Budget 2024 – Empowering Startups and MSMEs, and Doubling Down on DPIs and R&D

This 2024 Budget coming post-election has aroused the most curiosity since the budget of 2014. It is for two reasons that this 2024 Budget is significant as we work towards a Product Nation: Reason 1 is for this budget’s Innovation and related public spending on private innovation and Reason 2 is for the next-generation reforms to create a simpler regulatory environment. It is heartening to note that both items are priority areas.

The continuity of the interim budget announcement of 1 lakh crore for private R&D funding is encouraging enough for the startup ecosystem. Under the Vishvamitra initiative, iSPIRT has been pursuing funding at scale for private sector-led R&D and its commercialization. The announcements of funding research in highly sensitive strategic areas such as Small Modular Nuclear Reactors and setting up a 1000 crore venture capital fund for the Space economy have been on our list of initiatives to advocate for and it is heartening to see the Government address R&D investments in geopolitically sensitive areas. 

The Finance Minister announced, “We will set up a mechanism for spurring private sector-driven research and innovation at commercial scale with a financing pool of 1 lakh crore.” What and how this mechanism will be set up will be critical for enabling R&D in the country to achieve Viksit Bharat 2047.

Among iSPIRT’s top  initiatives is the Stay-in-India checklist, and the request to remove the “Angel Tax” for all classes of investors. The removal of angel tax is the biggest highlight of this budget for the startup ecosystem. The announcement comes after decades of struggle and persuasion. Finally the government has recognised the role of startups in generating employment and has acted in a positive direction. 

There is a huge amount of work pending to reform Ease-of-Doing Business (EoDB) if India is to achieve the set objective of Viksit Bharat 2047. The Finance Minister stating an  intent to “formulate an Economic Policy Framework” to set the “scope of the next generation of reforms for facilitating employment opportunities and sustaining high growth” perhaps speaks about the government’s thinking on it.  

The government’s intention to involve states in ease of doing business (EoDB) efforts is also a very welcome step. We hope the next moves are swift and the government seriously attempts to at least be in the top 10 EoDB destinations globally. This is much needed for MSMEs, Startups, and even to attract FDI in GCCs. The economic survey tabled yesterday also aligns with this thought process. 

“We have successfully used technology for improving productivity and bridging inequality in our economy during the past 10 years” said the budget speech. Public investment in Digital Public Infrastructure (DPI) coupled with innovations by the private sector has been a well-accepted norm now. The Government is serious about using the DPI approach in multiple areas, from agriculture to education, etc. The increased penetration of DPI will eventually help digitalization and penetration of software products in the economy. 

The budget recognising MSME credit as one big area requiring attention has also called for several actions in this direction. One important step is involving PSU Banks to build their in-house capability to assess MSMEs for credit using an MSME’s digital footprint, instead of relying on external assessment. This will encourage banks to develop cash flow based lending on lines of another initiative of iSPIRT – the Open Credit Enablement Network (OCEN) that focuses on information based collateral lending rather than asset based collateral lending which in turn could help in developing a new credit assessment model that evaluates the digital footprints of MSMEs in the economy. 

iSPIRT’s Official Response to the Draft Drone Rules 2021

This is our response to the Draft Drone Rules 2021 published by the Ministry of Civil Aviation on 14 July 2021.

Introduction

The potential commercial benefits that unmanned aviation can bring to an economy has been well established in several countries. A primary and immediate use-case for drones is in Geospatial data acquisition for various applications such as infrastructure planning, disaster management, resource mapping etc. In fact, as argued in the recently announced guidelines for Geospatial data, the availability of data and modern mapping technologies to Indian companies is crucial for achieving India’s policy aim of Atmanirbhar Bharat and the vision for a five trillion-dollar economy.

The current situation in India, however, is that the drone ecosystem is at a point of crisis where civilian operations are possible in theory, but extremely difficult in practice. Because the regulations in place are not possible to comply with, they have led to the creation of a black market. Illegally imported drones are not only significantly faster, cheaper and easier to fly but also far more easily acquired than attempting to go through the red tape of the previous regulations to acquire approved drones. Thus, rather than creating a system that incentivises legal use of drones, albeit imported, we’ve created a system that makes it near impossible for law-abiding citizens to follow the law of the land and discourages them from participating in the formal system. This not only compromises on the economic freedom of individuals and businesses but it also poses a great national security risk as evidenced in the recent spate of drone attacks. If we do not co-opt the good actors at the earliest, we are leaving our airspaces even more vulnerable to bad actors. This will also result in a failure to develop a world-class indigenous drone & counter-drone industry, thus not achieving our goals of an Atmanirbhar Bharat.

The Draft Drone Rules (henceforth the draft) have addressed some of these problems by radically simplifying and liberalising the administrative process but haven’t liberalised the flight operations. Unfortunately, closing only some of the gaps will not change the outcome. The draft rules leave open the same gaps that cause the black market to be preferred over the legal route.

With the three tenets of Ease-of-Business, Safety and Security in mind, it is our view that while the intention behind the draft rules is laudable, we feel that the following areas must be addressed to enable easy & safe drone operations in India:

  1. Remove Requirement of Certificate of Airworthiness: The draft mandates airworthiness certification for drones whereas, no appropriate standards have been developed, thus, making the mandate effectively impossible to comply with.
  2. Lack of Airspace segregation, zoning and altitude restrictions: The draft doesn’t mention any progressive action for permitting drone operations in controlled airspaces.
  3. Business confidentiality must be preserved: The prescribed rules for access to data is not in consonance with the Supreme Court Right to Privacy Judgement
  4. Lack of transparent Import Policy: This results in severe restrictions on the import of critical components thus disincentivizing indigenous development of drones in India
  5. Insurance & Training must be market-driven and not mandated: We must let market forces drive the setting up of specialised training schools & insurance products & once mature they may be mandated & accredited. This will result in the creation of higher quality services & a safer ecosystem.
  6. Fostering innovation and becoming Atmanirbhar:
    A. Encouraging R&D: by earmarking airspace for testing for future drones
    B. Encouraging the domestic drone manufacturing industry: through a system of incentives and disincentivizing imports should be inherent in the Drone Rules.
    C. Recognition of Hobby flying: Hobbyists are a vital part of the innovation ecosystem; however, they are not adequately recognised and legitimized
  7. Encouraging A Just Culture: Effective root cause analysis would encourage a safety-oriented approach to drone operations. Penal actions should be the last resort and dispute resolution should be the focus.
  8. Enabling Increased Safety & Security: NPNT and altitude restrictions would enhance safety and security manifold.
  9. No Clear Institutional Architecture: Like GSTN, NPCI, NHA, ISRO, and others a special purpose vehicle must be created to anchor the long-term success of Digital Sky in India based on an established concept of operations
  10. Lack of a Concept of Operations: Although drone categories have been defined, they have not been used adequately for incremental permissions, as in other countries; rather the draft appears to prefer a blank slate approach. The failure to adopt an incremental approach can arguably be considered as one of the root causes of the drone policy failures till date in India as regulations are being framed for too many varied considerations without adequate experience in any.
1. Airworthiness

In the long term, it is strategically crucial to India’s national interest to develop, own and promulgate standards, to serve as a vehicle for technology transfer and export. The mandatory requirement for certification of drone categories micro and up is the key to understanding why the draft does not really liberalise the drone industry. It would not be too out of place to state that the draft only creates the facade of liberalising drone operations – it is actually as much of a non-starter as the previous versions of regulations.

The standards for issuance of airworthiness certificates have not been specified yet the requirement has been stipulated as mandatory for all operations above nano category in the draft (pts 4-6). However, most of the current commercial operations are likely to happen in the micro and small categories. And for these categories, no standards have been specified by either EASA or FAA. EASA’s approach has been to let the manufacturer certify the drone-based on minimum equipment requirements. On the other hand, It is only fairly recently that the FAA has specified airworthiness criteria for BVLOS operations for a particular drone type of 40kg, and which it expanded to 10 drone types in November. Building standards is an onerous activity that necessitates a sizable number of drones having been tested and criteria derived therefrom. The only other recourse would be adopting standards published elsewhere, and as of date these are either absent (not being mandated in other countries) or actively being developed (cases noted earlier). Given the lack of international precedent, the stipulation for certificate of airworthiness in the draft needs to be eliminated, at least for micro and small category drones.

2. Airspace

One of the major concerns since the early days of policy formulation in India has been the definition of airspace and its control zones. All regulations till date, including the draft, require prior air traffic control approvals for drone operations in controlled zones. However, given that controlled airspace in India starts from the ground level for the controlled zones upto 30 nm around most airports (unlike many other countries where it starts at higher levels), it effectively means no drone operations are possible in the urban centres in the vicinity of airports in India. While the Green/Yellow/Red classification system is a starting point for Very Low-Level airspace classification, the draft does not move to enable the essential segregated airspace for drone operations up to an altitude limit of 500ft above ground level.

3. Business Confidentiality

In the domain of Privacy Law, India has taken significant strides to ensure protection of individual and commercial rights over data. The draft (pt 23.) in its current form seems to be out of alignment with this, allowing government and administrations access to potentially private and commercially sensitive information with carte blanche. The models of privacy adopted in other countries in unmanned aviation are often techno-legal in nature. It is recommended that DigitalSky/UTM-SP network data access be technically restricted to certain Stakeholder-Intent mappings: executing searches for Law Enforcement, audit for the DGCA, aviation safety investigations and for Air Traffic Control/ Management. This would need due elaboration in the detailed UTM policy complemented with a legal framework to penalise illegitimate data access.

4. Insurance

One constant hindrance to compliance is the requirement of liability transfer. While the principle of mitigating pilot and operator liability in this fashion is sound, the ground reality is that as of date, very few insurance products are available at reasonable prices. The reason behind it is that insurance companies have not been able to assess the risks of this nascent industry. Assuming the regulation is notified in its current form (pt 28), arguably affording a clean start at scaling up drone operations, we will continue in this vicious dependency loop in the absence of incentives to either end. Again, market forces will drive the development of this industry with customers driving the need for drone operators to obtain insurance for the respective operations. Therefore it is recommended that initially, insurance should not be mandated for any category or type of drone operations, and instead be driven by market or commercial necessity. Over a period of time, insurance may be mandated within the ecosystem.

Similar feedback has been shared by Insurers: “Though the regulator (aviation regulator) has made mandatory the third party insurance, the compensation to be on the lines of the Motor Vehicles Act is somewhat not in line with international practices,” the working group set up by Insurance Regulatory and Development Authority of India (IRDAI) said.”

5. Training

Currently, there’s a requirement of training with an authorized remote pilot training organization (RPTO) (pt 25), applicable for micro-commercial purposes and above (pt 24). While the intent is right, it should not be mandated at the initial stage. The reality is that there are very few RPTO’s that offer training and the cost of such training is often higher than the cost of the drones themselves, while quality is inconsistent. While the current draft rules try to address this problem, they do this with the assumption that liberalizing the requirements for establishing RPTO’s will solve this problem. While this incentivizes more RPTO’s to be established, it still does not incentivize quality and leaves in place the same bureaucratic process for registration. This has been the experience of the ecosystem so far. While it is certainly reasonable to expect that remote pilots should receive training, the goal of better informed and equipped pilotry is better achieved, at this time, if left to manufacturers and market participants to drive it.

There are currently two types of training – Type training and Airspace training. Type training can be driven by manufacturers in the early days, as is the current practice, and Airspace training can be achieved through an online quiz, based on a Concept of Operations. It is our view that customers of drones will have a natural incentive to seek training for their pilots, thereby creating the market need for better quality training schools. Furthermore, as manufacturers establish higher levels of standardization and commoditization, they will partner with training schools directly to ensure consistent quality. In the upcoming years, as the drone ecosystem grows more mature, it will become reasonable to revisit the need for mandating pilot training at approved training schools, and DGCA may create a program that accredits the various RPTOs.

