India’s new Software Products Policy marks a Watershed Moment in its Economic History – Can the nation make it count?

India is on the glide path of emerging as one of the economic powerhouses of the world – its economy is ranked sixth in size globally (and slated to climb to second by 2030); it has the fastest growing annual GDP growth rate amongst (major) countries; the country ranked in the world’s top 10 destinations for FDI in 2017-18. With a population of 1.3 billion and a large middle class of ~300 million+, it is one of the most attractive markets globally. Specifically in the digital economy – India has a huge $ 167 billion-sized IT industry; it boasts of a 55% market share in global IT services & outsourcing; 1140 global corporations run their tech R&D centres in India. In the tech startup space, India has attracted Private Equity (PE) & Venture Capital (VC) investments of $33 billion in 2018, and it has over a dozen unicorns (startups with over $1 billion valuations).

These data-points are truly impressive and would make any country proud, but they belie one of the glaring historical paradoxes of the Indian economic story – the sheer absence of world-beating products from India. Ask Indians to name three truly world class, globally loved Indian products or brands – chances are they’ll struggle to name even one. Check out the Global Innovation Index 2018 from the World Intellectual Property Organization (WIPO) – India doesn’t figure in the top 50 countries. Or the Interbrand 2018 Top 100 Global Brands Ranking – there’s no Indian name on that list. Leave aside brick & mortar industries, the Indian IT & Digital sector doesn’t fare any better on this count. IT services, which forms its lion’s share comprises largely of low end, commoditized services or cost arbitrage based outsourcing contracts. Most of the new age tech unicorns in India are based on ideas and business models that are copied from foreign innovators (with some local tweaks) – their outsized valuations are a result of them being the gatekeepers to the large Indian market, rather than from having created path-breaking products from first principles. So the overall trend is that India has a large domestic market, and it is a big supplier of technical brain power on the world stage, but when it comes to building innovative products, we come to a total cropper. This is best reflected in the Infosys Co-Founder, Narayan Murthy’s candid quote – “There has not been a single invention from India in the last 60 years that became a household name globally, nor any idea that led to the earth-shaking invention to delight global citizens”.



The launch of the National Software Products Policy (#NSPS):

It is in this light that the recently rolled out National Software Products Policy (#NSPS) by the Ministry of Electronics & IT (MeitY), Government of India marks a watershed moment. For the very first time, India has officially recognised the fact that software products (as a category) are distinct from software services and need separate treatment. So dominated was the Indian tech sector by outsourcing & IT services, that “products” never got the attention they deserve – as a result, that industry never blossomed and was relegated to a tertiary role. Remember that quote – “What can’t be measured, can’t be improved; And what can’t be defined, can’t be measured”. The software policy is in many ways a recognition of this gaping chasm and marks the state’s stated intent to correct the same by defining, measuring and improving the product ecosystem. Its rollout is the culmination of a long period of public discussions and deliberations where the government engaged with industry stakeholders, Indian companies, multinationals, startups, trade bodies etc to forge it out.

#NSPS will bring into focus the needs of the software product industry and become a catalyst in the formulation of projects, initiatives, policy measures etc aimed at Indian product companies. One of its starting points is the creation of a national products registry that’s based on a schematic classification system. Other early initiatives that will help in operationalizing the policy – setting up of a Software Products Mission at MeitY, dedicated incubators & accelerators for product startups, development of product-focused industrial clusters, preferential procurement by the government from product companies, programs for upskilling and talent development etc.

The Indian IT / Software Industry Landscape:

To understand the product ecosystem, one needs to explore the $ 167 billion-sized Indian IT / Software sector into its constituent buckets. The broad operative segments that emerge are –

1) IT Services & ITES: This is by far the largest bucket and dominates everything else. Think large, mid & small sized services companies throughout the country servicing both domestic & foreign markets. e.g. TCS, Infosys, Mindtree, IBM, Accenture, GE etc
2) Multinationals / Global Development Centers: These are foreign software companies serving Indian markets and/or using India as a global R&D development centre. e.g. Microsoft, Google, Netapps, McAfee, etc
3) Domestic Product Companies: This is a relatively small segment of Indian software product companies selling in domestic or overseas markets e.g. Quickheal, Tally etc.
4) Startups – E-commerce / Transactional services: This is the large, fast-growing segment of startups into direct (or aggregated) transactional businesses like e-commerce, local commerce, grocery shopping, food delivery, ride sharing, travel etc. e.g. BigBasket, Flipkart, Amazon, Grofers, Milkbasket, Swiggy, Dunzo, Uber, Ola, Yulu, Ixigo, MMT etc. You could also include the payment & fintech companies in this bucket – e.g. Paytm, Mobikwik, PhonePe, PolicyBazaar, Bankbazaar etc. This segment has absorbed the maximum PE & VC investments and is poised to become bigger with time.
5) Product Startups – Enterprise / CoreTech / Hardware: This is comprised of companies like InMobi, Zoho, Wingify, Freshdesk, Chargebee, Capillary, electric vehicle startups, drone startups etc. They could be serving Indian or foreign B2B markets.
6) Product Startups – Consumer Internet: This segment is composed of media/news companies, content companies, social & professional networking, entertainment, gaming etc. e.g. Dailyhunt, Inshorts, Sharechat, Gaana, Spotify, YouTube, video/photo sharing apps, Dream11 etc.

(N.B. Off course, this segmentation schema is not water-tight and there could be other ways to slice and/or label it)

Why India lags behind in Software Products?

