policy offers the perfect framework to bring together the industry, academia and the government to help realise the vision of India as a dominant player in the global software product market.
For ease of reference, let us summarise some of the major things that the policy focuses on:
Single Window Platform to facilitate issues of the software companies
specific tax regime for software products by distinguishing them from software services via HS code
enabling Indian software product companies to set off tax against R&D credits on the accrual basis
creation of a Software Product Development fund of INR 5000 crores to invest in Indian software product companies
grant in aid of INR 500 Crores to support research and innovation on software products
encouragement to innovation via 20 Grant Challenges focusing on Education, Healthcare & Agriculture thus further enabling software products to solve societal challenges
enabling participation of Indian software companies in the govt. e-marketplace to improve access to opportunities in the domestic market
developing a framework for Indian software product companies in government procurement.
special focus on Indian software product companies in international trade development programmes
encouraging software product development across a wide set of industries by developing software product clusters around existing industry concentrations such as in automobile, manufacturing, textiles etc.
nurturing the software product start-up ecosystem
building a sustainable talent pipeline through skilling and training programmes
encouraging entrepreneurship and employment generation in tier II cities
creating governing bodies and raising funds to enable scaling of native software product companies.
There is good cause for cheer here. The policy offers to address many of the needs of the Software Product Ecosystem. For the first time, HS codes or Harmonised Codes will be assigned to Indian software product companies that will facilitate a clear distinction from ‘Software Services’ facilitating availing of any benefits accruing under the ‘Make in India’ programme. In addition, this will enable Indian software product companies to participate in govt contracts through registration on GeM (Govt. eMarketplace).
Considering that we remain a net importer of software products at present, steps such as the inclusion of Indian software products in foreign aid programmes, setting up of specialised software product incubators in other geographies and promoting our software product capabilities through international exhibitions definitely show intent in the right direction. With a commitment to develop 10000 software product start-ups, with 1000 of them in tier II cities, technology entrepreneurs building IP driven product companies can now look forward to infrastructural and funding support. The policy also aims to go beyond metro-centric development with a commitment to develop tech clusters around existing industry concentrations, enable skilling and drive employment in non-metros and tier II cities while actively encouraging Indian software companies to solve native problems.
This policy could not have been possible without the vision of the Honourable Minister Shri Ravi Shankar Prasad, and continuous engagement and discussions with Shri Ajay Prakash Sawhney, Rajeev Kumar and Ajai Kumar Garg from MEITY and their team.
We have seen software companies solving native problems do exceptionally well, just look at what Paytm has been able to achieve while driving digital payments in India. There is now an understanding ‘Make in India’ can help us bridge the digital divide given that Indian entrepreneurs have a greater understanding of local issues and the challenges that are unique to us.
Setting up bodies such as the National Software Products Mission in a tripartite arrangement with the industry, academia and govt. to enable creation and monitoring of schemes beneficial to native software product companies is another much-needed step that will create a forum distinct to our software product companies and help give them a strong voice.
We would like to thank Lalitesh Katragadda, Vishnu Dusad, Sharad Sharma, Rishikesha T Krishnan, Bharat Goenka, T.V. Mohandas Pai, Arvind Gupta for their diligent efforts on the continuous dialogue and inputs for the policy.
While launching the policy is a great start, its implementation is what we all will have our eyes on. Now is the moment of action. We all look forward to fast-tracking of the various proposed measures under this policy for the benefits to start showing!
Last week we wrote about India’s Health Leapfrog and the role of Health Stack in enabling that (you can read it here). Today, we talk about one component of the National Health Stack – Federated Personal Health Records: its design, the role of policy and potential use cases.
A federated personal health record refers to an individual’s ability to access and share her longitudinal health history without centralised storage of data. This means that if she has visited different healthcare providers in the past (which is often the case in a real life scenario), she should be able to fetch her records from all these sources, view them and present them when and where needed. Today, this objective is achieved by a paper-based ‘patient file’ which is used when seeking healthcare. However, with increasing adoption of digital infrastructure in the healthcare ecosystem, it should now be possible to do the same electronically. This has many benefits – patients need not remember to carry their files, hospitals can better manage patient data using IT systems, patients can seek remote consultations with complete information, insurance claims can be settled faster, and so on. This post is an attempt to look at the factors that would help make this a reality.
What does it take?
There are fundamentally three steps involved in making a PHR happen:
Capture of information – Even though a large part of health data remains in paper format, records such as diagnostic reports are often generated digitally. Moreover, hospitals have started adopting EMR systems to generate and store clinical records such as discharge summaries electronically. These can act as starting points to build a PHR.
Flow of information- In order to make information flow between different entities, it is important to have the right technical and regulatory framework. On the regulatory front, the Personal Data Protection Bill which was published by MeitY in August last year clearly classifies health records as sensitive personal data, allows individuals to have control over their data, and establishes the right to data portability. On the technical front, the Data Empowerment and Protection Architecture allows individuals to access and share their data using electronic consent and data access fiduciaries. (We are working closely with the National Cancer Grid to pilot this effort in the healthcare domain. A detailed approach along with the technical standards can be found here.)
Use of information – With the technical and regulatory frameworks in place, we are now looking to understand use cases of a PHR. Indeed, a technology becomes meaningless without a true application of it! Especially in the case of PHR, the “build it and they will come” approach has not worked in the past. The world is replete with technology pilots that don’t translate into good health outcomes. We, in iSPIRT, don’t want to go down this path. Our view is that only pilots that emerge from a clear focus on human-centred design thinking have a chance of success.
Use cases of Personal Health Records
Clinical Decision Making
Description: Patient health records are primarily used by doctors to improve quality of care. Information about past history, prior conditions, diagnoses and medications can significantly alter the treatment prescribed by a medical professional. Today, this information is captured from any paper records that a patient might carry (which are often not complete), with an over-reliance on oral histories – electronic health records can ensure decisions about a patient’s health are made based on complete information. This can prove to be especially beneficial in emergency cases and systemic illnesses.
Problem: The current fee-for-service model of healthcare delivery does not tie patient outcomes to care delivery. Therefore, in the absence of healthcare professionals being penalised for incorrect treatment, it is unclear who would pay for such a service; since patients often do not possess the know-how to realise the importance of health history.
Chronic Disease Management
Description: Chronic conditions such as diabetes, hypertension, cardiovascular diseases, etc. require regular monitoring, strict treatment adherence, lifestyle management and routine follow-ups. Some complex conditions even require second opinions and joint decision-making by a team of doctors. By having access to a patient’s entire health history, services that facilitate remote consultations, follow-ups and improve adherence can be enabled in a more precise manner.
Problem: Services such as treatment adherence or lifestyle management require self-input data by the patient, which might not work with the majority. Other services such as remote consultations can still be achieved through emails or scanned copies of reports. The true value of a PHR is in providing complete information (which might be missed in cases of manual emails/ uploads, especially in chronic cases where the volume and variety of reports are huge) – this too requires the patient to understand its importance.
Description: One problem that can be resolved through patient records is incorrect declaration of pre-existing conditions, which causes post-purchase dissonance. Another area of benefit is claims settlement, where instant access to patient records can enable faster and seamless settlement of claims. Both of these can be use cases of a patient’s health records.
Problem: Claim settlement in most cases is based on pre-authorisation and does not depend solely on health records. Information about pre-existing conditions can be obtained from diagnostic tests conducted at the time of purchase. Since alternatives for both exist, it is unclear if these use cases are strong enough to push for a PHR.
Description: Clinical trials often require identifying the right pool of participants for a study and tracking their progress over time. Today, this process is conducted in a closed-door setting, with select healthcare providers taking on the onus of identifying the right set of patients. With electronic health records, identification, as well as monitoring, become frictionless.
Problem: Participants in clinical trials represent a very niche segment of the population. It is unclear how this would expand into a mainstream use of PHR.
We are looking for partners to brainstorm for more use cases, build prototypes, test and implement them. If you work or wish to volunteer in the Healthtech domain and are passionate about improving healthcare delivery in India, please reach out to me at [email protected].
Our policy team tracks the interest of Software product industry
INDIA, Bangalore, Feb 1st, 2019 – Proposals for Union budget of 2019 have been announced today by Finance Minister.
Being an interim budget not many announcements were expected. Some of the important announcements that may affect the expansion of the economy, in general, owing to increased income and ease of living in the middle class are as follows:
Within two years tax assessment will be all electronic.
IT return processing just in 24 hours
Rebate on taxes paid for those with an income below 5 lakhs
TDS threshold on interest income by woman on bank/post office deposits raised from Rs. 10,000 to 40,000
Increase in standard deduction from Rs. 40,000 to 50,000
Rollover of Capital gains tax benefit u/s 54 from investment in one house to two houses, for a taxpayer having capital gains up to Rs. 2 crore
Recommendation to GST Council for reducing GST for home buyers
Exemption from levy of tax on notional rent, on unsold inventories, from one year to two years
Many benefits announced for Agriculture and Rural sector
The coining of the phrase “Digital Village” and placing it second on the list in the ten-dimension vision statement in the budget speech is a welcome step. The statement nudges the next Government to improve access to technology in rural India. We expect “Digital India” and easy and quality access to the internet for every citizen will remain a focus area, irrespective of which government comes to power.
The government has announced a direct cash transfer scheme for farmers. We are happy to see that technologies like the India Stack are being used by policymakers for effective policy-making irrespective of political ideology. Cash transfers promise to be more efficient initiatives that directly benefit our poor without needing them to run from pillar to post trying to prove their identity and eligibility. Similarly, startups and SMEs remain a focus area in the vision statement. These are very important for building up a healthy ecosystem.
Similarly, focused phrases such as “Healthy India”, “Electric Vehicle” and “Rural Industrialisation using modern digital technologies” are welcome ideas in ten-dimension vision for Indian Software product industry and startup ecosystem.
However, among key issues for Startups and Investments which need to be addressed but have been missed out are Angel tax and Tax parity between listed and unlisted securities. Angel Tax is a very important issue which needs to be addressed conclusively at the earliest. We need to ensure gaps between policy declaration and implementation do not cause entrepreneurs and investors to relocate themselves aboard.
About iSPIRT Foundation
We are a non-profit think tank that builds public goods for Indian product startups to thrive and grow. iSPIRT aims to do for Indian startups what DARPA or Stanford did in Silicon Valley. iSPIRT builds four types of public goods – technology building blocks (aka India Stack), startup-friendly policies, market access programs like M&A Connect, and Playbooks that codify scarce tacit knowledge for product entrepreneurs of India. Visit www.ispirt.in
This PolicyHacks recording was made on 2nd January 2018 at 5.30 pm and covers a discussion on the proposed rules (amendment).
iSPIRT volunteers Sanjay Jain, Saranya Gopinath, Venkatesh Hariharan (Venky) and Tanuj Bhojwani, and Bhusan, a lawyer from IDFC, participated in the discussions with Sudhir Singh.
The main aspects of the draft amendment and its impact on software product companies and start-ups in the tech world in India are covered in the discussions. A transcript of the discussion is given below. Alternatively, you can listen to the recorded audio/video on YouTube, embedded below.
The draft rules mainly cover information published by users on intermediaries, also referred to as platforms in this discussion. The three broad aspects that the draft rules cover are:
Putting higher onus on Intermediaries on objectionable content
High level of compliance and penalties
Enforcing traceability of objectionable content
With the above introduction to the topic, the floor was opened for discussion by host Sudhir Singh. Below is the transcript of the contributions made by participants (the transcript may not be complete word for word but follows the sense of the contributions made).
On the question of how the draft rules will impact industry
Sanjay Jain – “Two or three elements that you have highlighted in there.
First is the definition of the platform player. Intermediaries are broadly defined. They include everybody from telecom players, ISPs, a social network and even a site like apartment Adda, Baba-jobs, because all of these will have some kind of user-generated content, which is being published and shared with others. While the law drafting may have had one type of intermediary in mind, it actually applies to all of them and as such that is where some of the issues start.
Second part is that by moving some of the onus to the platform, and I actually think they have not fully moved the onus to the platform, which is a very dicey situation because they have moved and not moved at the same time. And because the onus is primarily still on the Govt. to notify the intermediary that there is something objectionable and they have to remove it. But, at the same time, they have said that the intermediary shall develop technological means for identifying all of this as well. Sometimes there is an assumption that technology can do a lot, and in reality while you can have 99.9% accuracy, you still have those 0.1% and that becomes an issue.
The third part I wanted to mention is that the cost of compliance goes up considerably. They have put a limit of 50 lakh users in India, though we believe 50 lakh may be a little low. They should go a little higher and, depending upon the type of user-generated content, they should allow for a somewhat graded form of compliance.”
Bhusan, from IDFC Institute – “As context, these rules have been drafted based on the earlier rules of 2011 and have some new features, like a graded approach such as significant intermediary to non-significant intermediary. They have put timelines in terms of response from the intermediary, and so these rules are being built upon the existing set of rules.
There is some sort of tightening of the compliance on intermediaries, e.g. a 72-hour timeline for response. If you are a significant intermediary, then you have to be incorporated in India and have to appoint a person who is available 24X7, and you also have to have proactive measures to screen content on your side. Some of this is coming from the frustration of getting information from intermediaries.”
On the issue of how practical these numbers are for small players and how to save start-ups
Sanjay Jain – “Differed assumption is that if you publish any content which is against the law, you are liable. Being an intermediary protects you. If you remember the case of Baje.com, the only protection they got was proving to be an intermediary. Hence, you want to call them (start-ups) intermediaries but get better procedural control to stop harassment at the hands of low-level law enforcement.”
Tanuj came in and quoted the line after 72 hours in section 5, which says “as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto.”
According to Tarun, this statement is so broad that any junior-level officer can say “I got information that someone from Hissar in Haryana is harassing a person, give information of all users in Haryana.”
Venky – “I agree with Tarun; the laws or the rules are meant to be more sharply defined and to have sharp implementation guidelines. In this case they seem to be pretty loosely framed.”
Sudhir Singh – “There is another issue in the draft rules on informing users once a month and taking their consent. Hard compliance with any rules is normally easier for large players, who may easily invest and handle it with technology, but for small players and start-ups it is a difficult situation to comply with.”
Sanjay – “From technology experience we learn that if you make something automated, users ignore it. So, what will happen is this will be implemented by sending one email to every user, once a month, stating that if you don’t comply, we will delete your account from the platform.
That’s an email that is going to get ignored. So, it is a very ineffective suggestion. Also, there is an implicit assumption that all users are identifiable, which is not always the case. So, just to implement it you will have to identify users. That may not be a valid requirement.”
Bhusan – “On the point that you need to have more than 5 million users. My question is, procedurally, how do you even establish that?
Will platforms have to do GPS-type tracking to ensure that, and does this not create a privacy risk in itself? E.g. I do not know whether platforms like Quora know if they have more than 5 million users in India or not. It seems there is this focus on regulating Big Tech, and this 5 million number really comes from that.”
Sanjay – “Basically, anybody can be hosting user-generated content. So, let us say we are on a common platform, and there is a message flowing from me to you. If I violate the law, and let’s say the message is liable for incitement or under any other law, then I should be held liable and not the platform.
For that, the platform needs to be qualified as an intermediary and put under safe harbour, and the intermediary takes on the responsibility of helping law enforcement. So, we should not take start-ups out of its ambit. What we have to do is make sure that the conditions required, the conformance to the standard, should not be so terrible that start-ups would be excluded.
So, we need to sharpen the requirements that they should be conforming with and make it easy enough for somebody to conform.”
It is being discussed that Govt. is aiming for higher level of Penalty. What should be our recommendation?
Tanuj – “If you take a very young company, any sort of hit is bad, but if you can put it on a proportion-of-revenue basis, it will be at least more forward thinking, even if it is not absolutely fair, in some sense more fair than not having that rule or having a flat rule. The amendments or changes we should think about for the penalty would be not being in favour of arbitrary penalty.”
Tarun added – “Our recommendations should be around sharpening rules, like who can use it who cannot use, what are the accountability measures on them, more than magnitude of these numbers.”
Saranya – “Just to address the Data protection law vis-à-vis intermediary act. The subject matter of Data Protection law is ‘personally identifiable information’, whereas Intermediary act tries to cover ‘all communication in some sense’ and hence, Intermediary act has a longer leash with regard to the person who can take the intermediaries to task.
The criteria of what would be offensive under Intermediary act is very different e.g. encouraging consumption of narcotics. Hence, the criteria that a person can take intermediary to task is extremely wide and needs to be curtailed.”
Bhusan – “There is an inherent subjectivity in these rules and there is a need for some sort of standard procedures on how these rules are applied by law enforcement agencies across the board. All that these rules say is – any request has to come in writing and intermediaries have to comply with it.”
Venky – “From an implementation perspective we need implementation guideline. Section 5 is so wide that anybody can drive a truck through it.”
How the numbers (e.g. the 72-hour period to respond and 50 lakh users) should be defined in a manner that suits start-ups who are in the early phase
Sanjay – “Broadly, we need to identify the places and various numbers to apply proportionally depending upon the size of entity and size of violation, in our feedback to the Government.”
Sanjay also drew attention to the term “Appropriate Govt”, which needs to be defined well. He said, “What we want is the Govt. agencies to be defined.”
Bhusan – “This is a very standard way of defining. I have not seen any precise definition specifying agencies in general regulation and I do not see that they will start with the IT Act on this.”
Bhusan mentioned another important issue: end-to-end encryption is more a political point than a national security issue (refer to the last lines of section 5).
Sanjay – “This is about tracking and tracing; it may not be about encryption. The fact that I sent information to somebody is about metadata, it’s not about the information itself. This may be clarified better, but it is not about end-to-end encryption but about metadata.”
Sanjay further added, “Perhaps one clause you could add is to say that the ‘intermediary should be able to do this based on the information it has; if it does not have the information, there should be no requirement to maintain information’, e.g. if you take the business of Mailinator, they don’t keep a record of mails sent in and out.”
Bhusan added, “It should not lead to intermediaries having a requirement to do KYC on users.”
Is 50 lakh only to target large platform players?
Sanjay – “My read is they may have thought that way. But in reality a regional ISP or even a small newspaper will fall into that category.”
Bhusan – “I don’t think it is a number generated by some study, but it seems like they just picked it.”
The discussion was wrapped up with thanks to all players.
Author note and Disclaimer:
PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact Software Product Industry and the startups in the eco-system. PolicyHacks, therefore, do not necessarily set out views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on case to case basis.
PolicyHacks discussions and recordings are intended at issues concerning the industry practitioners. Hence, views expressed here are not the final formal official statement of either iSPIRT Foundation or any other organisations where the participants in these discussions are involved. Media professionals are advised to please seek organization views through a formal communication to authorised persons.
“High share premium is not the basis of a high valuation but the outcome of valid business decisions. This new whitepaper by our iSPIRT policy experts highlights how share premia is a consequence of valid business decisions, why 56(2)(viib) is only for unaccounted funds and measures to prevent valid companies from being aggrieved by it”
Drones have been around for a long time, going back as far as World War II. For most of their history, they were considered part of the military arsenal and developed and deployed almost exclusively by the military.
However, the past decade has seen a tremendous amount of research and development in the area of using drones for civilian purposes. This has led industry experts to predict that drones will be disrupting some of the mainstay industries of the global economy such as logistics, transportation, mining, construction and agriculture to name a few. Analysts estimate a $100 billion market opportunity for drones in the coming few years. In spite of the overwhelming evidence in favour of the value created by drones, it has taken quite a few years for the drone industry to take off in a commercial sense globally.
The main reason for this has been the regulatory challenges around what is allowed to fly in the air and where it is allowed to fly. A common theme around the world is the unconventional challenges that old governmental structures face as they try to understand and regulate new technologies. Hence the default approach for governments so far has been reactionary caution as they try to control what are, essentially, flying robots in the sky.
However, with electronics costs coming down, hardware becoming more accessible and the software that interprets data becoming more powerful, a number of humanitarian, civilian and industrial applications have emerged. As governments across the world realize the potential of drones, we are starting to see the first versions of regulations being drafted and adopted across the globe.
Closer to home, India has had a relatively adverse, or rather lackadaisical, approach to drones.
But as India continues its drive to become a more technology-oriented economy, the role of drones in the world’s fastest growing economy and the potential benefits they can bring are hard to ignore.
However, India’s approach to drone regulations cannot be that of other major economies that have the luxury of friendly neighbours and a large network of monitoring apparatus. India has had to take an approach that is novel and robust, one that balances the security landscape while also being designed to allow maximum utilization of the potential that drones offer. Out of this need to both regulate how and where a drone can fly and keep multi-ministerial stakeholder interests accounted for was born the Digital Sky, India’s foundational framework for all things drones.
What is the Digital Sky and how does it work?
What the Digital Sky accomplishes beautifully is to fill the institutional void that would otherwise need to be collectively filled by many institutions, making it easier for the industry and consumers to interface with the government legally through one platform. Permission to fly a drone no longer requires a 90-day intimation with an arbitrary number of NOCs to be approved by umpteen ministerial bodies at the central and federal level. The industry and the public now know one place to interact with in order to register their drone, get recognised as a certified operator and apply for permissions, while all concerned government agencies ensure their overarching interests do not interfere with the large-scale adoption of drones.
There are crucial components required for the Digital Sky concept to work, the most central being that drone operators should not be able to fly drones if they are not approved by the government. To accomplish this, the Drone 1.0 regulations revolve around the concept of No-Permission-No-Takeoff (NPNT).
What this implies is that unless a drone has valid permission for a particular flight, in the form of tamper-proof digitally signed permission tokens, it will not be able to take off. The Digital Sky is the platform that automates the processing of these permission tokens as they flow in from different parts of the country, without overwhelming the authorities, through a flight information management system (India is one of only three countries to build this nationally, after China and the USA). For this vision to come true, there will be an enormous change in the way drones are manufactured and operated. Entire new industry verticals will develop around getting existing drones compliant, developing interfaces that interact with the Digital Sky platform and making applications for India’s needs. This raises the question:
How is the current state of the industry changing with the 1.0 regulations?
Until the introduction of the regulations, companies, especially those in UAV operations, were doing non-restricted work and ended up becoming jacks-of-all-trades. Companies in the manufacturing domain were unclear about who their target customer was and what they needed to build. All the companies in this domain were working with no clarity on safety and permissions.
With the introduction of the Drone Policy 1.0, a buzz has been created, and efforts are being made to understand the regulations by all the entities who are set to gain from it. They understand that there will be a new aspect they need to cater to, i.e. the sense of accountability.
For manufacturers, the NP-NT mandate will be the most immediate requirement, and the most common route to implementing the mandate will be through changes to the existing firmware architecture. The changes themselves are being driven by open source initiatives, with various operators, system integrators and manufacturers contributing to the shift to NP-NT for all major drone platforms in the country. The Digital Sky has inadvertently catalysed the first industry-wide initiative to bring together all members of the ecosystem. Other requirements such as ETA bring much-needed standardisation to the hardware space; this allows benchmarking of products and makes information about the standards to look out for more easily available to end users.
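The No-Permission-No-Takeoff gate described above, as an added example (not the Digital Sky platform's or any manufacturer's code): the authority signs a permission for one drone and one time window, and the drone-side check refuses takeoff unless the signature, the drone identity and the window all verify. The token fields, the function names, the drone IDs and the textbook RSA key built from small known primes are assumptions made so the example runs with the Python standard library.

```python
import hashlib
import json
from datetime import datetime, timezone

# ASSUMPTION: textbook RSA over two well-known Mersenne primes, chosen only so
# the example runs with the standard library. The key is far too small and too
# structured for real use; a real deployment would use a vetted signature scheme.
_P, _Q = 2**127 - 1, 2**89 - 1
PUB_N, PUB_E = _P * _Q, 65537                   # public key: the only key on the drone
_PRIV_D = pow(PUB_E, -1, (_P - 1) * (_Q - 1))   # private key: stays with the authority


def _digest(body):
    """Hash a canonical JSON encoding so both sides hash identical bytes."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big") % PUB_N


def issue_permission(drone_id, not_before, not_after):
    """Authority side: sign a permission for one drone and one time window."""
    body = {"drone_id": drone_id, "not_before": not_before, "not_after": not_after}
    return {"body": body, "sig": pow(_digest(body), _PRIV_D, PUB_N)}


def preflight_check(token, my_drone_id, now):
    """Drone side: return (allowed, reason); any failure means no takeoff."""
    try:
        body, sig = token["body"], token["sig"]
        # Verify the signature before trusting any field inside the body.
        if not isinstance(sig, int) or pow(sig, PUB_E, PUB_N) != _digest(body):
            return False, "bad signature"
        if body["drone_id"] != my_drone_id:
            return False, "token issued for another drone"
        start = datetime.fromisoformat(body["not_before"])
        end = datetime.fromisoformat(body["not_after"])
        in_window = start <= now <= end
    except (KeyError, TypeError, ValueError):
        return False, "malformed token"
    if not in_window:
        return False, "outside permitted time window"
    return True, "ok"


def demo():
    """Run the check against constructed tokens and return each outcome."""
    me = "drone-001"  # constructed identifier
    token = issue_permission(me, "2019-03-01T09:00:00+00:00",
                             "2019-03-01T10:00:00+00:00")
    during = datetime(2019, 3, 1, 9, 30, tzinfo=timezone.utc)
    after = datetime(2019, 3, 1, 11, 0, tzinfo=timezone.utc)
    # Tampering: the operator stretches the window but cannot re-sign the body.
    forged = {"body": dict(token["body"], not_after="2019-03-01T23:00:00+00:00"),
              "sig": token["sig"]}
    return {
        "valid": preflight_check(token, me, during),
        "expired": preflight_check(token, me, after),
        "forged": preflight_check(forged, me, after),
        "other_drone": preflight_check(token, "drone-002", during),
        "missing": preflight_check(None, me, during),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} {outcome}")
```

The check fails closed: a missing, malformed, expired or altered token all produce a refusal, and the drone carries only the public key, so firmware that can verify permissions cannot mint them.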
For operators, a massive increase in the volume of business is expected as they can now focus on getting certified drones into the air, and not so much on getting approvals. The Digital Sky brings much-needed certainty and predictability into an industry that will be focused on balancing demand and supply of drone-related operations in a market that has a huge need for drones and their data but limited expertise to acquire and process it. This also puts the onus on the industry to become security and privacy conscious, and insurance agencies will play an important role in this regard. It will also help immensely in changing the thought process of the companies providing services and their customers. Customers will start understanding that they also need to have a defined plan, process and execution instead of the existing haphazard process of execution.
How will the industry/playground change over the coming years?
With the introduction of the regulations and a platform like Digital Sky enabling ease of doing business for the companies who are serious stakeholders in this domain, there is no limit to what developments will occur in the coming years. It opens up possibilities for the utilization of drones and related technologies in agriculture, medicine, energy, infrastructure and transportation.
The existing players will become more mature and more focused. They will understand that with regulations in place a more focused approach is the key to scale. They will also look at opportunities to compete in the global market, as the solutions developed around the Drone Regulations 1.0 and 2.0 will be key factors in making the Indian ecosystem a global standard to test, adapt and innovate drone applications and management.
What are the opportunities? What does that mean for the current and new players?
UAVs/drones as a business was a far-fetched thought for many entrepreneurs, and this has been a struggling industry in India in the past. Going forward, it is guaranteed that it will be one of the biggest markets in the world for UAVs as a business. What the regulations and the Digital Sky platform will enable is a new level playing ground for UAV companies, both existing ones and those newly entering the sector, to initiate good, scalable business models.
The existing companies with the right resources can now plan to scale their operations and also have the added advantage of doing work for the private sector in India. Due to the restrictive method of operations adopted previously, solutions for private agencies were unavailable. Going forward, the companies will shift their focus from being B2G entities to being B2B entities. Many new businesses for UAV air traffic management, surveillance, AI and ML-based UAV solutions and deliveries will emerge out of India with technology specific to India.
iSPIRT has been actively engaged in pursuing the favourable policy for the Cloud Telephony sector in Telecom Industry, an amalgamation of the various IT and Communications technologies.
National Digital Communication Policy has been announced recently and it is encouraging to see the announcements in the policy on some common issues to do with Startup ecosystem and digital communication aspects of the Cloud Telephony Players.
We are expecting the Department of Telecom (DOT) to work further on implementation and on framing rules and regulations in light of the policy in the near future. Despite many positive directional changes, there is a need to develop a regulatory framework for the Cloud Telephony players. Cloud Telephony players are adding value to communication and hence to the economy in several innovative ways. In addition, they also add a good revenue stream to licensed Telecom Service Providers (TSPs).
A recording of this discussion is given below. Please feel free to click and watch. (About 20 seconds were lost in the opening frame; apologies for the error.)
The main points covered in the discussion are summed up below, along with some of our recommendations and the good work done (while the policy was in the draft stage and during various consultation processes), which have been reflected in the policy under the respective sections as under:
1.1.(f) – Encourage and facilitate sharing of active infrastructure by enhancing the scope of Infrastructure Providers (IP) and promoting and incentivising the deployment of common sharable, passive as well as active, infrastructure
1.1.(g).iv. – Allowing benefits of convergence in areas such as IP-PSTN switching.
Both of these are encouraging moves; however, it remains to be seen how further rules and frameworks make it easy for small and startup companies to use them without licensed TSPs creating a barrier for them.
1.1.(j) – By encouraging innovative approaches to infrastructure creation and access including through resale and Virtual Network Operators (VNO)
This is a very encouraging announcement for the Cloud Telephony startups.
2.1. (c ) iv. – Improving the Terms and Conditions for ‘Other Service Providers’, including definitions, compliance requirements and restrictions on inter-connectivity
2.1.(c ).viii. – Creating a regime for fixed number portability to facilitate one nation – one number including portability of toll-free number, Universal Access numbers and DID numbers
Again very encouraging, but needs some boost. Most speakers feel the Audiotex regime must go and all the players in Cloud Telephony be treated as ASPs. These provisions will help cloud telephony to deliver better value propositions in their offerings.
2.2.(a) iv: – Encourage use of Open APIs for emerging technologies
2.2. (b) – Promoting innovation in the creation of Communication services and network infrastructure by Developing a policy framework for ‘Over The Top’ (OTT) services.
2.2.(f) ii. – Enabling a light touch regulation for the proliferation of cloud-based systems
2.2.(f).iii. – Facilitating Cloud Service Providers to establish captive fibre networks.
A welcome move to encourage Open APIs. However, licensed TSPs should be given one standard, governed by DOT, to implement any APIs that let them monitor cloud telephony or ASPs on their network, instead of being allowed to create a regime of their own.
Generally, an OTT policy is recommended in reforming the sector. However, OTT framework should not be mixed with ASP or Cloud Telephony providers. It is better to keep a distinction between the two.
2.4.(a).ii: – Promoting participation of Start-ups and SMEs in government procurement
2.4.(b). – Reducing the entry barriers for start-ups by reducing the initial cost and compliance burden, especially for new and innovative segments and services.
Acceptance of these issues is very encouraging. The Government can be a very big user of the Cloud Telephony industry also. And we hope this will turn out to be a winning proposition for the Cloud Telephony industry in near future.
While this policy announcement reflects a positive change, it is yet to be seen how DOT looks at Cloud Telephony and whether it recognises it as a sub-sector with an easy and proper regulatory framework.
Note: The above article is co-authored by Gurumurthy Konduri of Ozonetel with Sudhir Singh of iSPIRT
Data protection and privacy have been topics of hot debate and discussion in recent times in India. As India progresses towards being a “Digital economy”, it has become extremely important to address the issues relating to the use of personal data.
iSPIRT has been at the forefront of developing a consent framework called the Data Protection & Empowerment Architecture (DEPA). The Account Aggregator policy of RBI revolves around this consent architecture.
Whereas the bill is of interest to almost all the sectors of the economy, it is extremely important for businesses in the Information Technology sector, and especially in the software product industry, to understand the law as it is seeded and further as it evolves.
The bill has many aspects to it in the legal framework. It is not possible to cover the entire understanding of the bill in one blog. We have attempted to cover some salient features that may be important for the software product industry, as well as how it connects with the techno-legal aspects of DEPA as it stands in the financial sector, perhaps to be replicated in other important sectors of the economy.
This blog is again posted in a question-and-answer format, both as a video and as a transcript of the video. You can use the one you like.
Questions have been asked by iSPIRT volunteer and Policy expert Mr Sudhir Singh and answered by Supratim Chakraborty (Data Privacy and Protection expert from Khaitan & Co.) and Siddharth Shetty (leading the DEPA initiative at iSPIRT).
What are the most important aspects of the bill?
Supratim answered, “What we have seen is through this draft bill, there is an attempt to establish the relationship of trust between the data subject and data controller. The nomenclature has been changed in this bill and it is data fiduciary and data principals. It puts a lot of onus on the data fiduciary to take care of data care protection.”
“There are several important aspects of the bill that need attention such as localisation of data, cross-border transfer and also some other aspects such as privacy by design, transparency requirement, security safeguard, breach notification, grievance redressal mechanism, the requirement of Data protection officer, record keeping requirements”, as Supratim elaborated.
Is there some restriction on data fiduciary? Is the state exempted?
Supratim said, “this bill is equally applicable to private parties and the Government unlike earlier provisions of section 43A and 72A of IT ACT. 43A will be scrapped after this bill comes into existence. There has been a lot of debate on this aspect of bringing Govt. under the purview of the law.”
Is right to be forgotten covered in a similar way as GDPR?
Supratim explained, “Our Govt. has looked at this in a more business-friendly way by covering the right to be forgotten by provisioning that any further dissemination of data should be stopped, once the data principal chooses to withdraw the consent or ask for the right to be forgotten.”
He described four governing aspects that determine how data is to be kept local, as described below.
You could have certain pockets of personal data that can be transferred outside.
There could be certain pockets of data that could be transferred outside, but a serving copy of the data has to be within the country.
The third category is sensitive personal data, the ambit of which has been widened considerably compared to what we saw under 43A of the IT Act. For this, if sent out of
The fourth category is data that cannot be sent outside the country at all.
“On cross-border transfer of data, in addition to ‘consent’ there have to be standard contractual clauses (approved/prescribed by the authority) or the transfer to a jurisdiction is approved by the central government”, he further explained.
What is the Data Protection Authority?
Supratim answered, “In the draft bill this seems to be all encompassing all powerful authority from rulemaking to advisory to enforcement. Therefore it is important to see how this really shapes up. In “IT Act”, section 43 A and 72A were largely there to cover the aspects of data privacy but enforcement and implementation.”
What are other important aspects to consider?
“There are many aspects but let us touch upon two given below”, said Supratim.
One is the requirement of having notices in multiple languages, which is not a very hard obligation the way it has been put. But in a country like India, for say an e-commerce platform, imagine the cost that one has to incur for putting up multiple-language notices. Also, we need to see whether we are able to really address the point of informed consent through this, because you also have a section of people who may be illiterate. The Justice Srikrishna report suggests that we should have short videos or graphical representations which make it very easy for someone to understand the critical aspects of privacy.
Another important aspect is applicability of the law. This law is applicable to all processing that is happening in India and also to foreign bodies. Section 2(2) talks about applicability to foreign bodies, the first part says that “in connection with any business carried out in India”. This means a global platform that is accessible from India has to have the entire requirement of this law.
Are we going in direction of GDPR?
Supratim answered, “Whereas we are trying to follow the Gold standard and many countries are trying to follow the path set by GDPR, India is quite a different country and we are not following everything the way it is in GDPR; we have to be mindful of our requirements. But the idea is to slowly and surely reach a zone where we can have our laws quite akin to the laws of mature jurisdictions.”
How does Bill address iSPIRT DEPA initiative?
Siddharth, sees this draft bill as a unique India first approach. He feels that apart from addressing privacy and data protection aspects it empowers Indians on having control on the use of their data for better financial services, better health services, education etc.
Siddharth goes on to explain that at iSPIRT for past 3-4 years we have been working at Consent layer of IndiaStack or Consent framework and it is great to see that bedrock of draft bill is actually based on consent and in that way it is somewhat similar to GDPR. But, one of the biggest problem they are facing in EU today is it is very difficult to operationalise consent. It is for the first time India has a unique infrastructure to operationalise consent.
“DEPA is nothing but a set of two tools that helps to operationalise consent, explains Siddharth.
One is known as Digital Locker system which allows to the federated exchange of data and second is known as electronic data consent, which is nothing but an electronic representation of user Consent.
“This means, if you want to share or allow your data from some provider to say another consumer, then you must be able to express what date you want to share with whom for what time period in some codified manner. This codified information or consent is known as consent artefact”, says Siddharth further.
As explained by Siddharth, the ‘consent artefact’ became a national standard in 2016 adopted by four financial sector regulator RBI, PFRDA, IRDA and SEBI and they adopted it for their entire eco-system.
Based on consent artefact every individual has an access to financial data and has a mechanism to share that data to gain access to a loan or any other services provider. This has been through an institutional mechanism called Account aggregator.
Siddharth further elaborated that “the ‘Account aggregator’ (AA) is a class of entities known as data access fiduciaries. The AA, unlike in other parts of the world, decouples the institution that is collecting consent from an institution that is either consuming data or providing data. In the EU, e.g., as per the PSD2 directive, the account information service provider which consumes data is also responsible for collecting the data.”
In India, 3 AAs have been approved. Technical standard drafts are also out for the ecosystem. And through AA you actually have an entity that’s working toward creating an informed consent experience. Going forward, just like in UPI you receive your consent for a payment, through AA you will have an entity that helps you provide and control consent. Based on the financial sector, we have proposed a similar concept to TRAI for the telecom sector and to NITI Aayog for the health sector.
Has the AA concept been addressed in the bill?
Siddharth explains further, “The bill makes consent the bedrock of most processing of data. The AA model is nothing but your consent collector or consent manager. For every data principal they have outlined the right to confirmation and access, the right to correction and, most importantly, the right to data portability. As a data principal, you have the right to request from a data fiduciary and port machine-structured, non-repudiable transaction history or any other user-generated data to other service providers. AA is nothing but a framework to operationalise this right.”
He further explained that in the report preceding the bill, they talk about a concept called the consent dashboard. AA is nothing but a consent dashboard. They had 2 tech innovations: the consent dashboard and the data dashboard. You can log consent flows and data flows.
Will there be a consent dashboard concept like AA in other sectors also, or will there be one single-point authority under the DPA?
Siddharth: “It would be a combination of both. If you see the draft bill, it allows sectoral regulators to write rules. For data that falls under the private data sets category, such as data pertaining to social media etc., the DPA would prescribe a standard.”
The report says that the dashboard can be maintained by each data fiduciary or it can be a common dashboard that everyone else agrees on and follows. If you look at the account aggregator dashboard, it is a common dashboard for the entire financial sector. But social media companies can follow their own dashboards.
Any software product company that does not lie in any of the regulated sectors can create its own consent dashboard, where the user can come, see their dashboard, correct their data, port the data and manage their consent.
Unlike the IT act, this regulation will have a direct bearing on any businesses processing data irrespective of being in a Software product or other domain. And hence there is a need to be attentive. How right is this aspect?
“Yes, the ambit increases quite a bit. Wherever there is a sensitive personal data interface involved, the level of compliance requirement has gone up several times. In the IT Act, there was a mention of personal data in section 72A. The present draft bill does not talk about the deletion of 72A. The draft bill has a parallel mechanism set out in the IT Act”, mentioned Supratim.
Siddharth: “It is not just limited to compliance; this law unlocks a whole host of business models around data sharing, around consented data sharing, that you haven’t yet seen in any other country, and it will be a really interesting space to see what companies get built out there.”
Questions from Participants.
What is the definition of data processing? Or what is the differentiation between Data Storage and Data Processing. E.g. if you are an email service provider, is it Data Storage or Data Processing? (asked by Chintan)
Supratim answered, “The definition of data processing is extremely wide, enough to make businesses fall into the ‘data processing category’ without being a processor.”
What is the timeline? (Asked by Chintan)
MeitY has asked for public comments on the draft bill by 10th of September; thereafter it will be presented to parliament, and after promulgation there will be more work in framing the Authority, the rules by the DPA etc. The law is expected to be in implementable form only after 18 months or so, at minimum.
What happens to the Existing customer? Do we go back to them and get their consent? (Karthik)
Supratim answered, “Whilst it is not a retrospective legislation, if you continue processing without taking consent, you will fall foul of the requirement of law.”
Are there any fines defined here? (Karthik)
Yes, it has been taken care of. Just like other aspects, the draft bill is highly inspired by GDPR on this aspect also. We have 4% and 2% of annual turnover. There are 2 buckets: one is 4% and 15 Cr, and the other is 2% and 5 Crore.
Do we need to appoint a DPO?
“There is a segregation which has been made: a significant Data Fiduciary, under certain conditions, will have to have a DPO. Also, this law has an immense amount of significant rulemaking power”, answered Supratim.
Hence, it will be seen in future how rules are framed by the Authority. So, it has to be seen how business-friendly the Authority remains in rulemaking; e.g. section 43A in the IT Act gave rule-making power to define what is sensitive data and information and to set out what are reasonable practices and procedures. In the rules made later, we saw a plethora of requirements set out, over-legislated and sometimes badly drafted.
The rules will go through an evolutionary cycle. Hence, the legislation has to be tested over a period of time as it unfolds, after crystallisation of this draft through promulgation by parliament into an Act and rules being made after that on different aspects.
PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact Software Product Industry and the startups in the eco-system.
PolicyHacks, therefore, do not necessarily set out views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on the case to case basis.
If you are facing an issue, we recommend you take expert professional advice on the case to case basis.
We intend to provide the best transcripts in the text part of the blog. However, it may not be an exact replica and may be an approximation, or a more standardised, normalised or moderated version of the expert view presented in the video.
iSPIRT has been pursuing with MeitY the application of PMA for all Indian Software Products to promote the Indian Software product industry, and it is heartening to note that at least one important sub-sector, Cybersecurity, has caught the Government’s attention.
iSPIRT organised a PolicyHacks session to understand this policy announcement with Ashish Tandon Founder & CEO of Indusface and Mohan Gandhi of Entersoftsecurity.
You can watch the discussion with Ashish and Mohan in the YouTube video given below, in a question and answer format with Sudhir Singh.
What are the essential features of this Policy?
Ashish described the main features stating that this is a policy that is going to help boost Cybersecurity products in India. Govt. of India identified areas that require boosting ‘make in India’ products for the sensitive areas of cybersecurity.
Is there a way product companies can register or Government is going to keep a registry of ‘made in India’ products?
Ashish explains the policy has provided for the formation of a committee that will further provide for a process for empanelment of Indian Cybersecurity products and Indian Cybersecurity product companies with some defined key aspects that would qualify for empanelment.
Ashish further explained that as the empanelment aspects are decided there may also come up with a process for testing and meeting standards and quality norms etc.
Are there enough product companies in the ‘Cyber Security’ space for empanelment?
Mohan Gandhi answered that there are several product companies, but this policy should further strengthen the ‘make in India’ aspect, and companies based out of India with deep tech products can look at getting the advantage of this policy.
Whether the Policy will be applicable to “productized services”?
Ashish answered that this policy is applicable only to products and will at best give preference to made-in-India products in turnkey projects wherein a cybersecurity product is involved in a large project.
How will this policy help Start-up companies in Indian Market?
Mohan mentioned, that one interesting thing about this policy is that, it clearly talks about intellectual property. There is a need to register and prove that the IP belongs to India. It will encourage small companies to register the IP and leverage the Indian IP even when they are selling abroad.
Does enough clarity exist on process, empanelment etc.?
Ashish feels the policy has already prescribed setting up of an empowered committee who will look at these aspects and it is MeitY that will be responsible for doing this.
Ashish further also elaborated that this Policy will get further push once some companies start getting empanelled and processes and rules are framed under MeitY by the empowered committee.
In concluding remarks, both Ashish and Mohan felt that the cybersecurity ecosystem will get a boost from this policy, as the policy furthers the cause by advising Government departments to prefer Indian products. With the digital economy on the anvil, there should be a huge demand in Government and public sector enterprises for cybersecurity. The cybersecurity product market is today dominated by players from the US, Europe and Israel.
The policy has to be pushed hard to provide further encouragement and, coupled with the StartupIndia policy, there should be an all-out effort to promote Indian cybersecurity product companies.
There are concerns and curiosity about the European Union General Data Protection Regime (GDPR), and there is a related issue in India being covered under the Data Empowerment and Protection Architecture (DEPA) layer of India Stack, which is being vigorously followed at iSPIRT.
iSPIRT organised a Policy Hacks session on these issues with Supratim Chakraborty (Data Privacy and Protection expert from Khaitan & Co.), Sanjay Khan Nagra (Core Volunteer at iSPIRT and M&A / corporate expert from Khaitan & Co) and Siddharth Shetty (Leading the DEPA initiative at iSPIRT).
Sanjay Khan interacted with both Siddharth and Supratim posing questions on behalf of Industry.
A video of the discussion is posted below. Also, the main text of the discussion is given below. We recommend watching and listening to the video.
GDPR essentially is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
Since it affects all companies having any business to consumer/people/individual interface in European Union, it will be important to understand this legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
Supratim mentioned in the talk that GDPR is based on the following main principles.
Harmonize law across EU
Keep pace with technological changes happening
Free flow of information across EU territory
To give back control to Individual about their personal data
Siddharth explained the DEPA initiative of iSPIRT. He mentioned that Data Protection is as important as Data empowerment. What this means is that an individual has the ability to share personal data based on one’s choice to have access to services, such as financial services, healthcare etc. DEPA deals with the consent layer of India Stack.
This will help service providers like account aggregators in building a digital economy with sufficient control of privacy concerns of the data. DEPA essentially is about building systems so that an individual, or consumer-level individual, is able to share data in a protected manner with a service provider for a specified use, specified time etc. In a sense, it addresses the concern of privacy with the use of a technology architecture.
DEPA is being pursued in India and has nothing to do with the EU or other countries at present.
Sanjay Khan poses a relevant question: is GDPR applicable even on merely having a website that is accessible or usable from the EU?
Supratim explains that GDPR is applicable if there is involvement of personal data of the data subjects in the EU. Primarily, GDPR gets triggered in three cases:
You have an entity in EU,
You are providing Goods and services to EU data subjects whether paid for or not and
If you are tracking EU data subjects.
Many people come in the third category. The third category will especially apply to those websites where it is proved that EU is a target territory e.g. websites in one of the European languages, payment gateway integration to enable payments in EU currency etc.
What should one do?
Supratim further explains that the important and toughest task is data management with respect to personal data. How did it come in? Where all is it lying? Where is it going? Who can access it? Once you understand this map, then it is easier to handle. For example, a mailing list may be built up based on business cards that one may have collected in business conferences, but no one keeps track of these sources of collection. By not being able to segregate data, one misses the opportunity of sending even legitimate mailers.
If a data subject receives and gets annoyed with an obnoxious email on a ‘subject’ that has nothing to do with the data subject, the sender of the email may get into real problems.
Siddharth mentioned that some companies that are providing products and services in the EU through a local entity are shutting shop.
Supratim mentions that taking proper, explicit and informed consent in the case of email, as mentioned in GDPR, is a much better way to handle this. On a question by Sanjay Khan, he emphasised the earlier point of data mapping mentioned above. After data mapping, one has to define GDPR-compliant policies.
EU data subjects have several rights: edit data, port data, erase data, restrict data etc. GDPR has to be practised with these rights actually enabled and policies and processes rolled out around them. There is no one template for GDPR-compliant policies.
Data governance will become extremely important in GDPR context, added Siddharth. Supratim added that having a Data Protection officer or an EU representative may be required as we go along in future based upon the complexity of data and business needs.
Can it be enforced on companies sitting in India? In absence of treaties, it may not be directly enforceable on Indian companies. However, for companies having EU linkages, it may be a top-down effect if the controller of a company is sitting there.
Sanjay asked, how about companies having a US presence and doing business in the EU? Supratim’s answer was yes, these are the companies sitting on the fence.
How about B2B interactions? Will official emails also be treated as personal? Supratim answers yes, it may. Again, it has to be backed by avenues where data was collected and legitimate use. Supratim further mentions that several aspects of the law are still evolving and the idea at present is to take a conservative view.
Right now it is important to start the journey of complying with GDPR, and follow the earlier raised points of data mapping, start defining policy and processes and evolve. In due course, there will be more clarity. And if you are starting a journey to comply with GDPR, you will further be ready to comply with Indian privacy law and other global legal frameworks.
“There is no denying the fact that one should start working on GDPR”, said Sanjay. “Sooner the better”, added Supratim.
We will be covering more issues on Data Protection and Privacy law in near future.
GST regime has brought a new dimension to treatment of Indirect taxation in Exports.
Prior to GST era, the export invoice had no Indirect tax mentions. So also, the indirect tax returns had nothing to do with Exports.
After GST implementation, to make the GST truly value added and consumption-based tax a concept of Zero-Rate supply was introduced. This made it necessary for exporters to account for indirect tax (GST) at time of exports.
An exporter has to adopt either of the two below given methods.
Export with IGST Paid – include and pay IGST at time of export to Govt. on invoice value and later get refund or
Export under LUT without payment of IGST – File a letter of Undertaking (LUT) with GST department and raise zero IGST export invoices and get refund of GST paid on inputs at later date.
Note: Before October 2017 there was also a requirement to sign a Bond (backed by bank Guarantee) if the value of exports for an enterprise in previous years were less than Rs. 1 Crore and sign a LUT if previous year exports were more than Rs. 1 crore. The requirement to sign a BOND has been done away with and all the BONDS signed until October 2017 will be treated as LUT, format and paper work being almost similar.
As working capital gets blocked if the IGST route is adopted (the exporter pays IGST and then files for a refund again and again on each billing cycle), not many may have adopted this route. Hence, a good number of software exporters filed Bonds or LUTs with the GST department early, at the start of the GST regime.
The tax refunds can be claimed every month. However, for most small exporters it may be useful to file tax refund claims once at end of financial year. This will keep administrative burden low and also the cost of tax management low, while seeing a handsome refund amount in one go.
This write-up is meant to simplify issues of GST refund in exports for entrepreneurs in startups, including SaaS and software products.
Why is refund applicable on Exports?
First thing to understand is that under GST regime (unlike previous VAT and service tax) exports and imports are subject to IGST (in lieu of CGST+SGST), which is a tax applicable on Inter-state supplies. GST law treats exports and imports at par with inter-state trade to make exporters account for IGST.
Second thing to understand is whereas exports are covered under IGST (inter-state supplies), the exports are treated as “Zero Rates” supplies i.e. such supplies will have zero indirect tax incidence finally. The tax incidence of Indirect tax is normally on the final consumer of goods and services. Since, in exports the final consumer of goods or services is located outside India, the consumption happens outside the country. To maintain competitiveness of exports from country and to align with tariff structures in place before GST implementation, the indirect tax has to be zero (excepting a list of goods that are subject to tax). The exports and supplies to SEZ (deemed exports) have been treated as Zero-rate supplies.
Third thing to understand is that GST is a value-added tax. This can be understood from the old VAT regime, also. When a supply of goods or services passes from the original manufacturer to the end consumer through various trading channels, its value increases at every point. If A sells a good for Rs. 100 and charges GST of Rs. 18, the cost becomes Rs. 118 to B; now B may sell the same at Rs. 125 to C, the final consumer. The GST will now be Rs. 22.5 and the final cost to C will be Rs. 147.50. B, however, gets an input credit of Rs. 18 and pays Rs. 4.5 tax (Rs. 22.5 - Rs. 18).
Now, if B is an exporter and C is a client abroad, B has an option to adopt one of the two routes described above.
Route 1 – B can raise an export invoice with IGST paid of Rs. 22.5. Client C is charged Rs. 125 (in equivalent foreign currency) but IGST of 22.5 is paid to GST department in India. B then files for a claim of entire GST amount of Rs. 22.5.
Route 2 – B can file a LUT with GST department and raise an invoice with IGST zero and Rs. 125 (in equivalent foreign currency). Now either at month end or within a period of 2 years B can ask for refund of IGST that B has paid when procuring supplies from A of Rs. 18. This Rs. 18 is called unutilised input credit.
Refund of unutilised input credit is available as the final goods are consumed by client C in foreign territory and C is not subject to payment of indirect tax. Hence the tax accumulated by exporter B from his previous suppliers can’t be borne by the exporter and should be refunded.
Had the consumer C been in the domestic tariff area, i.e. within the territory of India, the final value-added tax on supplies would have been borne by the consumer.
An exporter can claim unutilized input credit on all the inputs required in production of final product or service exported.
How can exporters claim unutilised tax credit (GST) refund?
As per Section 54(3) of the CGST Act, 2017, a refund of unutilised input tax credit can be claimed at the end of any tax period (tax return period), i.e. a taxpayer can claim a refund on a monthly basis.
As per the provisions of GST law, refunds are to be granted to the dealer electronically on the basis of an application in RFD-01. However, due to the non-availability of the online process, as per notification No.39/2017-Central Tax, dt. 13-10-2017, exporters can file manual refund claims with the jurisdictional officers.
A new form, RFD-01A, to be filed manually by exporters, was introduced to facilitate early refunds vide Circular no.17/2017 dated 15-11-2017.
For those adopting the IGST-paid route, the process is simpler and 90% of tax is supposed to be refunded within 7 days of filing. This write-up assumes most exporters, barring petty exporters, have adopted the LUT route.
This write-up is not meant to describe a detailed process, but to highlight the need for exporters to file for refunds, if not filed yet, instead of letting the input tax credit be passed on to next year. This will help channelize the funds recouped into the business cycle for next year.
In order to file for refund an exporter needs to have filed all required returns on GST portal and should have records of all purchase invoices, export invoices raised, and the bank certificates of remittances received against export invoices.
For those who are supplying to Special Economic Zones (SEZs), the process is similar to exports, except there will be documents and certification to be sought from SEZ units and the local jurisdictional officer.
As the financial year end closes, all such exporters who have filed a LUT or BOND should be gearing up to seek GST refunds, if not done already.
GST regime started with lot of confusion for small exporter. Many issues have been resolved and many are yet to be resolved. GST is a much better regime in terms of taxation. However, a fully featured matured and fully digital GST regime will be much more beneficial for exporters. We hope in next financial year we can see roll out of a fully digital GST with near zero interference from officials and manual applications.
“I propose a series of measures to deter the generation and use of unaccounted money. To this end, I propose:
Increasing the onus of proof on closely held companies for funds received from shareholders as well as taxing share premium in excess of fair market value.”
When ex-Finance Minister Pranab Mukherjee introduced angel tax in 2012, it created an uproar in the fledgeling startup and angel investor community. While the purpose of this section was to reduce money laundering by imposing the hefty tax rate of 30.9 percent, it had several inadvertent consequences.
There were several cases of money laundering by Jaganmohan Reddy that were caught by the Enforcement Directorate, who revealed that people had “paid bribes to Reddy in the form of investments at exorbitant premiums in his various companies to the tune of Rs 779.50 crores apart from making payment of Rs 57 crores to him in the guise of secondary purchase of shares and donation of Rs 7 crores to the YSR Foundation”.
To prevent such abuses of the law, the government clamped down and stated that any unjustified share premium given by a private company would be taxed as income in their hands. But to catch one culprit, they threw the book at many innocents. The relevant law known as section 56(2)(viib) of the Income Tax Act came to be known as the angel tax section. Many startups which are private companies and had issued shares at a premium to angel investors ended up facing notices from the tax authorities under this section. This premium is treated as income in their hands, classified as “income from other sources” and taxed at the maximum marginal rate of tax.
The ‘Startup India’ initiative changed all that. Under the stewardship of the Honourable Prime Minister, startups became a focus area. As per the ten points in the Action Plan, if a startup was registered post-April 1, 2016, then the angel tax was not applicable to the startup. The move had helped startups operating in that area, but a problem still existed for startups that were incorporated before 2016. In fact, in December 2017, many startups received notices and orders for the Financial Year 2013-14. A few entrepreneurs who faced income tax notice hassles launched an e-petition on Change.org in January 2018 so that the government could take some concrete action in Budget 2018.
iSPIRT has taken up the matter with MoF and DIPP on the same. We had made some representations to MoF specifically before the budget. In the budget, the Finance Minister made a statement on continued assistance to the Angel Ecosystem. Due to rigorous efforts that went into sharing of information by these startups, we have recently seen MoF making the welcome announcement.
As per the latest announcement, angel tax would not be applicable on startups which are incorporated before 2016, fulfil the criteria under Startup India Policy and have been granted angel funding up to Rs10 crores. It is believed that at least 300 startups will get a breather from angel tax. The government is also likely to establish a separate committee for the recognition of startups that meet these criteria.
In a further relief to startups, the Finance Secretary Hasmukh Adhia also announced that income tax officers would not take precipitate action and will proceed only after the first set of appeals is decided in appellate cases. The exact phrase they used was “no coercive action”, which helped many startups heave a collective sigh of relief. All pending appeals by March 31, 2018, will be quickly addressed.
If you are a startup and need further guidance on angel tax, you should follow the steps below:
If you are a startup as per DIPP definition, then get your DIPP certification. All startups which may have raised funding post-April 2016 and are registered with DIPP will not have angel tax applicable to them.
If you are a startup which has received income tax notices for years before 2016 and is still eligible to register as a startup, then please register yourself with DIPP. You can share the registration certificate and relevant notifications with the assessing income tax officer to get an exemption from angel tax.
If you are a startup which has received income tax notices for years after 2016, then please repeat step 2 mentioned above and then appeal against the order. It is important that due process is followed so that the redressal measures taken by the tax authorities can come into effect.
These startups do not have to pay 20% of the tax order at the time of appeal as this has been a one-time exception granted till 31st March 2018 to avoid hurting the sentiments of the startup ecosystem. You can share the order with iSPIRT.
Also, pursuant to our meeting with MoF, we have been assured that the income tax officers in the various jurisdictions have been directed to exercise leniency on this till the new taxation regime for angel and venture capital investors comes into place, as announced by the Finance minister in his budget speech. The officers are aware of the hardships that startups now face and are doing their best to mitigate this within the ambit of the current law.
DIPP and MoF are also in the process of allowing a waiver to the earlier startups facing the angel tax issue, provided the investment made is under Rs 10 crores and subject to an Inter-Ministry board approving the same. This should happen in the next 5-10 days.
We will encourage all startups which have received notices and orders under Section 56 to follow the above steps to chart their way across the new announcements.
Please forward your orders to [email protected] enabling us to use these orders to take a strategic view to policy to help with this issue in the long term.