6. Fostering innovation and becoming Atmanirbhar
6A. R&D

To encourage institutional research and development further, we recommend authorised R&D zones be designated, particularly where low population and large areas (like deserts, etc) are available, some key areas of experimentation being long range and logistics operations which might require exemptions from certain compliance requirements.

6B. Import policy

Rather than simply delegating the entire import policy to DGFT (pt 8), there needs to be a clear statement of the import guidelines in the rules based on the following principles in the current draft:

  1. No barriers for the importation of components and intermediary goods for local assembly, value addition and R&D activities
  2. Disincentivising import of finished drone products, both pre-assembled and Completely Knocked Down. Possible avenues could be imposition of special import duty as part of well-considered policy of “infant industry protection”, a policy used successfully in the recent past in South Korea and is considered a part of the policy of Atmanirbhar Bharat by the Principal Economic Advisor to the PM, Sanjeev Sanyal.
  3. Incentivising investments in the indigenous manufacturing industry by aligning public drone procurement with the Defence Acquisition Procedure (2020) and supplemented by targeted government programs such as PLI schemes and local component requirements, which will help realise the PM’s vision of ‘Make in India’ and “Atmanirbhar Bharat’.
  4. In the long term, developing incentives for assemblers to embed themselves into global value chains and start moving up the value chain by transitioning to local manufacturing and higher value addition in India, to be in line with the PM’s vision of Atmanirbhar Bharat. Some suggestions here would be prioritisation for locally manufactured drones for government contracts, shorter registration validity for non-locally manufactured drones etc.
6C. Hobby Fliers

While research and development within the confines of institutions is often encumbered by processes and resource availability, hobby and model flying has enjoyed a long history in manned aviation as a key type of activity where a large amount of innovation happens. Hobby clubs such as The Homebrew Computer Club, of which Steve Jobs and Wozniak were members, and NavLab at Carnegie Mellon University are instances out of which successful industries have taken off. Far from enabling hobby or recreational fliers, they are not even addressed in the draft, which would only limit indigenous technology development. Legally speaking, it would be bad in law to ban hobby flying activities considering hobby fliers enjoy privilege under the grandfathering rights. A solution could lie in recognising hobbyists & establishing hobby flying green zones which may be located particularly where low population and large areas are available. Alternatively, institution-based hobby flying clubs could be authorised with the mandate to regulate the drone use of members while ensuring compliance with national regulations. The responsibility of ensuring safe flying would rest with these registered hobby clubs as is the case in Europe and USA.

7. Encouraging A Just Culture

Implementation is the key to the success of any policy. One of the key factors in encouraging voluntary compliance is an effective means of rewarding the compliant actors while suitably penalising any intentional or harmful violations. Therefore, arguably, an important step could be to build such rewards and punishments. In the context of aviation safety and security, the key lies in effective investigation of any violation while fostering a non-punitive culture. Effective investigations enable suitable corrective actions whilst minimal penal actions encourage voluntary reporting of infringements and potential safety concerns. ICAO encourages a just and non-punitive culture to enhance safety. Penal actions, if considered essential, should be initiated only after due opportunity and should have no criminal penalties except for deliberate acts of violence or acts harming India’s national security. However, considering the fallout from any unintentional accident as well, there should be adequate means for dispute resolution including adjudication.

8. Enabling Increased Safety & Security

The draft while taking a blank slate approach clearly aims to reduce hurdles in getting drones flying. However, we argue that lack of clarity on several issues or not recognising certain ground realities actually reduces the chance of achieving this. We list the details of these issues in the subsections below.

Points 13-14 acknowledge the existence of non-NPNT (No Permission No Takeoff) compliant drones and makes airworthiness the sole criteria for legally flying, provided such drone models are certified by QCI and are imported before the end of this year and registered with DigitalSky. This is a great step forward, however, keeping in mind the win-for-security that NPNT provides through trusted permissioning and logs, it is recommended that NPNT be phased back in with an adoption period of 6 months from the date of notification.

To bring back a semblance of safety to the thought process and keeping in mind that manned aviation would be operating above 500 ft except for takeoff, landing and emergencies, it would be pragmatic to enforce altitude fencing in addition to two-dimensional fencing going forward. Permissive regulation has the effect of encouraging good and bad actors alike, and this measure ensures the correct footing for the looming problem of interaction between manned and unmanned traffic management systems, where risk of mid-air collisions may be brought back within acceptable limits.

9. Institutional Architecture

The draft indicates that institutions such as QCI and Drone Promotion Council (DPC), along with the Central Government, would be authorised to specify various standards and requirements. However, no details have been specified on the means for notification of such standards as in the case of the Director-General (Civil Aviation) having the powers to specify standards in the case of manned aircraft. Such enabling provisions are essential to be factored in the policy so as to minimise constraints in the operationalisation of regulations e.g. as was observed in the initial operationalisation of CAR Section 3 Series X Part I which did not have a suitable enabling provision in the Aircraft Rules.

Further, effective implementation demands that responsibility for implementation be accompanied by the authority to lay down regulations which is sadly missed out in the draft. In the instant draft, the authority to lay down standards rests with QCI/ DPC but the responsibility for implementation rests with DGCA which creates a very likely situation wherein the DGCA may not find adequate motivation or clarity for the implementation of policy/ rules stipulated by QCI/ DPC.

It is not clear that setting up a DPC would advance policy-making and be able to effect the changes needed in the coming years to accelerate unmanned aviation without compromising safety and security. We argue that for effective policy and making a thriving drone ecosystem, Digital Sky is a unique and vital piece of digital infrastructure that needs to be developed and nurtured. In the domain of tech-driven industries, the track record of Special Purpose Vehicles (SPV) is encouraging in India, the NSDL, NPCI and GSTN being shining examples.

The field of unmanned aviation has its own technical barriers to policy making. Its fast-evolving nature makes it extremely difficult for regulators who might not have enough domain knowledge to balance the risks and benefits to a pro-startup economy such as that of India. With the context formed through the course of this paper, it is our view that an SPV with a charter that would encompass development of a concept of operations, future standards, policy, promotion and industry feedback, would be the best step forward. A key example of success to model on would be that of ISRO, which is overseen by the Prime Minister. This would remove inter-ministerial dependencies by overburdening the existing entrenched institutions.

10. Lack of a Concept of Operations

The difference in thought processes behind this draft and the rules notified on 12th March 2021 is significant and is indicative of the large gap between security-first and an efficiency-first mindsets; keeping in mind that mature policymaking would balance the three tenets. It also points to the lack of a common picture of how a drone ecosystem could realistically evolve in terms of technology capability and market capacity while keeping balance with safety and security. The evolving nature of unmanned aviation requires an incremental risk-based roadmap; the varied interests of its many stakeholders makes reaching consensus on key issues a multi-year effort. To this end, taking inspiration from various sources and focusing on the harsh realities peculiar to India, we are in the process of drafting a Concept of Operations for India.

Concluding remarks

With the goal of raising a vibrant Indian drone ecosystem, we recommend the following actionable steps be taken by policy makers:

Immediate Term – Enabling The Ecosystem

Changes to the draft

  1. Airworthiness Compliance requirements for all drone categories be removed till such standards are published
  2. Hobby flying and R&D Green zones be designated in low risk areas
  3. Guiding principles for Import policy formulation be laid out to incentivise import drone parts and de-incentivise drone models
  4. A privacy model be applied to DigitalSky ecosystem data access that technically restricts abuse while laying a foundation for a legal framework for penalties
  5. Insurance be not mandated for any drone categories
  6. The provision for setting up the Drone Promotion Council be subsumed by a SPV as discussed below
Next six months – Setting the ecosystem up for long-term success

A) NPNT be re-notified as a bedrock requirement for security

B) An SPV outside of entrenched institutions be set up with a charter to

1. Envision India’s concept of aviation operations for the next few decades

2. Formulate Future Policy and institutionalize some aspects of key enablers of operations currently missing in India:

  • Development / update of ConOps
  • Monitor / develop / customize International standards
  • Establish Standards for Airworthiness and Flight Training

3. Develop and operationalise DigitalSky in an open, collaborative fashion with oversight and technical governance mechanisms

4. Redefine control zones and segregate airspace for drone operations

5. Establish an advisory committee with equitable membership of stakeholders

6. Address all charter items of the Drone Promotion Council

Key Authors

1) Amit Garg – [email protected]

2) George Thomas – [email protected]

3) Hrishikesh Ballal – [email protected]

4) Manish Shukla – [email protected]

5) Siddharth Ravikumar – [email protected]

6) Sayandeep Purkayasth – [email protected]

7) Siddharth Shetty – [email protected]

8) Tanuj Bhojwani – [email protected]


About iSPIRT Foundation

iSPIRT (Indian Software Product Industry Round Table) is a technology think tank run by passionate volunteers for the Indian Software Product Industry. Our mission is to build a healthy, globally competitive and sustainable product industry in India.

For more, please visit www.ispirt.in or write to [email protected]


iSPIRT’s Official Response to the Draft Drone Rules 2021 from ProductNation/iSPIRT

Can digital currencies and crypto investors help close India’s SME financing gap?

The internet connected the average Indian to millions of sources of information. Could crypto protocols connect Indians to millions of sources of capital?

To achieve its goal of a five trillion dollar economy by 2025, India needs to close an enormous financing gap for its small and medium-size enterprises (SMEs). It already has important assets with which to attract global capital: the youth of its population, the energy of its tech sector, the growth of its internet connectivity, and the rising acceptance of so-called informational collateral in lieu of traditional physical collateral. But what hasn’t yet been done is to integrate these assets into the new multi-trillion dollar cryptoeconomy, which may have the most risk-tolerant, internationally oriented, growth-seeking pool of investors in the world.

In this piece we begin by reviewing India’s need for SME and startup capital. We then tick through India’s existing assets, with particular focus on informational collateral, which combines the previously separate concepts of due diligence and physical collateral into an internet-friendly financing package. Finally, we discuss why global crypto investors could help meet India’s capital needs.

India’s need for SME and startup financing

India is home to more than 60 million businesses, 10 million of which have unique GST registration numbers, most of them SMEs. However, of the one trillion USD worth of total commercial lending exposure of the banking system, only ~25% of it is provided to SMEs, which are considered less creditworthy than larger corporates or multinationals. This has resulted in a financing gap estimated to be between 250-500 billion USD, where meritorious businesses without national profiles aren’t able to access the capital they need to finance their growth. India’s next trillion in GDP growth depends upon solving this problem, but the incumbent financial system may not have the resources to fix it alone. Despite ever-increasing bank branches, India’s legacy financial system is still slow, costly, and unwieldy for borrowers— in sharp contrast to the databases, online KYC systems and intelligent lending apps of new-age fintech companies. And in addition to this high cost of capital for MSMEs, India also has a low baseline level of financial inclusion.

The baseline issue is being partially addressed with low-frill Jan Dhan accounts, which are providing partial banking support for millions of previously excluded individuals. Many of these Jan Dhan accounts are held by small businesses, entrepreneurs, students and self-employed people in rural India, the same folks who are running India’s SMEs. But these accounts have only inflow data, with outflows typically in cash. Even though cash still plays a big role in the self-organized and informal sectors, it’s not easy to provide business-related financing in cash. The so-called JAM trinity (Jan Dhan accounts, Aadhaar digital identities, and Mobile phones) offers a partial solution for this under-banked population, but it only supports what we might think of as consumer-grade applications like basic peer-to-peer payments and individual savings accounts. Access to capital sufficient to finance a business — a true measure of financial inclusion — is still not yet present for these low-income, mostly feature-phone possessing groups.