The global software products industry has a size of $ 413 billion, and it is dominated by US & European companies. India’s share in that pie is minuscule – it is a net importer of $ 7 billion worth software products (India exports software products worth $ 2.3 billion, while it imports $ 10 billion)“Software is eating the world” – entire industry segments are being re-imagined and transformed using the latest developments in cloud computing, artificial intelligence, big data, machine learning etc. In this scenario, it is worth understanding why India seems to have missed the software products bus. The reasons are multifarious, cutting across cultural, economic, market, behavioural and societal factors –

a) The cultural aversion to Risk, Ambiguity & Failure: Indian society has traditionally valued conformity and prepares people not to fail. Our family and educational environments are geared for teaching us to eschew risk-taking and avoid ambiguity. But building products is all about managing risk and failure. When you take a product to market from scratch, you take on multiple types of risk – market risk, execution risk, product risk. For many people in India, this is in stark contrast to their social/attitudinal skills and expectancies they have built up over a lifetime.

b) “Arbitrage” offers the Path of Least Resistance: If you pour water down a heap of freshly dug mud, it will find the path of least resistance and flow along it. Human behaviour is similar – it is conditioned to look for the path of least resistance. And “arbitrage” offers that least resistance path in the IT industry – be it cost arbitrage, labour arbitrage, geographical arbitrage, concept arbitrage et al. The IT services industry leverages the cost arbitrage model via cheaper labour costs. Many of the transactional e-commerce startups in India have used geographical arbitrage to their advantage – once a successful product or model is created in another market, they bring it to India to capitalize on a local first mover advantage, build a large valuation and become the gatekeeper to the market before the (original) foreign innovators arrive in India many years later! But arbitrage means, that while you are taking on market & execution risk, you are not assuming the product risk. These dynamics played out at scale over the years has meant it is easier for a wannabe entrepreneur in India to go the arbitrage way and quickly build out a business using a readymade template than go down the software products path, which has a much longer gestation & higher risks associated with it.

IMHO, this “arbitrage” factor represents the single biggest reason why India has seen a virtual explosion in e-commerce startups, at the expense of product startups. Look around the startup ecosystem and you’ll see all kinds of transactional businesses involving activities like buying, selling, trading etc. Why… this almost reminds of that famous 17th-century quote by Napolean when he described Britain as a “nation of shopkeepers”🙂

c) Tech isn’t enough – you need design, marketing skills: To build great software products, you not only need strong technical abilities but also good design, marketing & branding skills to carve out a compelling product offering. Ask any startup in India – one of their most common problems is the inability to hire good designers and UX professionals. This puts Indian companies at a comparative disadvantage – even if they have the engineers to build the technology, their inability to translate that technology into an appealing user experience often means the difference between success and failure.

d) Lack of “patient” venture capital: This is a complaint you hear often from Indian product startups – the lack of venture capital that’s willing to be patient over the longer gestation cycles software products demand. While there is some truth to it, the more likely explanation is that software product companies present a “chicken & egg problem” for Indian startup investors. Investors are driven by financial returns – if they see returns from product companies, they’ll bet their monies on them. It just so happens, that Indian investors haven’t yet seen venture sized returns from software product companies. Hopefully, this dynamics will even out as the ecosystem grows.

e) Inadequate Domestic Market Potential:
 Many software products are monetized via subscription models, where the market’s ability (and propensity) to explicitly pay for the service is critical for success. Sometimes (SAAS/enterprise) companies try their model in India, only to discover there just aren’t enough paying customers. These startups may then be left with no choice but to either target foreign markets, or in extreme cases just move abroad for business continuity. Thus it has become imperative for the Indian domestic market to grow in size and scale to ensure the viability of product startups.

Platform companies from India are a non-starter: One aspect that needs calling out specifically is the sheer absence of any platform companies from India. Platforms are the next evolutionary step for scaled software product companies – if you get to the stage, where other industry stakeholders start building on top of the plumbing you’ve provided (thereby becoming totally dependent on you), that’s an immensely powerful position to be in e.g. AWS, Android, iOS etc. This factor assumes even greater importance given upcoming trends in AI, machine learning, deep learning, automation, robotics – the companies which emerge as platform providers may offer strategic advantages to the country of their origin. As depicted by the graphic below, India is as yet a non-starter on this count. This is deeply worrying – imagine a scenario 10-15 yrs out, when Indian software companies start dominating the domestic markets and also are a force to reckon with globally, but it’s all built on intellectual property (IP) & platforms created & owned by foreign companies!!

Some Suggested Action Areas for the National Software Policy:

MeitY in consultation with industry stakeholders is likely to create an implementation roadmap for #NSPS. Here are some specific action points I’d like to call out for inclusion in that roadmap:

Domestic Market Development: As explained earlier, the Indian domestic market needs curated development to reach a potential that makes product startups viable without having to depend on overseas markets. This calls for a series of steps, such as policy support from sectoral regulators, funding support via special go-to-market focused venture capital funds etc. The government could also help by announcing a preferential procurement policy from domestic software product companies. The Government e Marketplace (GeM) can help in institutionalizing these procurement norms.

Creating Early Awareness (Catch ‘em young): Fed by constant news in media about IT services, ITES, BPOs, outsourcing etc the average person in India is likely to be aware of IT services, but not necessarily software products. Many people may have friends and family members who work at TCS, Infosys, Wipro, IBM etc, but the same can’t be said about product companies. Given this scenario, it is important to create early awareness about products in schools, colleges, universities across metros, Tier 1, Tier 2 & 3 towns. Some of the world’s biggest product innovators like Bill Gates, Steve Jobs started writing software before they had reached high school – so if we can catch people young, we actually get a much longer runway to get them initiated into the product ecosystem. If they learn about products after they’ve started working in the industry, or when planning a mid-career shift from services to products, it might be quite late.