On the other end of the spectrum from rural SMEs are India’s tech startups. Over the last decade, India has broken into the ranks of global technology and is now the #3 generator of unicorns in the world. Supportive governmental policies, combined with a young, creative, and aspirational workforce has helped reimagine large swathes of the economy including diverse industries such as e-commerce, logistics, SAAS, education, food, healthcare etc. This rise has attracted global equity and loan-funds that could in turn help many start-ups become world beating players in their respective domains. But the startup sector is just as hungry for capital as the rural SMEs, and India’s startup economy is still somewhat disconnected from global venture capitalists and financial markets.

India’s assets: youth, growth, connectivity, and informational collateral

India does have assets with which to close the capital gap. It has a youthful population. It has a fast-growing economy, even given the setbacks of COVID-19. It has an enormous population of hundreds of millions of new internet users. And it has something new, which is the possibility of informational collateral as a sort of combination of traditional concepts of due diligence and physical collateral.

Specifically, the SME funding gap is most pressing for the Indian cash-flow businesses that don’t have the physical assets to take out loans, which are the mainstay of the current, hard-collateral-backed credit system.

One alternative is to use trustworthy digital records to ascertain whether a business is worthy of credit or equity investment. India’s Goods and Services Tax (GST) helps to address this by generating invoice and payment data in a format suitable for credit underwriting and risk analysis. The GST data also enables a small enterprise in a large value system to provide data and visibility across the supply chain; for example, one can track the progress of parts from a small parts supplier to an auto component manufacturer to a large passenger car maker all the way through to distributors, sub-dealers, and retail sales.

The digital version of an SME’s sales and purchase invoices ledger thus amounts to informational collateral on both the company and the larger ecosystem within which it sits, that could become the basis for extending credit, as an alternative to the hard asset or collateral-based financial system. This is similar to how Square Capital and Stripe Capital already function in the West.

In addition to credit-based financing, the trustworthy records furnished by GST’s informational collateral can also support equity or quasi-equity financing, to support growth without increasing debt. These might take the form of direct equity investments in small businesses, or even personal micro-equity investments in individual consultants or students. 

India’s innovation: use new pools of crypto capital to address long-standing financing needs

So, we understand that (a) Indian SMEs need capital, and that (b) IndiaStack’s UPI and Aadhaar can help GST generate informational collateral for potential investors and lenders.


Now the question arises: what class of investors is most willing to use this newfangled type of informational collateral to invest in potentially high-risk businesses outside of the proven venues of America, Europe, East Asia and the large Indian enterprises? Who are the most risk-tolerant, international, forward-looking, class of investors in the world — willing to risk millions of dollars purely on the basis of internet diligence alone?

It may turn out to be the new class of wealthy, globally-minded crypto investors. After all, the 10-year old cryptoeconomy is now worth trillions of dollars, there are more than a hundred million crypto holders around the world, and there are at least fifty crypto protocols valued over one billion dollars, a “unicoin” analog to the traditional tech unicorn. While still small in comparison to global capital markets, a sector worth $2T that is growing at more than 100% per annum could become a much larger piece of the global financial puzzle in short order. This is a new source of risk-tolerant digital capital that could flow into India to help close the SME financing gap, if we can make it an attractive proposition for the global investor.

Specifically, India could offer a viable path to deploy this new crypto wealth in a controlled manner, while solving for SME financial inclusion. Inflows of cryptocurrencies from KYC-ed investors through approved Indian and global exchanges can potentially be allowed into India for the purposes of enhancing SME access to low-cost global capital. GST-registered companies could, for instance, receive capital against their issued e-invoices and other information collateral in special accounts opened via a controlled conduit such as GIFT city, which is one of India’s favored bridges to international markets. The companies benefiting will need to explicitly consent to sharing their information and receiving funds into a new account at system-level while capturing cash flows against invoices for repayment. Inflows of global crypto-capital into Indian SMEs could also enable the rest of the credit system to migrate to informational collateral-based lending. And the special account could eventually be ported to a wallet backed by a national digital currency, such as the proposed digital rupee.

For more detail on this possibility, we invite your attention to Balaji S. Srinivasan’s companion piece on the subject, where he proposes to Add Crypto To IndiaStack. Balaji makes the case for crypto-powered extension of IndiaStack, which broadens IndiaStack from its current mostly domestic remit into an international platform for attracting capital from around the world. He describes several case studies by which the emerging world of decentralized finance or “defi” could help enrich the Indian economy, without competing with the digital rupee. For example, Indian startups could benefit from crypto crowdfunding, Indian SMEs as discussed could access global defi lending pools, and Indian students might even be funded with the emerging concept of personal tokens, like an equity-based version of microfinance. As the former CTO of  Coinbase, the $100B crypto goliath, and a former General Partner at Andreessen Horowitz, the $16B venture capital firm, Balaji’s proposals have technical and social support from the very class of investors we’d seek to attract. At least insofar as they relate to the issue of plugging the SME financing gap, we believe they deserve serious consideration by policymakers in India. 

In short, India has a unique opportunity to close the SME financing gap by attracting the new class of global crypto investors, by using everything the IndiaStack team has helped build over the last decade — particularly UPI, Aadhaar, GST, and the informational collateral they generate —  to help connect the trillion-dollar cryptoeconomy to capital-hungry Indian entrepreneurs.


The blog post is co-authored by Sanjay Phadke, Krishna V Iyer, Pankaj Gupta, Sanjay Jain, Sharad Sharma and Siddharth Shetty.

For any further queries, please write to [email protected]

iSPIRT’s Official Response to Non-Personal Data Governance Framework

A Committee of Experts under the Chairmanship of Shri. Kris Gopalakrishnan has been constituted vide OM No. 24(4)2019- CLES on 13.09.2019 to deliberate on Non-Personal Data Governance Framework. Based on the public feedback/suggestions, the Expert Committee has revised its earlier report and a revised draft report (V2) has been prepared for the second round of public feedback/suggestions. iSPIRT had provided a past response to the previous report and in this blog post contains a response to the revised report

At the iSPIRT Foundation, our view on data laws stems from the following fundamental beliefs: 

  1. Merits of a data democracy (that is, the user must be in charge)
  2. Competitive effects must be well understood, for creation of a level playing field amongst all Indian companies, and some ring-fencing must exist to protect against global data monopolies
  3. Careful design enables both high compliance and high convenience

It is with these perspectives that we have analyzed the revised Non-Personal Data report in our response.

Key Sources of Ambiguity in the NPD Report 

The key sources of ambiguity in the report are: 

  1. Purpose of techo-legal framework for Non Personal Data: The non personal data framework is meant to provide the right legal and technology foundations for world class artificial intelligence to be created out of India for the betterment of financial, health, and other socio-economically important services. The current version of the report sidesteps this completely by constraining the applicability to only “public good” purposes rather than taking a holistic approach to “business & public good purposes” 
  2. Data Business entities need a harmonised definition (given the interplay with data fiduciaries as proposed in the MeitY Personal Data Protection Bill) and clear incentives for participation. The current report relies excessively on regulation & processes for data businesses to achieve the outcome. 
  3. Institutional structure for Data Trustees: The report restricts Data Trustees to government agencies and non-profit organisations; however, in a domain consisting of fast evolving technology by excluding the private sector in offering the base infrastructure creates a severe limitation on the ecosystem of modellers that can be created. 
  4. Technology Architecture: The illustrated technology architecture is unclear around the public infrastructure (through the form of open standards, public platforms, and others) that need to be created & adopted to bring to life the non-personal data ecosystem in an accelerated manner. 

Conclusion

While we’re aligned with the vision of the committee, it’s critical that the above ambiguities are resolved in order to create a strong non-personal data ecosystem created in India. Till these ambiguities are resolved, the recommendations of the Report should not be operationalized.


For any press or further queries, please drop us an email at [email protected]

IGP (Innovative Growth Platform): The Capital Enabler

Two Cs are extremely critical for startups: Capital and Customers. In India, with a population of 1.3B, customers for B2C or B2B2C startups is not an issue. For B2B startups, although the market in India is promising, global markets are still very important.  Capital on the other hand is trickier. The total capital raised by startups India from 2010-2020 is around $100B. In the same period, startups in China have raised 4x and startups in the US have raised 10x the capital raised by startups in India. India needs to have a stronger mechanism to enable more Capital. There is a need to increase Capital availability in India.

IGP platform proposed by SEBI is a very refreshing initiative that aims to address the Capital issue. It provides another great avenue for startups looking to raise series B and beyond. This platform can double the available capital over the next 5 years. It addresses a key pain point of Capital availability for startups raising between INR 70 to INR 200 Cr. There is a chasm in this space- there are early-stage VC funds and there are PE funds for growth companies. However, there is not enough growth stage VC funds in India to fill this gap. IGP has the potential to be the platform to bridge this void.

The design of IGP has been very thoughtful with the key focus is on technology startups. The precursor to IGP was ITP (Institutional Trading Platform). Due to various reasons including the maturity of the startup ecosystem, the response to this platform was tepid. IGP addresses a few key pitfalls of ITP.

IGP restricts the listing to technology-focused companies with a proven Product-Market Fit and entering its growth phase. The revenue of the companies listing on this platform is expected to exceed INR 50 Cr. This will greatly help in mitigating the risk of listing by ensuring a good understanding of Product-Market Fit beforehand.

The governance issues are well balanced – protects the investor interests but at the same time provides enough flexibility for the founders to have control over strategy and execution. The companies listing on this platform cannot be burdened with the same rules of the public markets as they need to be very nimble. A balance between taking risks and moving fast with financial discipline as against governance practices such as quarterly reporting and stability is advised.

As in the case of investments in Alternative Investment Fund, the platform is selective about its investors. The companies listing on this platform need to operate as startups and not as mature companies. The risks are much greater with these companies and hence it is very critical to have investors who understand these risks and who can understand these nuances. 

M&As have been a key hurdle for startups in India. This is one of the key reasons for companies opting to flip. The platform is designed to simplify the process of M&As, post-listing. Simplifying the M&A process encourages corporates and PEs to participate on the platform. However, this spirit should be maintained in the implementation of the platform as well.  This is one of the critical success factors for the platform.

For the Indian startup ecosystem to become one of the major contributors to the economy, key policy changes are needed. IGP is one such platform that has the promise to increase capital availability significantly.  IGP has the added advantage of enabling exits for early stage investors. This increases the liquidity in the market that will further spur the startup ecosystem- a much needed virtuous cycle.

NASDAQ encouraged and enabled technology startups to list because of its adaptability and easier listing and governance guidelines. This accelerated technology startups in the US. IGP has the potential to be that platform in India. India can build products for the world and has the potential to be startup capital, but it needs a perfect storm of- Capital, Liquidity, Policy, Customers, and Entrepreneurs. IGP certainly has the promise to address the Capital and Liquidity aspects. Most importantly it enables Indian startups to stay in India!

When one door closes…

An inspiring effort in response to COVID-19

Last Tuesday, for the first time in recorded history, India pulled the emergency brakes on all of the complex interactions that make up the economy and society of 1.3 Billion Indians.

We’re going to see a lot more cascading effects of bringing almost all economic activity to a sudden and near-complete stop. Some of those effects are already visible and others will reveal themselves over time. One thing that’s easy to predict is that this disaster, like most others, will affect Bharat more than it does India.

However, at iSPIRT, we remain impatient optimists for Bharat. It does not suffice for our volunteers to simply predict the future; we want to help create it. When the lockdown hit, we could immediately see that the country’s messy supply chains would be hard-pressed to disentangle essential services from non-essential ones. On the very first day of the lockdown itself, you may have seen videos or news about the police using their lathis on innocent essential service providers like doctors.

This is undeniably tragic, but at its heart is an information and social trust issue inherent in India. When you distil the problem, it comes down to how does the administration identify those travelling for essential-services vs those who are not. Consider this, Swiggy and Zomato alone – who only work on the last mile of one category of food – claim to have a fleet of close to 500,000. For the entire supply chain, even restricted to essential items only, will require authorisations for millions of people and another few million vehicles.

So today, we’re announcing the release of an open-source tool called, ePass. ePass is a tool to help the administration issue digital lockdown passes. These e-Passes are secure and can be verified when needed. iSPIRT got this solution going from zero to launch in less than 4 days. In the following interview, Tanuj Bhojwani speaks with Sudhanshu Shekhar, who led the effort to build the tool and Kamya Chandra, who helped liaison with the Karnataka administration.

Tanuj Bhojwani: Hey Sudhanshu, let’s start with what e-Pass is?

Sudhanshu Shekar: Sure, so the objective is to make sure that those who are on the road providing essential services or regular citizens seeking them can face minimal friction from the authorities.

We imagine a simple 4-step flow

  1. Individuals, such as you or me, or businesses providing essential services, can apply for a pass.
  2. The administration sees these requests digitally, and can authorise them from the backend, either manually or via automated rules.
  3. People can download their digitally signed passes on their devices
  4. The on-ground personnel, such as the police, can verify the curfew pass is valid by scanning it.

We’ve built tools for each part of that flow.

When we started working with the administration, they gave another great suggestion. If the beat officers could provide pre-authenticated “tokens” – like a gift-code, we could make this process even more convenient for some essential service providers. For example, they could distribute tokens to all the informal businesses in a mandi in one go, helping bring the supply-chain back online that much faster.

Tanuj Bhojwani: And you’ve made this open-source. How can a local administration use this?

Kamya Chandra: Everything is a configuration. The administration will have to decide who the approving authorities are. An admin dashboard allows bulk uploads, approvals, tracking statistics of issued passes, etc. It also allows them to configure timings, the validity of the pass, which identity fields are required, etc.

And finally, they have to instruct their beat officers to download the verification app and use it.

Tanuj Bhojwani: so the local government hosts this themselves?

Sudhanshu Shekar: Yes, the governments need to host this themselves, either directly or through a service provider. As iSPIRT, we have only provided the code and will not be providing any managed services. Even the code is open-sourced for others to use and remix as they see fit.

Tanuj Bhojwani: iSPIRT doesn’t work with the Karnataka administration normally, so how did this all happen? How did the team come together?

Sudhanshu Shekar: Sharad called me at 8 pm Tuesday or Wednesday? Maybe it was 8 in the morning. I’m no longer sure. What’s a day anyway? *laughs*

Kamya Chandra: I want to interrupt here and say I am super impressed by Sudhanshu and the rest of the team. No matter how little sleep they got, they didn’t let it affect their judgement or mood. Their decisions were always geared towards what’s the best that’s needed.

Sudhanshu Shekar: Thank you. We’re all just doing what we can.

But basically, on Monday, as Karnataka started enforcing curfew, we realised that people are going to need curfew passes. We started kicking around the idea on Monday, but there was no team. The next night the PM announced a nation-wide lockdown. We knew this was going to be a problem everywhere.

On Wednesday, the Karnataka administration also got in touch with Sharad asking for a similar solution, and they made it clear they need the solution in two days.

Sharad called and said, “I’m going to ask you about something, and you’re going to want to do it, but be really sure and think about it. This is a hard project and has very tight timelines. Everybody will understand if you say no”.

Sharad was right, I did want to do it, so I said yes and immediately got to work. I reached out to several friends and iSPIRT volunteers for help and a few – namely Mayank, Manish, Vibhav, Mohit and Ashok – agreed to help. It was easy to convince everybody, given the importance of fighting COVID. Manish has a few friends in China and was very aware about the seriousness of this situation. We quickly agreed on the basic product outline and started working. Wednesday was a flurry of activity and we got frequent reviews done with the Administration.

We realised we needed an admin console for the police to manage pass issuance. None of us was really an expert in building front-end applications and therefore, I started making calls trying to find an expert. Through referrals, I managed to reach Vishwajeet at 12 pm. I spoke to him about the project, its importance and the strict timelines. I told him we’d fail without him!

Tanuj Bhojwani: So you called a guy you’ve never met and asked him to deliver a complex task, on a ridiculous deadline for no pay nor any certificate or recognition. How did he respond?

Sudhanshu Shekar: He called his office to take a holiday. Vishwajeet sat down, worked for 15 hours straight, and delivered before time!

Kamya Chandra: *laughs* I want to add that this team, which did not know each other, did sleep shifts – including Vishwajeet, who became a volunteer that afternoon. I remember Sudhanshu taking turns with the devs to sleep at night in 2-hour batches just to keep the engine going. I’d run demos with the administration for feedback in the morning, while they all got a little shut-eye. From afternoon, they’d repeat another day and night of development.

Tanuj Bhojwani: Wow, that’s a lot of effort, and what sounds like very little sleep! What was happening on the police end, Kamya? 

Kamya Chandra: Honestly, I went in with a negative impression of the police and administration – because all you see are videos of people being beaten. However, I was very impressed with the few people I was working with. They were very knowledgeable about the challenges they were going to face operationally. Also, it was obvious they were doing their best. The first call I got from them was at 11.45pm!

They made time for our demos, gave excellent, considered feedback on all of it that has definitely helped the product. For example, we added a quick and easy way to verify the ID alongside the QR, so that it can work even if the beat policeman verifying does not have a smartphone.

All of this was happening by a remote team in lockdown. I was in Delhi talking to officers in Karnataka. Other than Sudhanshu, I’ve never met any of the other volunteers! In every other organisation, this kind of a crisis response doesn’t happen as smoothly even if the team knows each other. Anywhere else, it would have been near impossible if the team didn’t know each other.

Tanuj Bhojwani: Oh! I assumed they were all from Bangalore?

Sudhanshu Shekar: No.

 Mayank is in Bundi, a small town in Rajasthan. Kamya is in Delhi. I’m in Indiranagar, Bangalore. Ashok, our design guy, is in Koramangala and Mohit – I have no idea where he stays – I have never met him *everyone laughs*

Kamya Chandra: Knowing everyone’s location is harder, we still don’t know full names! One of the volunteers who helped us test the security of the product was Sasi Ganesan. I spelt his first and last name wrong in the first email I sent to him! He still helped though. On the 4th day of working together, I needed everyone’s last names, I still only knew Sudhanshu’s and Sasi’s!

Compared to the places I’ve worked before, I was surprised to see Pramod send an email with such savage truths. That’s a great example of how radical candour works, why it is in direct opposition to corporate culture.

Tanuj Bhojwani: *laughs* What were the “savage truths” in this email?

Kamya Chandra: To be fair to Pramod, it was more surprising than savage. Pramod said DO NOT GO LIVE (in bold and underline) until security and related aspects weren’t complete. The contents weren’t particularly shocking, but that he sent it to all of us – including people he barely knew. There was no secrecy or pretending to be bigger than we are. All our failures were also publicly available to a team we’ve never worked with before or met. It’s quite a unique experience.

Sudhanshu Shekar: Yeah, we were planning on going live on Friday, and we knew we needed to do security testing before we went live. Pramod’s email was a good one, and all fair asks about security, usability and data retention. He connected us to another iSPIRT volunteer, Sasi Ganesan for help. Ten hours before the scheduled launch, Sasi wrote back with a list of tasks we must do BEFORE we go live. This Thursday night email doubled our todo list. Thankfully, we were able to pull in Bharat, Sireesha and a few others from Thoughtworks to help close these tasks But at the time it felt brutal, we realised this was going to be a very hard few hours.

Kamya Chandra: Yeah, I think this is around the time Rohit started helping us enhance our UX. To me, this email was a clear indication of the high bar every iSPIRT volunteer must meet. Tight timelines or urgent needs are not enough to excuse sloppiness. I am glad we have senior volunteers such as Pramod to keep the bar high.

Tanuj Bhojwani: But I believe this story has a twist?

Kamya Chandra: Well, we did the demos in time, and everyone seemed very impressed. Unfortunately, the Karnataka administration decided to go with someone else. Their decision to go with someone else was disappointing for us.

However, they are policymakers making scale decisions. They probably had to keep many balls in the air and have redundancy. It’s good they have backup plans for backup plans.

They handled it with grace and were very kind about it. They sent a thank you and a commendation letter to each of our volunteers. One of the senior lady officers asked me – do you only take techies? I do not have a computer science degree, but I want to volunteer!

I told her I was an economist too and that she should definitely volunteer.

Sudhanshu Shekar: For me, the toughest part was when I heard the news that our work won’t be going live on Friday like I had promised all these guys. I was really sad. For about an hour, I tried to fight the decision, but then I realised that I would have to do the difficult thing and break the bad news to a bunch of volunteers who’ve slept less than 6 hours total in the last 72 hours.

What happened next is what surprised me the most about this whole thing.

All of them – every single one – took it so well! They all said something to the effect of working on a solution with other volunteers felt better than not working on one and worrying about the lockdown.

I thought this is the end of the line, but it was they who cheered me up and suggested we should open-source it. I was hoping to tell the volunteers to get some rest. Instead, these guys were so passionate that they worked for a couple more days to complete the documentation, which is why we were able to launch ePass today!

Tanuj Bhojwani: Wow. That’s quite a lot of team-spirit for a team that has never even met! So what happens now that this is open-source? How do you expect it will get traction?

Kamya Chandra: The decision to open-source paid off! Even though Karnataka didn’t take ePass, the officers messaged their batchmates and told them about what the volunteers did.

Sudhanshu Shekar: Now, we have demos scheduled with several other state governments as well as a few national ministries. We think this could be live in at least a couple of places soon.

Tanuj Bhojwani: That sounds like a fairy tale ending. Do you have any advice for anyone who is reading this and wants to volunteer?

Kamya Chandra: I used to work at the World Bank in DC, and we were trying to implement national-level digital systems in many countries. When we had technical challenges there, I was often told to get on a video call with iSPIRT volunteers for guidance and inputs. The more I interacted with them, the more I realised there is magic here to learn from. So I gave up my diplomatic passport and got on a plane to Bangalore!

So my advice is that you should try volunteering even if you’re many, many oceans away!

Sudhanshu Shekar: *laughs* I have a more straightforward test than Kamya’s for those who want to volunteer. These are also the three reasons I volunteer.

First, Societal Impact. You feel useful because you get to work on something that genuinely helps people.

Second, exposure to a wide variety of topics – such a different set of problems – you don’t exactly stick to your lane. Hence, you also meet people with very diverse backgrounds and work experiences. Because my peers are not age-bracketed with me, I feel like there are many lessons that I usually would’ve learned in ten years of my career, I’ve learned already at iSPIRT. 

Third, you draw energy from others’ passion. It’s just amazing to go to work with people like this every day. I’ve realised iSPIRT is a self-selecting group – it’s only the people who seek to find it, find it. It is not easy to be a volunteer, because the environment is open and the volunteers are self-driven, people will clearly be able to see if you can walk the talk. When you have people respected in a system not for who they are, but what they do, it is magical for everyone.

Tanuj Bhojwani: That is very true. Thank you for the chat!

Like Sudhanshu says, Volunteering at iSPIRT is hard and definitely not for everyone. However, if one or more of these reasons resonate with you, you should read the volunteers handbook to learn more about balloon volunteering.