Reducing entry barriers for starting Software Product Companies: As shared earlier, one of the big problems in the Indian software product space is that there just aren’t enough entrepreneurs starting up product businesses. E-commerce & transactional services actually absorb (or suck in) a lot of entrepreneurial talent by virtue of having lower barriers to entry. To make a serious dent in products, you need a much larger number of product companies started off the ground. This can happen only by systematically bringing down the entry barriers – driving awareness, providing funding support, providing market development support etc. Advocacy and evangelism by software product industry role models also can help develop confidence and conviction in people to think products instead of services or e-commerce.

Building domestic Software Product Companies atop public goods: Silicon Valley has shown how you can build successful commercial applications on top of public goods (e.g. Uber built on top of GPS, Google maps & mobiles). In a similar way, public goods in India like IndiaStack, or HealthStack can be the base (or the plumbing) over which commercial applications get built for mass scalability. The good news is this trend has already been kickstarted, though its still early days.

This blog was first published at Webyantra.com

Scaling Good Advice In India’s Startup Ecosystem – A Research Paper On PNGrowth Model

In January 2016 iSPIRT ran the largest software entrepreneur school in India, called PNgrowth (short for Product Nation Growth).  The central vision of PNgrowth was to create a model of peer learning where over 100 founders could give each other one-on-one advice about how to grow their startups. With peer learning as PNgrowth’s core model, this enterprise was supported by a volunteer team of venture capitalists, founders, academics, and engineers.  See iSPIRT’s volunteer handbook (https://pn.ispirt.in/presenting-the-ispirt-volunteer-handbook/)

However, unlike a regular “bootcamp” or “executive education” session, the volunteers were committed to rigorously measuring the value of the peer advice given at PNgrowth. We are excited to announce that the findings from this analysis have recently been published in the Strategic Management Journal, the top journal in the field of Strategy, as “When does advice impact startup performance?” by Aaron Chatterji, Solène Delecourt, Sharique HasanRembrand Koning (https://onlinelibrary.wiley.com/doi/10.1002/smj.2987).

TLDR: Here’s a summary of the findings:

1.
 There is a surprising amount of variability in how founders manage their startups.  To figure out how founders prioritized management, we asked them four questions:

“…develop shared goals in your team?”
“…measure employee performance using 360 reviews, interviews, or one-on-ones?”
“…provide your employees with direct feedback about their performance?”
“…set clear expectation around project outcomes and project scope?”

Founders could respond “never,” “yearly,” “monthly,” “weekly,” or “daily.”

Some founders never (that’s right, never!) set shared goals with their teams, only did yearly reviews, never provided targets, and infrequently gave feedback. Other, super-managers were more formal in their management practices and performed these activities on a weekly, sometimes daily, basis. Not surprisingly, the supermanagers led the faster-growing startups.  Most founders, however, were in the middle: doing most of these activities at a monthly frequency.

2. Since PNGrowth was a peer learning based program, we paired each founder (and to be fair, randomly) with another participant. For three intense days, the pairs worked through a rigorous process of evaluating their startup and that of their peer. Areas such as a startup’s strategy, leadership, vision, and management (especially of people) were interrogated. Peers were instructed to provide advice to help their partners.

3. We followed up on participating startups twice after the PNgrowth program. First ten months after the retreat, and then we rechecked progress two years afterwards.

We found something quite surprising: the “supermanager” founders not only managed their firms better but the advice they gave helped their partner too.  Founders who received advice from a peer who was a “formal”  manager grew their firms to be 28% larger over the next two years and increased their likelihood of survival by ten percentage points. What about the founders who received advice from a laissez-faire manager? Their startup saw no similar lift. Whether they succeeded or failed depended only on their own capabilities and resources.

4. Not all founders benefited from being paired up with an effective manager though. Surprisingly, founders with prior management training, whether from an MBA or accelerator program, did not seem to benefit from this advice.

5. The results were strongest among pairs whose startups were based in the same city and who followed up after the retreat. For many of the founders, the relationships formed at PNgrowth helped them well beyond those three days in Mysore.

So what’s the big take away: While India’s startup ecosystem is new and doesn’t yet have the deep bench of successful mentors, the results from this study are promising. Good advice can go a long way in helping startups scale.   iSPIRT has pioneered a peer-learning model in India through PlaybookRTs, Bootcamps, and PNgrowth (see: https://pn.ispirt.in/understanding-ispirts-entrepreneur-connect/).

This research shows that this model can be instrumental in improving the outcomes of India’s startups if done right. If peer-learning can be scaled up, it can have a significant impact on the Indian ecosystem.

India powers up its ‘Software Product’ potential, Introduces National Policy on Software Products (NPSP)

This is an exciting occasion for our indigenous software industry as India’s National Policy on Software Products gets rolled out. This policy offers the perfect framework to bring together the industry, academia and the government to help realise the vision of India as a dominant player in the global software product market.