Union Budget 2020 – iSPIRT Recommendations

India is among the top startup ecosystems in the world with home to 50,000+ startups and 3,500+ funded startups growing at a rapid pace at 30 per cent. While the future outlook of the Indian startup ecosystem is definitely promising, further accelerated growth can happen only if the government introduces more startup-friendly policies, other than the existing support under ‘Startup India’.

With Budget 2020 less than two months away, the startup ecosystem is hoping to get a major boost with respect to the following measures:

  • Improve ease of doing business for startups.
  • Attract domestic and foreign investors.
  • Increase working capital flow for startups.

iSPIRT has made a 13-point recommendation list for Budget 2020 with respect to the above-mentioned measures:

1. Remove the TDS payment for DPIT registered Startups

Currently, payments to DPIT registered startups are subject to Tax Deduction at Source (TDS) of 10% under section 194J. It takes at least 1-2 years for startups to get refunds after filing of their returns, which blocks their working capital for that time period. 

2. Harmonise the Tax Rate and Holding Period between Listed and Unlisted Securities of Startups 

The higher holding period and higher tax rate disincentivise investments into startups from Indian sources. Globally, no such differentiation exists.

This recommendation seeks:

  • Reduction of the holding period for unlisted securities to 12 months from the current 24 months.
  • Levy of a lower tax rate of 10% on the sale of unlisted securities.
  • Removal of the “superrich” surcharge of 25%/37% on the sale of unlisted securities.

3. Change in the taxation of ESOPs for Startups:

The existing definition of Rule 3(8)(iii) of the Income Tax Rules, 1962 does not take into consideration the discrepancies in the determination of ‘Fair Market Value’.

The new recommendation seeks amendment to this rule as as per Rule 11UA(1)(c)(b), provided such fair market value shall not be less than the exercise price.”

4. Clarification on the February 19th, 2019 DPIIT circular on “Angel Tax” with regard to Form 2

This circular states that the exemption lapses in the case the startup has or will invest or conduct any of the activities below for a period of 7 years after investment, inter alia:

  • Make capital contributions to other entities, 
  • Make investments in shares and securities, 
  • Give loans and advances (except in the case of lending startups

The recommendation seeks an amendment to this notification

  • Extend the “business model” test applicable to all the other investments mentioned in Form 2 to all points mentioned therein
  • Allow Startups to make Loans and Advances in the ordinary course of business provided that the PAN of the recipient is reported
  • Allow startups to invest into shares and securities and make capital contributions provided that such downstream investments do not make further investments into any of the other points listed in Form 2

5. Allow for AIF expenses to be capitalised/passed-through

Expenses of an AIF can add up to up to 25%-30% of its corpus during the lifetime of a scheme, making a large chunk of the fund is a “dead-loss”.

The new recommendation seeks AIF expenses to be capitalised as the Cost of Acquisition or allowed to be set off against the income.

6. Classification of securities held by AIFs as Capital Assets by amending section 2(14) of the Income Tax Act, 1961.

There is still friction between the startups, investors and income tax department with respect to taxation of short-term gain from the sale of securities under AIF.

The new recommendation seeks an amendment to Section 2(14) as “any securities held by a Foreign Institutional Investor or AIF which has invested in such securities in accordance with the regulations made under the SEBI. 

7. Pass-Through Status for CAT III AIFs

Unlike CAT I and CAT II AIFs, CAT III AIFs do not have pass-through tax status, rendering their income to be taxed at the maximum marginal rate for their income earned, regardless of the tax status of the underlying investor.

The new recommendation seeks an amendment to Section 115UB and Section 10(23FBA) by including CAT III AIFs.

8. Allow Universities and Public Trusts to invest in AIFs

Currently, investments are allowed in SEBI registered Mutual Funds or notified Mutual Funds set up by a public sector bank or a public sector financial institution.

The new recommendation seeks an amendment to this section to include ‘Units of an Alternative Investment Fund registered with the Securities and Exchange Board of India”

9. Notify all SEBI registered AIFs as “long-term specified assets” under section 54EE

Section 54EE was introduced on April 1, 2016, to give capital gains exemption of Rs 50 lakhs for any gains invested into “long-term specified assets”, defined as “a unit or units, issued before the 1st day of April 2019, of such fund as may be notified by the Central Government in this behalf

So far, the Central Government hasn’t notified any such funds, so no tax-payer has been able to avail of this benefit.

The new recommendation seeks issuance of a Central Government notification to notify all SEBI registered AIFs as “long-term specified assets” under section 54EE and announce measures to extend this to April 1, 2025.

10. Time-bound response from the Inter-Ministerial Board (IMB) and allowing all startups to reapply

The IMB has not been effective yet in timely responses to startups.

The new recommendation proposes DPIIT to issue a notification stating that:

  • IMB will respond in 60 days from the date of submission by the Startup.
  • Startups who were denied IMB recognition prior to February 19th, 2019 can re-apply for IMB recognition once again under the new criteria.

11. Exempt Software product Companies from Softex

Software product exporters are required to file SOftex form to report the inward remittance on export invoices in convertible foreign currency. However, Software products have a publicly listed MRP/List price and hence do not require any valuation.

The new recommendation seeks RBI to exempt software product companies from filing Softex and create a separate category of Purpose code for disposal of inward remittances by authorised dealers.

12. Creation of aHSN code for Software Product Startups

Under the GST regime, all IT Software has been treated as “Service”.  Yet, there exists HSN codes and SAC codes both. 

It is recommended that an HS code classification for specific categories can be issued using the last 2 digits (first 6 Digits being defined under international system). 

13. R&D Credits for Software Product Companies 

As startups and young software product companies don’t have taxable profits, they are unable to take advantage of current R&D tax benefits that involve setting off R&D expenses against taxable profits. To overcome this limitation, they should be allowed a deferred tax credit for up to 7 years after the R&D investment.

You can read about Budget Representation 2020 in detail here.

Indian Software Product Registry – All That Product Companies Need to Know

Earlier this year, National Policy on Software Products was rolled out to create a robust, participatory framework to bring together industry, government and academia on a common platform to make India as a global hub for software products development. This is a much-needed initiative to provide holistic and end-to-end support to the Indian software product ecosystem. The registry is the first step among many towards solving the real problems of the industry and nurturing the software product companies. If done right, this initiative will have immense potential and far-reaching impact to benefit the industry.

Under this policy, one of the key initiatives is the set-up of the Indian Software Product Registry (ISPR) through industry ownership. It is a collaborative platform which will act as national coordination, facilitation and inter-connected centre for all activities related to the Indian software product ecosystem.

The main purpose of this policy is to focus towards the promotion of Indian software products which are defined as under for implementation:

  • Indian Company: As per sub-section 26 of section 2 of the Income Tax Act, 1961, “Indian company” means a company formed and registered under the Companies Act, 1956 or Companies Act, 2013,  provided that the registered office or, as the case may be, principal office of the company, corporation, institution, association or body in all cases is in India.
  • Indian Software Product Company (ISPC):  An ISPC is defined as an Indian company in which 51% or more shareholding is with Indian citizen or person of Indian origin and is engaged in the development, commercialisation, licensing and sale /service of software products and has IP rights over the software product(s).

ISPR aims to create a platform to enable discovery of Indian Software Product Companies and their products while simultaneously giving automatic access to the Government e-Marketplace (GeM) platform. This will enable the government to identify Indian companies as part of their buying process. However, more work on specific allocation of government buying and redeveloping of RFP’s in government for products will also be initiated so that the government can finally buy Indian products.

Secondly, by listing on exchange on ISPR will enable MEITY to get a better understanding of the industry so that specific product-related interventions like recurring payments for SaaS companies, credits for R&D to enable Indian companies to invest in research and development, and facilitation of Indian software product industry for providing fiscal incentives, if any, at a later stage among others will also be achieved.

Thirdly, ISPR will also enable Indian Software Product Companies to list their products here and connect to buyers across the world. Since this is a government-backed platform, it provides a high level of trust and authenticity in the global market. 

Indian Software Product Companies can register here.  For any more queries, please feel to reach out on [email protected].

Angel Tax Notification: A Step In The Right Direction, But More Needs To Be Done

There have been some notifications which have come out last week, it is heartening to see that the government is trying to solve the matter. However, this is a partial solution to a much larger problem, the CBDT needs to solve for the basic reason behind the cause of Angel Tax (Section 56(2)(viib)) to be able to give a complete long-term solution to Indian Startups.

While the share capital and share premium limit after the proposed issue of share is till 10 crores and helps startups for their initial fundraising, which is usually in the range of Rs 5-10 Cr. Around 80-85% of the money raised on LetsVenture, AngelList and other platforms by startups is within this range, but the government needs to solve for the remaining 15-20% as startups who are raising further rounds of capital, which is the sign of a growing business, are still exposed to this “angel tax”. Instead, the circular should be amended to state that Section 56(2)(viib) will not apply to capital raises up to Rs 10 Cr every financial year provided that the startups submit the PAN of the investors.

The income criteria of INR 50 lakhs and net worth requirement of INR 2 crores is again a move by the government that requires further consideration for the investing community. Therefore, to further encourage investments by Angels or to introduce new Angels to the ecosystem, there is a need to look towards a reduced income criterion of INR 20 Lakhs or a net worth of INR 1 crore, enabling more investors for a healthier funding environment. We also, need to build a mechanism to facilitate investments by corporates and trusts into the startups.

Most importantly, any startup who has received an assessment order under this section should also be able to for the prescribed remedies and submit this during their appeal. They should not be excluded from this circular since its stated scope is both past and future investments. The CBDT should also state that the tax officers should accept these submissions during the appeals process and take it into consideration during their deliberation.

So, to summarise:

  • Section 56(2)(viib) should not apply to any investment below Rs 10 crore received by a startup per year or increase the share premium limit to Rs 25 Crores, from Indian investors provided that the startup has the PAN of the investors
  • Section 56(2)(viib) should not apply to investors who have registered themselves with DIPP as accredited investors, regardless of the quantum of investment
  • The threshold stated should be either a minimum income of Rs 25 lakhs or a net worth of at least Rs 1 crore
  • Any startup who has received an assessment order should be able to seek recourse under this circular during their appeal

Through this circular, the government has reaffirmed its commitment to promoting entrepreneurship and startups in India. With these suggestions, the spectre of the “angel tax” will end up as a footnote in the history of the Indian startup ecosystem.

We look forward to the early resolution of these pending matters. For any suggestions, Do write to us [email protected]

The article is co-authored with Siddarth Pai, Policy Expert – iSPIRT Foundation and Founding Partner – 3one4 Capital.

White Paper On Section 56(2)(viib) And Section 68 And Its Impact on Startups In India

Angel Tax (Section 56(2)(viib)) has become a cause celebre in Indian startup circles due to its broad-reaching ramifications on all startups raising capital.

This paper traces the origin of this section, it’s analysis, impact, how it adversely affects startups. Special mention is also made of the seldom covered Section 68 and it’s used in conjunction with Section 56(2)(viib). The paper also proposes recommendations to ensure that genuine companies are not aggrieved by this while the original intent of the section is preserved.

For any support or query, please write to us at [email protected]

iSPIRT Final Comments on India’s Personal Data Protection Bill

Below represents iSPIRT’s comments and recommendations on the draft Personal Data Protection Bill.  iSPIRT’s overall data privacy and data empowerment philosophy is covered here.  