For ease of reference, let us summarise some of the major things that the policy focuses on

  • Single Window Platform to facilitate issues of the software companies
  • specific tax regime for software products by distinguishing  them from software services via HS code
  • enabling Indian software product companies to set off tax against R&D  credits on the accrual basis
  • creation of a Software Product Development fund of INR 5000 crores to invest in Indian software product companies
  • grant in aid of  INR 500 Crores to support research and innovation on software products
  • encouragement to innovation via 20 Grant Challenges focusing on Education, Healthcare & Agriculture thus further enabling software products to solve societal challenges
  • enabling participation of Indian software companies in the govt. e-marketplace to improve access to opportunities in the domestic market
  • developing a framework for Indian software product companies in government procurement.
  • special focus  on Indian software product companies in international trade development programmes
  • encouraging software product development across a wide set of industries by developing software product clusters around existing industry concentrations such as in automobile, manufacturing, textiles etc.
  • nurturing the software product start-up ecosystem
  • building a sustainable talent pipeline through skilling and training programmes
  • encouraging entrepreneurship and employment generation in tier II cities
  • creating governing bodies and raising funds to enable scaling of native software product companies.

There is good cause for cheer here. The policy offers to address many of the needs of the Software Product Ecosystem. For the first time, HS codes or Harmonised Codes will be assigned to Indian software product companies that will facilitate a clear distinction from ‘Software Services’ facilitating availing of any benefits accruing under the ‘Make in India’ programme. In addition, this will enable Indian software product companies to participate in govt contracts through registration on GeM (Govt. eMarketplace).

Considering that we remain a net importer of software products at present, steps such as the inclusion of Indian software products in foreign aid programmes, setting up of specialised software product incubators in other geographies and promoting our software product capabilities through international exhibitions definitely show intent in the right direction. With a commitment to develop 10000 software product start-ups, with 1000 of them in tier II cities, technology entrepreneurs building IP driven product companies can now look forward to infrastructural and funding support. The policy also aims to go beyond metro-centric development with a commitment to develop tech clusters around existing industry concentrations, enable skilling and drive employment in non-metros and tier II cities while actively encouraging Indian software companies to solve native problems.  

This policy could not have been possible without the vision of the Honourable Minister Shri Ravi Shankar Prasad, and continuous engagement and discussions with Shri Ajay Prakash Sawhney, Rajeev Kumar and Ajai Kumar Garg from MEITY and their team.

We have seen software companies solving native problems do exceptionally well, just look at what Paytm has been able to achieve while driving digital payments in India. There is now an understanding ‘Make in India’ can help us bridge the digital divide given that Indian entrepreneurs have a greater understanding of local issues and the challenges that are unique to us.

Setting up bodies such as the National Software Products Mission in a tripartite arrangement with the industry, academia and govt. to enable creation and monitoring of schemes beneficial to native software product companies is another much-needed step that will create a forum distinct to our software product companies and help give them a strong voice.

We would like to thank Lalitesh Katragadda, Vishnu Dusad, Sharad Sharma, Rishikesha T Krishnan, Bharat Goenka, T.V. Mohandas Pai, Arvind Gupta for their diligent efforts on the continuous dialogue and inputs for the policy.

While launching the policy is a great start, its implementation is what we all will have our eyes on. Now is the moment of action. We all look forward to fast-tracking of the various proposed measures under this policy for the benefits to start showing!

Website link to the official policy –  (https://meity.gov.in/writereaddata/files/national_policy_on_software_products-2019.pdf)

References

J​ANUARY​ 15, 2019​ – ​https://tech.economictimes.indiatimes.com/news/internet/india-needs-to-win-the-software-products-race/67533374

DECEMBER 8, 2016​ – ​https://pn.ispirt.in/what-to-expect-from-draft-national-policy-on-software-products/

NOVEMBER 13, 2016​ – ​https://pn.ispirt.in/national-software-policy-2-0-needed/

MAY 10, 2016​ – ​https://pn.ispirt.in/taxation-and-digital-economy/

APRIL 29, 2016​ – ​https://pn.ispirt.in/saas-the-product-advantage-and-need/

JULY 16, 2014​ – ​https://pn.ispirt.in/government-recognizes-the-software-product-industry/

DECEMBER 11, 2013​ – ​https://pn.ispirt.in/three-waves-of-indian-software/

JULY 16, 2013​ – ​https://pn.ispirt.in/smbs-and-indian-software-product-industry-intertwined-fortunes/

JULY 4, 2013​ – ​https://pn.ispirt.in/8-truths-why-it-services-organizations-cannot-do-software-products/

Clipping The Wings Of Angel Tax

 

2000 startups. 100 meetings. 25 articles. 7 years. 3 WhatsApp groups. 2 whitepapers.

1 unwavering ask:

No More Angel Tax.

This evening, when we first got to see the circular from DPIIT/CBDT that formalized key recommendations suggested with respect to Angel Tax or section 56(2)(viib), we admit our minds went blank for a moment. After all, this one document represents the tireless, collaborative efforts of iSPIRT, the entrepreneurial community of India and ecosystem partners like IVCA, Local Circles, IAN, TiE, 3one4 Capital, Blume Ventures etc., and the proactive support from the government. It has been one relentless outreach initiative that has seen us become a permanent fixture at Udyog Bhavan and North Block (I even checked with the guards regarding the possibility of a season pass). My colleagues Sharad Sharma, TV Mohandas Pai, and partners such as Siddharth Pai, Nikunj Bubna, Sreejith Moolayil, Monika, Ashish Chaturvedi and Sachin Taporia deserve a big shout out for their diligent efforts at connecting with various ecosystem partners and initiating a regular cadence of dialogue with the government.