Table of Contents

Major Comments
1. Include Consent Dashboards
2. Financial Understanding and Informed Consent for all Indians
3. Data Fiduciary Trust Scores Similar to App Store Ratings
4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data
5. Warn of Potential Credit and Reputation Hazards
6. A Right to View and Edit Inferred Personal Data
7. Sharing and Processing of Health Data

Suggestions and Questions

  • Fund Data Rights Education
  • Limit Impact Assessment Requirement
  • Passwords should be treated differently than other Sensitive Personal Data.
  • Does the Bill intend to ban automatic person-tagging in photos and image search of people?
  • Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.
  • Need for an Authority appeal process when data principal rights conflict
  • Do not outlaw private fraud detection
  • Limit record keeping use and disclosure to the Authority and the company itself.
  • Fillings may be performed digitally
  • Request for Definition Clarifications
  • Author Comments
  • Links
  • Appendix – Sample User Interface Screens

Major Comments

1. Include Consent Dashboards

We support the idea of a Consent Dashboard as suggested in the Data Protection Committee Report (page 38) and recommend it to be incorporated in the Bill in Section 26 – Right to Data Portability and Section 30 (2) Transparency.  

We envision all of a user’s personal and inferred data that is known by data fiduciaries (i.e. companies) being exposed on a consent dashboard, provided by a third party consent collector or account aggregator (to use the RBI’s parlance). Below is an example user interface:

This mandate would enable users to have one place – their consent collector-provided dashboard – to discover, view and edit all data about them. It would also allow users to see any pending, approved and denied data requests.

Furthermore, in the event of data breaches, especially when a user’s password and identifier (mobile, email, etc) have been compromised, the breach and recommended action steps could be made clear on the consent dashboard.

Given the scope of this suggestion, we recommend an iterative or domain specific approach, wherein financial data is first listed in a dashboard limited to financial data and for its scope to grow with time.

2. Financial Understanding and Informed Consent for all Indians

We applaud the Bill’s Right to Confirmation and Access (Chapter IV, Section 24):

The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

That said, we’ve found in practice that it’s difficult to appreciate the implications of digital policies on users until real user interfaces are presented to end users and then tested for their usability and understanding. Hence, we’ve put together a set of sample interfaces (see Appendix) that incorporate many of the proposed bill’s provisions and our recommendations. That said, much more work is needed before we can confidently assert that most Indians understand these interfaces and what they are truly consenting to share.

The concepts behind this bill are complicated and yet important. Most people do not understand concepts such as “revocable data access rights” and other rather jargon-filled phrases often present in the discussion of data privacy rights. Hence, we believe the best practices from interface design must be employed to help all Indians – even those who are illiterate and may only speak one of our many non-dominant languages – understand how to control their data.

For example, multi-language interfaces with audio assistance and help videos could be created to aid understanding and create informed consent.  Toll-free voice hotlines could be available for users to ask questions. Importantly, we recognize that the interfaces of informed consent and privacy control need rigorous study and will need to evolve in the years ahead.

In particular, we recommend user interface research in the following areas:

  • Interfaces for low-education and traditionally marginalized communities
  • Voice-only and augmented interfaces
  • Smart and “candy-bar” phone interfaces
  • Both self-serving and assisted interfaces (such that a user can consensually and legally delegate consent, as tax-payers do to accountants).

After user interface research has been completed and one can confidently assert that certain interface patterns can be understood by most Indian adults, we can imagine that templated designs representing best practices are recommended for the industry, much like the design guidelines for credit card products published by US Consumer Financial Protection Bureau or nutritional labelling.

3. Data Fiduciary Trust Scores Similar to App Store Ratings

We support the government’s effort to improve the trust environment and believe users should have appropriate, easy and fast ways to give informed consent & ensure bad actors can’t do well. Conversely, we believe that the best actors should benefit from a seamless UI and rise to the top.

The courts and data auditors can’t be the only way to highlight good, mediocre and bad players. From experience, we know that there will be a continuum of good to bad experiences provided by data fiduciaries, with only the worst and often most egregious actions being illegal.

People should be able to see the experiences of other users – both good and bad – to make more meaningful and informed choices. For example, a lender that also cross-sells other products to loan recipients and shares their mobile numbers may not be engaging in an illegal activity but users may find it simply annoying.

Hence, we recommend that data fiduciary trust scores are informed with user-created negatives reviews (aka complaints) and positive reviews.

In addition to Data Auditors (as the Bill envisions), user created, public ratings will create additional data points and business incentives for data fiduciaries to remain in full compliance with this law, without a company’s data protection assessment being the sole domain of its paid data auditors.

We would note that crowd sourced rating systems are an ever-evolving tech problem in their own right (and subject to gaming, spam, etc) and hence, trust rating and score maintenance may be best provided by multiple market actors and tech platforms.

4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data

…so 3rd party actors and civil society can act on behalf of users.

A privacy framework will not change the power dynamics of our society overnight. Desperate people in need of money will often sign over almost anything, especially abstract rights. Additionally, individual citizens will rarely to be able to see larger patterns in the behaviour of lenders or other data fiduciaries and are ill-equipped to fight for small rewards on behalf of their community.  Hence, we believe that user ratings and complaint data about data fiduciaries must be made available in machine-readable forms to not only to the State but to third-parties, civic society and researchers so that they may identify patterns of good and bad behaviour, acting as additional data rights watchdogs on behalf all of us.

5. Warn of Potential Credit and Reputation Hazards

We are concerned about the rise of digital and mobile loans in other countries in recent years. Kenya – a country with high mobile payment penetration and hence like India one that has become data rich before becoming economically rich – has seen more than 10% of the adult population on credit blacklists in 2017; three percent of all digital loans were reportedly used for gambling. These new loan products were largely made possible by digital money systems and the ability of lenders to create automated risk profiles based on personal data; they clearly have the potential to cause societal harm and must be considered carefully.

Potential remedies to widespread and multiple loans are being proposed (e.g. real-time credit reporting services), but the fact that a user’s reputation and credit score will be affected by an action (such as taking out a loan), most also be known and understood by users. E.g. Users need to know that an offered loan will be reported to other banks and if they don’t pay they will be reported and unable to get other loans.

Furthermore, shared usage-based patterns – such as whether a customer pays their bills on time or buys certain types of products – must be available for review by end users.

6. A Right to View and Edit Inferred Personal Data

The Machine Learning and AI community have made incredible strides in computers’ ability to predict or infer almost anything. For example, in 2017, a babajob.com researcher showed the company could predict whether a job seeker earned more or less than Rs 12000 / month with more than 80% accuracy, using just their photo.  She did this using 3000 job seeker photos, 10 lines of code and Google’s TensorFlow for Poets sample code.  Note the project was never deployed or made publicly available.

As these techniques become ever more commonplace in the years to come, it’s reasonable to assume that public facing camera and sensor systems will be able to accurately infer most of the personal data of their subjects – e.g. their gender, emotional state, health, caste, religion, income – and then connect this data to other personally identifiable data such as a photo of their credit card and purchase history. Doing so will improve training data so that systems become even more accurate. In time, these systems – especially ones with large databases of labelled photos – like the governments’, popular social networks’ or a mall’s point of sale + video surveillance system – truly will be able to precisely identify individuals and their most marketable traits from any video feed.

Europe’s GDPR has enshrined the right for people to view data inferred about them, but in conjunction with the idea of a third party consent dashboard or Account Aggregator (in the RBI’s case), we believe we can do better.

In particular, any entity that collects or infers data about an individual that’s associated with an identifier such as an email address, mobile, credit card, or Aadhaar number should make that data viewable and editable to end users via their consent dashboard.  For example, if a payment gateway provider analyses your purchase history and infers you are diabetic and sells this information as a categorization parameter to medical advertisers, that payment gateway must notify you that it believes you are diabetic and enable you to view and remove this data. Google, for example, lists these inferences as Interests and allows users to edit them:

Using the Consent Dashboard mentioned in Major Comment 1, we believe users should have one place where they can discover, view and correct all personal and inferred data relevant to them.

Finally, more clarity is needed regarding how data gathered or inferred from secondary sources should be regulated and what consent may be required. For example, many mobile apps ask for a user’s consent to read their SMS Inbox and then read their bank confirmation SMSs to create a credit score. From our view, the inferred credit score should be viewable by the end user before it’s shared, given its personal data that deeply affects the user’s ability to gain usage of a service (in this case, often a loan at a given interest rate).

7. Sharing and Processing of Health Data

The Bill requires capturing the purpose for data sharing:

Chapter II, point 5:

“Purpose limitation.— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.”

In the healthcare domain, collecting the purpose for which the data is being shared might itself be quite revealing. For example, if data is being shared for a potential cancer biopsy or HIV testing, the purpose might be enough to make inferences and private determinations about the patient and say deny insurance coverage. On the other hand, stating high-level, blanket purposes might not be enough for future audits. A regulation must be in place to ensure the confidentiality of the stated purpose.  

The Bill has a provision for processing sensitive personal data for prompt action:

Chapter IV, point 21:

“Processing of certain categories of sensitive personal data for prompt action. — Passwords, financial data, health data, official identifiers, genetic data, and biometric data may be processed where such processing is strictly necessary— (a) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal; (b) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or (c) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.”

While this is indeed a necessity, we believe that a middle ground could be achieved by providing an option for users to appoint consent nominees, in a similar manner to granting power of attorney. In cases of emergency, consent nominees such as family members could grant consent on behalf of the user. Processing without consent could happen only in cases where a consent nominee is unavailable or has not been appointed. This creates an additional layer of protection against misuse of health data of the user.

Suggestions and Questions

Fund Data Rights Education

We believe a larger, public education program may be necessary to educate the public on their data rights.

Limit Impact Assessment Requirement

Section 33 – Data Protection Impact Assessment —

  • Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section. …
  • On receipt of the assessment, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as may be issued by the Authority.

We believe that the public must be protected from egregious data profiling but this provision does not strike an appropriate balance with respect to innovation. It mandates that companies and other researchers must ask government permission to innovate around large scale data processing before any work, public deployments or evidence of harm takes place. We believe this provision will be a large hinderance to experimentation and cause significant AI research to simply leave India. A more appropriate balance might be to ask data fiduciaries to privately create such an impact assessment but only submit to the Authority for approval once small scale testing has been completed (with potential harms better understood) and large scale deployments are imminent.

Passwords should be treated differently than other sensitive personal data.

Chapter IV – Section 18. Sensitive Personal Data. Passwords are different than other types of Sensitive Personal Data, given that they are a data security artifact, rather than a piece of data that is pertinent to a person’s being. We believe that data protection should be over-ridden in extraordinary circumstances without forcing companies to provide a backdoor to reveal passwords. We fully acknowledge that it is useful and sometimes necessary to provide backdoors to personal data – e.g. one’s medical history in the event of a medical emergency – but to require such a backdoor for passwords would likely introduce large potential security breaches throughout the entire personal data ecosystem.  

Does the Bill intend to ban automatic person-tagging in photos and image search of people?

Chapter I.3.8 – Biometric Data – The Bill defines Biometric Data to be:

“facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;”

The Bill includes Biometric Data in its definition of Sensitive Personal Data (section 3.35) which may only be processed with explicit consent:

Section 18. Processing of sensitive personal data based on explicit consent. — (1) Sensitive personal data may be processed on the basis of explicit consent

From our reading, we can see a variety of features available today around image search and person tagging being disallowed based on these provisions. E.g. Google’s image search contains many facial images which have been processed to enable identification of natural persons. Facebook’s “friend auto-suggestion” feature on photos employs similar techniques. Does the Bill intend for these features and others like them to be banned in India? It can certainly be argued that non-public people have a right to explicitly consent before they are publicly identified in a photo but we feel the Bill’s authors should clarify this position. Furthermore, does the purpose of unique identification processing matter with respect to its legality?  For example, we can imagine mobile phone-based, machine learning algorithms automatically identifying a user’s friends to make a photo easier to share with those friends; would such an algorithm require explicit consent from those friends before it may suggest them to the user?

Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.

Chapter IV – Section 25.4 – Right to correction, etc

Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.

We believe the mandate on a data fiduciary to notify all relevant entities of a personal data change is too great a burden and is better performed by a consent dashboard, who maintains which other entities have a valid, up-to-date consent request to a user’s data. Hence, upon a data change, the data fiduciary would update the consent dashboard of the change and then the consent dashboard would then notify all other relevant entities.

It may be useful to keep the user in this loop – so that this sharing is done with their knowledge and approval.

Need for an Authority appeal process when data principal rights conflict

Section 28.5 – General conditions for the exercise of rights in this Chapter. —  

The data fiduciary is not obliged to comply with any request made under this Chapter where such compliance would harm the rights of any other data principal under this Act.

This portion of the law enables a data fiduciary to deny a user’s data change request if it believes doing so would harm another data principal. We believe it should not be up to the sole discretion of the data fiduciary to determine which data principal rights are more important and hence would like to see an appeal process to the Data Protection Authority made available if a request is refused for this reason.

Do not outlaw private fraud detection

Section 43.1 Prevention, detection, investigation and prosecution of contraventions of law

(1) Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.

We worry the above clause would effectively outlaw fraud detection research, development and services by private companies in India. For instance, if a payment processor wishes to implement a fraud detection mechanism, they should be able to do so, without leaving that task to the State.  These innovations have a long track record of protecting users and businesses and reducing transaction costs. We recommend a clarification of this section and/or its restrictions to be applied to the State.

Limit record keeping use and disclosure to the Authority and the company itself.

Section 34.1.a. Record – Keeping –

The data fiduciary shall maintain accurate and up-to-date records of the following

(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;

We expect sensitive meta-data and identifiers will need to be maintained for the purposes of Record Keeping; we suggest that this Record Keeping information be allowed but its sharing limited only to this use and shared only with the company, its Record Keeping contractors (if any) and the Authority.

Fillings may be performed digitally

Section 27.4 – Right to be Forgotten

The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.

The Bill contains many references to filing an application;  we’d suggest a definition that is broad and includes digital filings.

This also applies to sections which include “in writing” – which must include digital communications which can be stored (for instance, email).

Request for Definition Clarifications

What is “publicly available personal data”?

  • Section 17.2.g – We believe greater clarity is needed around the term “publicly available personal data.“ There questionably obtained databases for sale that list the mobile numbers and addresses of millions of Indians – would there thus be included as a publicly available personal data?
  • We’d recommend that DPA defines rules around what is publicly available personal data so that it is taken out of the ambit of the bill.  
  • The same can be said for data where there is no reasonable expectation of privacy (with the exception that systematic data collection on one subject cannot be considered to be such a situation)

Clarity of “Privacy by Design”

Section 29 – Privacy by Design

Privacy by Design is an established set of principles (see here and in GDPR) and we would like to see the Bill reference those patterns explicitly or use a different name if it wishes to employ another definition.

Define “prevent continuing disclosure”

Section 27.1 – Right to be Forgotten

The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary…

We request further clarification on the meaning of  “prevent continuing disclosure” and an example use case of harm.

Define “standard contractual clauses” for Cross-Border Transfers

Section 41.3.5 – Conditions for Cross-Border Transfer of Personal Data

(5) The Authority may only approve standard contractual clauses or intra-group schemes under clause (a) of sub-section (1) where such clauses or schemes effectively protect the rights of data principals under this Act, including in relation with further transfers from the transferees of personal data under this subsection to any other person or entity.

We would like to standard contractual clauses clearly defined.

Define “trade secret”

Section 26.2 C – Right to be Forgotten

compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

We request further clarification on the meaning of  “trade secret” and an example of the same.

Author Comments

Compiled by iSPIRT Volunteers:

  • Sean Blagsvedt – sean _@_ blagsvedt.com
  • Siddharth Shetty – siddharth _@_ siddharthshetty.com
  • Anukriti Chaudharianukriti.chaudhari _@_ gmail.com
  • Sanjay Jain – snjyjn _@_ gmail.com

Links

Comments and feedback are appreciated. Please mail us at [email protected].

Appendix – Sample User Interface Screens

Link: https://docs.google.com/presentation/d/1Eyszb3Xyy5deaaKf-jjnu0ahbNDxl7HOicImNVjSpFY/edit?usp=sharing

******

Policy Hacks On India’s Digital Sky Initiative 1.0

On August 27, 2018, India announced its much-awaited Civil Aviation Regulations (CAR) for drones. The new CAR had many improvements on the original draft published last year, but most important was the introduction of Digital Sky, a technology platform that would handle the entire process of regulating the registration and permissions for all Remotely Piloted Aircraft Systems above the nano category, i.e. any remote controlled or automated flying object – multi-rotor or fixed-wing, electric or IC-engine. These set of regulations along with the announcement of Digital Sky drone policy represent the government’s “Drone Policy 1.0”.

What this policy isn’t?

From the outset, one of the largest criticisms of the draft was its seeming omission of beyond visual line of sight flights, as well as those of fully-autonomous operations. Combined with a ban on delivery of items, it would seem like the government is pre-emptively clamping down on some of the most promises of Unmanned Aerial Vehicles before they even begin.

But on close inspection, the Ministry of Civil Aviation has made an interesting & what looks to be a promising decision in naming this policy as “1.0”. Through the various public comments made by the Minister of State for Civil Aviation, Jayant Sinha, it can be gathered that there is a phased-approach being adopted for the planning and implementation of the government’s strategy for unmanned aerial vehicles.

The more complex commercial operations will be rolled out atop the digital platform, allowing the government to test the waters before allowing potentially risky operations.

At iSPIRT, we appreciate this data-driven, innovation-friendly yet safety-first approach that has been inherent to all of civil aviation.

What does the policy say?

The policy lays out a general procedure for registering, and taking permissions to fly for every type of remotely piloted aircraft system (RPAS). A good summary of the regulations themselves, what you need to fly, what you can and cannot do is given here. We will be focussing this blog post on demystifying Digital Sky and the surrounding technology – How it works, what it does and what should private players be doing about it.

What is Digital Sky?

Digital Sky is essentially a barebones Unmanned Aircraft Traffic Management system. An Unmanned Traffic Management is to drones what ATC is to aircraft. Most countries are looking to external UTM providers to build and run this digital enabling infrastructure. The government of India, in continuing its digital infrastructure as public goods tradition, has decided to build and run its own UTM to ensure that this critical infrastructure system remains committed to interoperability and is free from the risks of vendor capture in the long run. Digital Sky is the first version of such a UTM for managing drone flights in both controlled as well as uncontrolled airspaces.

For consumers, Digital Sky essentially constructed of three layers. The three layers are Online Registrations, Automated Permissions and Analytics, Tracking and Configurable Policies.

Online Registrations are the layers that onboard operators, pilots, RPAS and manufacturers on to the Digital Sky Platform. It will be a fully digital process, and applicants can track their applications online. All registered users will have an identity number, including the RPAS, which will get a Unique Identification Number (UIN). There is a private key attached to the UIN allowing the drone to prove it is who it claims to be through digital signatures.

Automated Permissions is the transaction layer that digitizes the process of seeking airspace clearance. Using Open APIs or a portal provided by the government, drones can directly seek permissions by specifying the geographic area, time of operations & pilot registration id, signed with the UIN of drone. In response to the API call or portal request, an XML file digitally signed by the DGCA is generated. This XML response is called the Permission Artefact.

All RPAS sold in India under the new policy must carry firmware that can authenticate such a Permission Artefact. Further, they must confirm that the flight parameters of the current mission match those given in the authenticated Permission Artefact. If these parameters do not match, the RPAS must not arm. This condition is referred to simply as No Permission, No Takeoff or NPNT. Thus, the requirement is that any RPAS (except nano) operated in India should be NPNT compliant. We will cover what it means to be NPNT compliant in part two of this series.

To deal with areas of low connectivity, this authenticated request can be carried prior to the flight itself, when connectivity is available. The Permission Artefact can be stored, carried and read offline by an NPNT-compliant RPAS with a registered UIN. Thus flight operations in remote or low-connectivity areas will not be severely impacted. While this seems tedious, it promises to be a lot easier than the draft regulations, which required the filing of flight plans 60 days in advance.

Digital Sky will classify all existing airspace into three colour-coded zones: Green Zones are where drones are pre-authorized to fly, but must still obtain a permission artefact to notify the local authorities of their intent to fly. On applying for permission, a permission artefact is returned instantly. Red Zones are where drone operations are forbidden from taking place. This includes areas such as airports, borders and other sensitive areas. Amber Zones are areas restricted by appropriate reasons as mentioned in the CAR where additional permissions are required. These requests are also initiated and managed through the Digital Sky Platform

Analytics, Tracking & Configurable (ATC) Policies is a shorthand for the regulatory functions that the DGCA will carry out to regulate the use of airspace by unmanned aircraft. It involves functions such as the classification of Red, Amber & Green zones, deconfliction of overlapping flights, incident response, etc.

The MoCA has articulated its desire for an ecosystem-driven approach to building out the drone industry. From an earlier draft of the No Permission No Takeoff technical document shared with manufacturers, it is expected that this layer of Digital Sky will be opened up to private players labelled as Digital Sky Service Providers (DSPs). We will cover more about Digital Sky Service Providers in part three of this series.

Conclusion

Digital Sky appears to be a move towards a more data-driven, phased-approach to policy and regulation for emerging technology. It is a global first and offers a truly forward-looking approach compared to most other nations.

For operators, in the long term, a formal system leads to an eco-system of authorised players, increase in trust, and rise of a legitimate industry. 

Note:  We have been actively following the Digital Sky policy development, Intend to bring in Part two of this blog after an active role out and implementation starts.

Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products

‘Digital India’ is one of the flagship programmes of the Government of India (GoI) with an aim to transform the country into a digitally empowered economy. Given the massive push that the government is giving to this programme, some radical changes have taken place across the country at both the public as well as at the government level in terms of digitization. However, it is also a reality that the growing digitization has increased vulnerability to data breaches and cyber security threats.

According to the Indian Computer Emergency Response Team (CERT-In), more than 22,000 Indian websites, including 114 government portals were hacked between April 2017 and January 2018, including the Aadhaar data leak in May 2017. These incidents clearly emphasized a strong need for cyber security products to tackle the threat to India’s digital landscape. In fact, last year, the Union Ministry of Electronics & Information Technology (MeitY) had directed all ministries to spend 10% of their IT budgets on cyber security and strengthen the Government’s IT structure in the wake of cyber threats.

Now, in order to be prepared for cyber breaches, the government entities need sophisticated security products and solutions. Currently, there is a heavy reliance on the foreign manufacturers to source these products as there are a handful of domestic players operating in this space. MeitY had issued a draft notification in June 2017 stating its preference to procure domestic cyber security products and give further impetus to the government’s flagship programme ‘Make in India’, thereby also boosting income and employment in the country.

The good news is that now the government has mandated ‘Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products’ policy which was released on July 2, 2018. With this policy in place, the local manufacturers will get the much required clarity and support to produce cyber security products. As the participation of domestic players increases in the cyber security industry, it will not only make the digital economy stronger and safer for the nation, but also enhance the ability of the suppliers to compete at a global business level. At the same time, it will also give an opportunity to foreign players to invest in the Indian cyber security product manufacturers which in turn will enable India to channel more FDI into the economy.

Let’s take a look at the key highlights of this policy are:

What is the objective?