The key takeaways from the circular are as below

  • Blanket exemption for up to INR 25Cr of capital raised by DIPP registered startups from any sources
  • Amendment in the definition of startups in terms of tenure from 7 to 10 years
  • Increase in the revenue threshold for the definition of startups from INR 25Cr to INR 100 Cr
  • Breaking the barrier for listed company investments by excluding high-traded listed companies and their subsidiaries, with a net-worth above INR 100Cr or a Turnover of 250 cr, from section 56(2)(viib)’s ambit

Each of these points is a major win for the startup community. If one looks at the data from the LocalCircles startup survey in January 2019, nearly 96% of startups that had received notices regarding angel tax, had raised below the permissible limit of INR 10cr. Expansion of this limit to INR 25cr is a huge boost and instantaneously removes thousands of startups from the reach of angel tax. There is an effort here to critically analyse, define and differentiate genuine startups from shell corporations. It includes measures such as increase in the revenue and tenure threshold that will not only help startups with respect to the challenges posed by angel tax but also open up eligibility for benefits under Startup India schemes and policies. We have been talking about the need to encourage and protect domestic investments and the government has paid heed to our concerns by introducing accredited investor norms and by breaking the barrier for listed company investments.

Initiated in 2012 by the UPA government, Section 56(2)(viib) or the “angel tax” section has been a relentless shadow on the entrepreneurial ecosystem. It taxed as income any investment received at a premium by an Indian startup. This provision saw many entrepreneurs clash with the tax officials about the true value of their business and pitted unstoppable entrepreneurial zeal against the immovable tax department.

All of us from the policy team at iSPIRT have been at the forefront of this issue since 2015 when we began petitioning the government to exclude startups from section 56(2)(viib) as taxing investments from Indian sources would cripple the startup ecosystem. We laud the government for appreciating the urgency of the situation and prioritizing this issue.

We first had an inkling of things to come at the February 4th, 2019 meeting held by DPIIT. It was unprecedented as it saw a direct dialogue between government and entrepreneurs wherein both sides could better understand the issues facing each other – how section 56(2)(viib) was hampering founder confidence and how it is a needed tool in the government’s arsenal for combatting the circulation of unaccounted funds.

After this, a smaller working group was constituted on February 9th, to review the proposals made by DPIIT to address this issue, in consultation with the CBDT and the startup ecosystem. iSPIRT were part of both meetings and contributed actively to the discussion.

We can now heave a sigh of relief as we have finally achieved to a large extent what we had set out to do. We finally have a solution that ensures genuine startups will have no reason to fear this income tax provision and the CBDT can continue to use it against those attempting to subvert the law.

This could not have been possible without the help of well-wishers in government departments like Mr Nrpendra Misra, Mr Sanjeev Sanyal, Mr Suresh Prabhu, Mr Ramesh Abhishek, Mr Anil Chaturvedi, Mr Rajesh Kumar Bhoot, Mr Anil Agarwal, who patiently met the iSPIRT policy team and helped develop a feasible solution.

At long last, domestic pools of capital will no longer be disadvantaged as compared to foreign sources. At long last, Indian entrepreneurs will no longer have to fear the questioning of the valuations of their businesses and taxation of capital raised.

Who knows, someday we might have a movie on this. On a more serious note, it is a step that will go down in the chronicles of India’s startup story. This puts the startup engine back on track. More importantly, it shows what can be achieved when citizens and the government get together.

By Nakul Saxena and Siddharth Pai, Policy Experts – iSPIRT

An Afternoon With Don Norman In Bengaluru

Are you building products for the everyday user? Is it becoming harder and harder to manage complexity while maintaining usability? How do you design a sustainable system for a complex multi-stakeholder environment? How do you teach a user to use your product with good design? How do you reinvent an established business model in light of rapidly evolving markets and technological possibilities? How do you design a product to be truly human-centric?

If any of these questions sound relevant to you, here’s an opportunity to seek answers on 22nd February in Bengaluru! 

About Don Norman

Dr Don Norman is a living legend of the design world having operated in the field for over 40 years. He has been Vice President of Apple in charge of the Advanced Technology Group and an executive at both Hewlett Packard and UNext (a distance education company). Business Week has listed him as one of the world’s 27 most influential designers. Dr Norman brings a unique mix of the social sciences and engineering to bear on everyday products. At the heart of his approach is human and activity-centred design, combining knowledge of cognitive science, engineering, and business with design.

Presently, he is Director of the recently established Design Lab at the University of California, San Diego where he is also professor emeritus of both psychology and cognitive science and a member of the Department of Electrical and Computer Engineering. He is also the co-founder of the Nielsen Norman Group, an executive consulting firm that helps companies produce human-centred products and services.

ProgrammeTalk

Don will share valuable insights about his interactions with Indian people, products and experiences.

Fireside Chat

An informal discussion with Don about his learnings and experiences spanning his long and illustrious career.

How to participate?

We’re inviting engineers, product managers, designers and everyone else who is building for large scale impact.

If you would like to further your understanding of human-centric design and hear straight from the horse’s mouth, please register here by 18th February. (An invite will be sent out to selected participants by 21st February)

#2 Federated Personal Health Records – The Quest For Use Cases

Last week we wrote about India’s Health Leapfrog and the role of Health Stack in enabling that (you can read it here). Today, we talk about one component of the National Health Stack – Federated Personal Health Records: its design, the role of policy and potential use cases.

Overview

A federated personal health record refers to an individual’s ability to access and share her longitudinal health history without centralised storage of data. This means that if she has visited different healthcare providers in the past (which is often the case in a real life scenario), she should be able to fetch her records from all these sources, view them and present them when and where needed. Today, this objective is achieved by a paper-based ‘patient file’ which is used when seeking healthcare. However, with increasing adoption of digital infrastructure in the healthcare ecosystem, it should now be possible to do the same electronically. This has many benefits – patients need not remember to carry their files, hospitals can better manage patient data using IT systems, patients can seek remote consultations with complete information, insurance claims can be settled faster, and so on. This post is an attempt to look at the factors that would help make this a reality.

What does it take?

There are fundamentally three steps involved in making a PHR happen:

  1. Capture of information – Even though a large part of health data remains in paper format, records such as diagnostic reports are often generated digitally. Moreover, hospitals have started adopting EMR systems to generate and store clinical records such as discharge summaries electronically. These can act as starting points to build a PHR.
  2. Flow of information- In order to make information flow between different entities, it is important to have the right technical and regulatory framework. On the regulatory front, the Personal Data Protection Bill which was published by MeitY in August last year clearly classifies health records as sensitive personal data, allows individuals to have control over their data, and establishes the right to data portability. On the technical front, the Data Empowerment and Protection Architecture allows individuals to access and share their data using electronic consent and data access fiduciaries. (We are working closely with the National Cancer Grid to pilot this effort in the healthcare domain. A detailed approach along with the technical standards can be found here.)
  3. Use of information – With the technical and regulatory frameworks in place, we are now looking to understand use cases of a PHR. Indeed, a technology becomes meaningless without a true application of it! Especially in the case of PHR, the “build it and they will come” approach has not worked in the past. The world is replete with technology pilots that don’t translate into good health outcomes. We, in iSPIRT,  don’t want to go down this path. Our view is that only pilots that emerge from a clear focus on human-centred design thinking have a chance of success.

Use cases of Personal Health Records

Clinical Decision Making

Description: Patient health records are primarily used by doctors to improve quality of care. Information about past history, prior conditions, diagnoses and medications can significantly alter the treatment prescribed by a medical professional. Today, this information is captured from any paper records that a patient might carry (which are often not complete), with an over-reliance on oral histories – electronic health records can ensure decisions about a patient’s health are made based on complete information. This can prove to be especially beneficial in emergency cases and systemic illnesses.

Problem: The current fee-for-service model of healthcare delivery does not tie patient outcomes to care delivery. Therefore, in the absence of healthcare professionals being penalised for incorrect treatment, it is unclear who would pay for such a service; since patients often do not possess the know-how to realise the importance of health history.

Chronic Disease Management

Description: Chronic conditions such as diabetes, hypertension, cardiovascular diseases, etc. require regular monitoring, strict treatment adherence, lifestyle management and routine follow-ups. Some complex conditions even require second opinions and joint decision-making by a team of doctors. By having access to a patient’s entire health history, services that facilitate remote consultations, follow-ups and improve adherence can be enabled in a more precise manner.

Problem: Services such as treatment adherence or lifestyle management require self-input data by the patient, which might not work with the majority. Other services such as remote consultations can still be achieved through emails or scanned copies of reports. The true value of a PHR is in providing complete information (which might be missed in cases of manual emails/ uploads, especially in chronic cases where the volume and variety of reports are huge) – this too requires the patient to understand its importance.

Insurance

Description: One problem that can be resolved through patient records is incorrect declaration of pre-existing conditions, which causes post-purchase dissonance. Another area of benefit is claims settlement, where instant access to patient records can enable faster and seamless settlement of claims. Both of these can be use cases of a patient’s health records.

Problem: Claim settlement in most cases is based on pre-authorisation and does not depend solely on health records. Information about pre-existing conditions can be obtained from diagnostic tests conducted at the time of purchase. Since alternatives for both exist, it is unclear if these use cases are strong enough to push for a PHR.

Research

Description: Clinical trials often require identifying the right pool of participants for a study and tracking their progress over time. Today, this process is conducted in a closed-door setting, with select healthcare providers taking on the onus of identifying the right set of patients. With electronic health records, identification, as well as monitoring, become frictionless.

Problem: Participants in clinical trials represent a very niche segment of the population. It is unclear how this would expand into a mainstream use of PHR.

Next steps

We are looking for partners to brainstorm for more use cases, build prototypes, test and implement them. If you work or wish to volunteer in the Healthtech domain and are passionate about improving healthcare delivery in India, please reach out to me at [email protected].

iSPIRT’s Response to Union Interim Budget 2019

Our policy team tracks the interest of Software product industry

INDIA, Bangalore, Feb 1st, 2019 – Proposals for Union budget of 2019 have been announced today by Finance Minister.

Being an interim budget not many announcements were expected. Some of the important announcements that may affect the expansion of the economy, in general, owing to increased income and ease of living in the middle class are as follows:

  1. Within two years tax assessment will be all electronic.
  2. IT return processing just in 24 hours
  3. Rebate on taxes paid for those with an income below 5 lakhs
  4. TDS threshold on interest income by woman on bank/post office deposits raised from Rs. 10,000 to 40,000
  5. Increase in standard deduction from Rs. 40,000 to 50,000
  6. Rollover of Capital gains tax benefit u/s 54 from investment in one house to two houses, for a taxpayer having capital gains up to Rs. 2 crore
  7. Recommendation to GST Council for reducing GST for home buyers
  8. Exemption from levy of tax on notional rent, on unsold inventories, from one year to two years
  9. Many benefits announced for Agriculture and Rural sector

The coining of the phrase “Digital Village” and placing it second on the list of ten-dimension vision statement in budget speech is a welcome step. The statement nudges the next Government to improve access to technology in rural India, a welcome step. We expect “Digital India” and easy and quality access to the internet for every citizen will remain a focus area, irrespective of which government comes to power.