Cyber Security being a strategic sector, preference shall be provided by all procuring entities to domestically manufactured/produced cyber security products to encourage ‘Make in India’ and to promote manufacturing and production of goods and services in India with a view to enhancing income and employment

Who are the procuring entities?

Ministry or department or attached or subordinate office of, or autonomous body controlled by the Government of India (GoI) which includes government companies.

Who qualifies to be a ‘local supplier’ of domestically manufactured/produced cyber security products?

A company incorporated and registered in India as governed by the applicable Act (Companies Act, LLP Act, Partnership Act etc.) or startup that meets the definition as prescribed by DIPP, Ministry of Commerce and Industry Government of India under the notification G.S.R. 364 (E) dated 11th April 2018 and recognized under Startup India initiative of DIPP.

 AND

Revenue from the product(s) in India and revenue from Intellectual Property (IP) licensing should accrue to the aforesaid company/startup in India.

How big is the government opportunity?

There is a huge government opportunity waiting to be leveraged, especially because MeitY had asked all ministries to spend 10% of their IT budgets on cyber security.

What are the key benefits of the policy to the local supplier?

The main benefits of the policy that local suppliers can avail are:

  • Procurement of goods from the local supplier if the order value is Rs.50 lacs or less.
  • For goods that are divisible in nature and the order value being more than Rs.50 lacs, procurement of full quantity of goods from the ‘local’ supplier if it is L1 (refer the note below). If not, at least 50% procurement from the local supplier subject to the local suppliers’ quoted price falling within the margin of purchase preference.
  • For goods that are not divisible in nature and the order value being more than Rs50 lacs, the procurement of the full quantity of goods from the local supplier if it is L1. If not, then the local supplier will be invited to match the L1 bid and the contract will be awarded to the local supplier on matching the L1 price.
  • The cyber security products notification shall also be applicable to the domestically manufactured/produced cyber security products covered in turnkey/system integration projects. In such cases the preference to domestically manufactured/produced cyber security products would be applicable only for the value of cyber security product forming part of the turnkey/ system-integration projects and not on the value of the whole project.

Note: L1 means the lowest tender or lowest bid or lowest quotation received in a tender, bidding process or other procurement solicitation as adjudged in the evaluation process as per the tender or other procurement solicitation.

How do I get my cyber security product listed to start getting the benefits of this policy?

You need to get your product evaluated and approved by the empowered committee of the government.

The ‘Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products’ policy is a commendable step in the direction of providing a robust leap to ‘Digital India’ and ‘Make in India’ programmes.

Get complete details about the policy here. You can also reach the author for more details @ [email protected]

About Author:

Ashish Tandon, Founder & CEO – Indusface

Ashish Tandon a first-generation entrepreneur with a rare combination of strong technology understanding and business expertise has successfully lead and exited several ventures in the areas of security, internet services and cloud based mobile and video communication solutions. Under his leadership as founder & CEO, Indusface a bootstrapped, fast growing and profitable company, has been recognized as an award-winning Application Security company with over 1000+ global customers and a multi-million $ ARR. He is also closely associated with the government and industry bodies of India in drafting of the various Software Product & Security related acts, regulations & policies. Connect with him on LinkedIn or Twitter.

Data Privacy and Empowerment in Healthcare

Technology has been a boon to healthcare. Minimally-invasive procedures have significantly increased safety and recovery time of surgeries. Global collaboration between doctors has improved diagnosis and treatment. Rise in awareness of patients has increased the demand for good quality healthcare services. These improvements, coupled with the growing penetration of IT infrastructure, are generating huge volumes of digital health data in the country.

However, healthcare in India is diverse and fragmented. During an entire life cycle, an individual is served by numerous healthcare providers, of different sizes, geographies, and constitutions. The IT systems of different providers are often developed independently of each other, without adherence to common standards. This fragmentation has the undesirable consequence of the systems communicating poorly, fostering redundant data collection across systems, inadequate patient identification, and, in many cases, privacy violations.

We believe that this can be addressed through two major steps. Firstly, open standards have to be established for health data collection, storage, sharing and aggregation in a safe and standardised manner to keep the privacy of patients intact. Secondly, patients should be given complete control over their data. This places them at the centre of their healthcare and empowers them to use their data for value-based services of their choice. As the next wave of services is built atop digital health data, data protection and empowerment will be key to transforming healthcare.

Numerous primary health care services are already shifting to smartphones and other electronic devices. There are apps and websites for diagnosing various common illnesses. This not only increases coverage but also takes the burden away from existing infrastructures which can then cater to secondary and tertiary services. Data shared from devices that track steps, measure heartbeats, count calories or analyse sleeping patterns can be used to monitor behavioural and lifestyle changes – a key enabler for digital therapeutic services. Moreover, this data can not only be used for monitoring but also for predicting the onset of diseases! For example, an irregular heartbeat pattern can be flagged by such a device, prompting immediate corrective measures. Thus, we see that as more and more people generate digital health data, control it and utilise it for their own care, we will gradually transition to a better, broader and preventive healthcare delivery system.

In this context, we welcome the proposed DISHA Act that seeks to Protect and Empower individuals in regards to their electronic health data. We have provided our feedback on the DISHA Act and have also proposed technological approaches in our response. This blog post lays out a broad overview of our response.

As our previous blog post articulates the principles underlying our Data Empowerment and Protection Architecture, we have framed our response keeping these core principles in mind. We believe that individuals should have complete control of their data and should be able to use it for their empowerment. This requires laying out clear definitions for use of data, strict laws to ensure accountability and agile regulators; thus, enabling a framework that addresses privacy, security and confidentiality while simultaneously improving transparency and interoperability.

While the proposed DISHA Act aligns broadly with our core principles, we have offered recommendations to expand certain aspects of the proposal. These include a comprehensive definition of consent (open standards, revocable, granular, auditable, notifiable, secure), distinction between different forms of health data (anonymization, deidentification, pseudonymous), commercial use of data (allowed for benefit but restricted for harm) and types and penalties in cases of breach (evaluation based on extent of compliance).

Additionally, we have outlined the technological aspects for implementation of the Act. We have used learnings from the Digital Locker Framework and Electronic Consent Framework (adopted by RBI’s Account Aggregator), previously published by MeitY. This involves the role of Data Fiduciaries – entities that not only manage consent but also ensure that it aligns with the interests of the user (and not with those of the data consumer or data provider). Data Fiduciaries only act as messengers of encrypted data without having access to the data – thus their prime task remains managing the Electronic Data Consent. Furthermore, we have highlighted the need to use open and set standards for accessing and maintaining health records (open APIs), consented sharing (consent framework) and maintaining accountability and traceability through digitally verified documents. We have also underscored the need for standardisation of data through health data dictionaries, which will open up the data for further use cases. Lastly, we have alluded to the need to create aggregated anonymised datasets to enable advanced analytics which would drive data-driven policy making.

We look forward to the announcement and implementation of the DISHA Act. As we move towards a future with an exponential rise in digital health data, it is critical that we build the right set of protections and empowerments for users, thus enabling them to become engaged participants and better managers of their health care.

We have submitted our response. You can find the detailed document of our response to DISHA Act below

Policy Hacks Session on GDPR & DEPA

Here are concerns and curiosity about European Union General Data Protection Regime (GDPR) and there is a related issue in India being covered under Data Empowerment and Protection Architecture (DEPA) layer of India Stack being vigorously followed at iSPIRT.

iSPIRT organised a Policy Hacks session on these issues with Supratim Chakraborty (Data Privacy and Protection expert from Khaitan & Co.), Sanjay Khan Nagra (Core Volunteer at iSPIRT and M&A / corporate expert from Khaitan & Co) and Siddharth Shetty (Leading the DEPA initiative at iSPIRT).

Sanjay Khan interacted with both Siddharth and Supratim posing questions on behalf of Industry.

A video of the discussion is posted here below. Also, the main text of discussion is given below. We recommend to watch and listen to the video.

GDPR essentially is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

Since it affects all companies having any business to consumer/people/individual interface in European Union, it will be important to understand this legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

Supratim mentioned in the talk that GDPR is mentioned on following main principles.

  1. Harmonize law across EU
  2. Keep pace with technological changes happening
  3. Free flow of information across EU territory
  4. To give back control to Individual about their personal data

Siddharth explained DEPA initiative of iSPIRT. He mentioned that Data Protection is as important as Data empowerment. What this means is that individual has the ability to share personal data based on one’s choice to have access to services, such as financial services, healthcare etc. DEPA deal with consent layer of India Stack.

This will help service providers like account aggregators in building a digital economy with sufficient control of privacy concerns of the data. DEPA essentially is about building systems so that individual or consumer level individual is able to share data in a protected manner with service provider for specified use, specified time etc. In a sense, it addresses the concern of privacy with the use of a technology architecture.

DEPA is being pursued India and has nothing to do with EU or other countries at present.

For more details on DEPA please use this link here http://indiastack.org/depa/

Sanjay Khan poses a relevant question if GDPR is applicable even on merely having a website that is accessible of usable from EU?

Supratim explains, GDPR applicable, if there is involvement of personal data of the Data subjects in EU. Primarily GDPR gets triggered in three cases

  1. You have an entity in EU,
  2. You are providing Goods and services to EU data subjects whether paid for or not and
  3. If you are tracking EU data subjects.

Many people come in the third category. The third category will especially apply to those websites where it is proved that EU is a target territory e.g. websites in one of the European languages, payment gateway integration to enable payments in EU currency etc.

What should one do?

Supratim, further explains that the important and toughest task is data management with respect to personal data. How it came? where all it is lying? where is it going? who can access? Once you understand this map, then it is easier to handle. For example, a mailing list may be built up based on business cards that one may have been collected in business conferences, but no one keeps a track of these sources of collections. By not being able to segregate data, one misses the opportunity of sending even legitimate mailers.

Is a data subject receives and gets annoyed with an obnoxious email in a ‘subject’ that has nothing do with the data subject, the sender of email may enter into the real problem.

Siddharth mentioned that some companies are providing product and services in EU through a local entity are shutting shops.

Supratim, mentions that taking a proper explicit and informed consent in case of email as mentioned GDPR is a much better way to handle. He emphasised the earlier point of Data mapping mentioned above, on a question by Sanjay khan. Data mapping, one has to define GDPR compliant policies.

EU data subjects have several rights, edit date, port data, erase data, restrict data etc. GDRP has to be practised with actually having these rights enabled and policies and processed rolled out around them. There is no one template of the GDPR compliant policies.

Data governance will become extremely important in GDPR context, added Siddharth. Supratim added that having a Data Protection officer or an EU representative may be required as we go along in future based upon the complexity of data and business needs.

Can it be enforced on companies sitting in India? In absence of treaties, it may not be directly enforceable on Indian companies.  However, for companies having EU linkages, it may be a top-down effect if the controller of a company is sitting there.

Sanjay asked, how about companies having US presence and doing business in EU. Supratim’s answer was yes these are the companies sitting on the fence.

How about B2B interactions? Will official emails also be treated as personal? Supratim answers yes it may. Again it has to be backed by avenues where data was collected and legitimate use. Supratim further mentions that several aspects of the law are still evolving and idea at present is to take a conservative view.

Right now it is important to start the journey of complying with GDPR, and follow the earlier raised points of data mapping, start defining policy and processes and evolve. In due course, there will be more clarity. And if you are starting a journey to comply with GDPR, you will further be ready to comply with Indian privacy law and other global legal frameworks.

“There is no denying the fact that one should start working on GDPR”, said Sanjay. “Sooner the better”, added Supratim.

We will be covering more issues on Data Protection and Privacy law in near future.

Author note and Disclaimer: PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact Software Product Industry and the startups in the eco-system. PolicyHacks, therefore, do not necessarily set out views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on the case to case basis.