The government has announced a direct cash transfer scheme for farmers. We are happy to see that technologies like the India Stack are being used by policymakers for effective policy-making irrespective of political ideology. Cash transfers promise to be more efficient initiatives that directly benefit our poor without needing them to run from pillar to post trying to prove their identity and eligibility. “Similarly, startups and SMEs remains a focus area in the vision statement. These are very important for a healthy ecosystem built up.

Similarly, focused phrases such as “Healthy India”, “Electric Vehicle” and “Rural Industrialisation using modern digital technologies” are welcome ideas in ten-dimension vision for Indian Software product industry and startup ecosystem.

However, among key issues for Startups and Investments which need to be addressed but have been missed out are Angel tax and Tax parity between listed and unlisted securities. Angel Tax is a very important issue which needs to be addressed conclusively at the earliest. We need to ensure gaps between policy declaration and implementation do not cause entrepreneurs and investors to relocate themselves aboard.

About iSPIRT Foundation

We are a non-profit think tank that builds public goods for Indian product startup to thrive and grow. iSPIRT aims to do for Indian startups what DARPA or Stanford did in Silicon Valley. iSPIRT builds four types of public goods – technology building blocks (aka India stack), startup-friendly policies, market access programs like M&A Connect and Playbooks that codify scarce tacit knowledge for product entrepreneurs of India. visit www.ispirt.in

For further queries, reach out to Nakul Saxena ([email protected]) or Sudhir Singh ([email protected])

Angel Tax Notification: A Step In The Right Direction, But More Needs To Be Done

There have been some notifications which have come out last week, it is heartening to see that the government is trying to solve the matter. However, this is a partial solution to a much larger problem, the CBDT needs to solve for the basic reason behind the cause of Angel Tax (Section 56(2)(viib)) to be able to give a complete long-term solution to Indian Startups.

While the share capital and share premium limit after the proposed issue of share is till 10 crores and helps startups for their initial fundraising, which is usually in the range of Rs 5-10 Cr. Around 80-85% of the money raised on LetsVenture, AngelList and other platforms by startups is within this range, but the government needs to solve for the remaining 15-20% as startups who are raising further rounds of capital, which is the sign of a growing business, are still exposed to this “angel tax”. Instead, the circular should be amended to state that Section 56(2)(viib) will not apply to capital raises up to Rs 10 Cr every financial year provided that the startups submit the PAN of the investors.

The income criteria of INR 50 lakhs and net worth requirement of INR 2 crores is again a move by the government that requires further consideration for the investing community. Therefore, to further encourage investments by Angels or to introduce new Angels to the ecosystem, there is a need to look towards a reduced income criterion of INR 20 Lakhs or a net worth of INR 1 crore, enabling more investors for a healthier funding environment. We also, need to build a mechanism to facilitate investments by corporates and trusts into the startups.

Most importantly, any startup who has received an assessment order under this section should also be able to for the prescribed remedies and submit this during their appeal. They should not be excluded from this circular since its stated scope is both past and future investments. The CBDT should also state that the tax officers should accept these submissions during the appeals process and take it into consideration during their deliberation.

So, to summarise:

  • Section 56(2)(viib) should not apply to any investment below Rs 10 crore received by a startup per year or increase the share premium limit to Rs 25 Crores, from Indian investors provided that the startup has the PAN of the investors
  • Section 56(2)(viib) should not apply to investors who have registered themselves with DIPP as accredited investors, regardless of the quantum of investment
  • The threshold stated should be either a minimum income of Rs 25 lakhs or a net worth of at least Rs 1 crore
  • Any startup who has received an assessment order should be able to seek recourse under this circular during their appeal

Through this circular, the government has reaffirmed its commitment to promoting entrepreneurship and startups in India. With these suggestions, the spectre of the “angel tax” will end up as a footnote in the history of the Indian startup ecosystem.

We look forward to the early resolution of these pending matters. For any suggestions, Do write to us [email protected]

The article is co-authored with Siddarth Pai, Policy Expert – iSPIRT Foundation and Founding Partner – 3one4 Capital.

White Paper On The Analysis Of High Share Premium Amongst Startups In India

“High share premium is not the basis of a high valuation but the outcome of valid business decisions. This new whitepaper by our iSPIRT policy experts highlights how share premia is a consequence of valid business decisions, why 56(2)(viib) is only for unaccounted funds and measures to prevent valid companies from being aggrieved by it”

What lies beyond the horizon: Digital Sky & the future of drones in India

Drones have been around for a long time, going back as far as World War II. For most of their history, they were considered part of the military arsenal and developed and deployed almost exclusively by the military.

However, the past decade has seen a tremendous amount of research and development in the area of using drones for civilian purposes. This has led industry experts to predict that drones will be disrupting some of the mainstay industries of the global economy such as logistics, transportation, mining, construction and agriculture to name a few. Analysts estimate a $100 billion market opportunity for drones in the coming few years  [1]. In spite of the overwhelming evidence in favour of the value created by drones, it has taken quite a few years for the drone industry to take off in a commercial sense globally.

The main reason for this has been the regulatory challenges around what is allowed to fly in the air and where is it allowed to fly. A common theme around the world is the unconventional challenges that old governmental structures have to face as they try to understand and regulate new technologies. Hence the default approach so far for governments has been reactionary caution as they try to control what are, essentially, flying robots in the sky.

However, with electronic costs coming down, the hardware becoming more accessible and the software interpreting data becomes more powerful a number of humanitarian, civilian and industrial application have emerged and as governments across the world are realizing the potential of drones, we are starting to see the first version of regulations being drafted and adopted across the globe.[2]

Closer home India has a relatively adverse approach to drones or more lackadaisical rather. [3]

But as India continues to drive to become a more technology-oriented economy the role of drones in the worlds fastest growing economy and the potential benefits it can bring are hard to ignore.[4]

However, India’s approach to drone regulations cannot be that of other major economies that have the luxury of friendly neighbours and a large network of monitoring apparatus, India has had to take an approach that has to be novel and robust. Something that balances the security landscape while also being designed to allow maximum utilization of the potential that drones offer. Out of this need to both regulate secure how and where a drone can fly and keep multi-ministerial stakeholder interests accounted for was born the Digital Sky, India’s foundational framework for all things drones.

What is the Digital Sky and how does it work?

What the Digital Sky accomplishes beautifully is to fill the institutional void that needs to be collectively fulfilled by so many institutions and make it easier for the industry and consumers to interface with the government legally through one platform. Permission to fly drone no longer requires a 90-day intimation with an arbitrary number of NOCs to be approved by umpteen number of ministerial bodies at the central and federal level. The industry and the public now know one place to interact with in order to register their drone, get recognised as a certified operator and apply for permissions and all concerned government agencies ensure their overarching interests do not interfere with the large-scale adoption of drones.  

There are crucial components required for the Digital Sky concept to work, the most central being that drone operators should not be able to fly drones if they are not approved by the government. To accomplish this the Drone 1.0 regulations revolve around the concept of No-Permission-No-Takeoff (NPNT).

Our maven Tanuj Bhojwani explaining NPNT at the DigitalSky RoundTable on 4 Dec 2018 in Bengaluru

What this implies is that unless a drone has got valid permission for a particular flight through tamper-proof digitally signed permission tokens, it will not be able to take off. The Digital Sky is the platform to automate the processing of these permission tokens as they flow in from different parts of the country without overwhelming the authorities through a flight information management system (one of only three countries to build this nationally after China and the USA). In order for this vision to come true, there will be an enormous change in the way drones are manufactured and operated. Entire new industry verticals around getting existing drones compliant, developing interfaces that interact with the Digital Sky platform and making applications for India’s needs will develop. Hence this begs the question.

How are the current state of the industry are changing with 1.0 regulations

Until the introduction of the regulations companies especially in the UAV operations were doing non-restricted work and end up becoming the jack-of-all-trades. Companies in the manufacturing domain were unclear of who is their target customer and what they needed to build. All the companies in this domain were working with no clarity on the safety and permissions.

With the introduction of the Drone Policy 1.0, there is a buzz which has been created and efforts are being made to understand the regulations by all the entities who are set to gain from it. They understand that there will be a new aspect that needs to cater to i.e. the sense of accountability.

For manufacturer’s The NP-NT mandate will be the most immediate requirement, the most common route to implement the mandate will be through changes to existing firmware architecture. The changes themselves are being driven by open source initiatives with various operators, system integrators and manufacturers contributing to the shift to NP-NT for all major drone platforms in the country. The Digital Sky has inadvertently catalysed the first industry-wide initiative to bring together all members of the ecosystem. Other requirements such as ETA bring in much-needed standardisation in the hardware space, this allows benchmarking of products, easier availability of information about the standards to look out for end users.

For operators, a massive increase in the volume of business is expected as they can now focus on getting certified drones into the air, and not so much on getting approvals. The Digital Sky brings in much-needed certainty and predictability into an industry that will be focused on balancing demand and supply of drone-related operations in a market that has a huge need for drones and their data but limited expertise to acquire and process it. This also puts onus an industry to become security and privacy conscious and insurance agencies will play an important role in this regard. It will also immensely help in changing the thought process of the companies providing services and their customers. Customers will start understanding that they also need to have a defined plan, process and execution instead of a haphazard existing process of execution.

How industry/playground will change over the coming years?

With the introduction on the regulations and a platform like Digital sky enabling the ease of doing business for the companies who are serious stakeholders in this domain, there is no limit to what developments will occur in the coming years. It opens up possibilities for utilization of Drone and its related technologies in Agriculture, Medical, Energy and Infrastructure and transportation.

The existing players will become more mature and more focused. They will understand that with regulations in place a more focused approach is the key to scale. They will look at opportunities to compete with the global market also as the solutions that are developed around the Drone Regulations 1.0 and 2.0 will be key factors that contribute to the Indian ecosystem to becoming a global standard to test, adapt and innovate drone applications and management.

What are the opportunities? What does that mean for the current and new players?

UAV/ Drones as a business was a far-fetched thought for many entrepreneurs and has been a struggling industry in the past in India. Going forward it is guaranteed that it will be one of the biggest markets in the world for UAV as a business. What the regulations and Digital Sky platform will enable is a new levelled playground ground for the UAV companies to initiate good scalable business models both existing and the ones entering new to the sector.

The existing companies with the right resources can now plan to scale their operations and also have the added advantage of doing work for the private sector in India. Due to the restrictive method of operations adapted previously the solutions to private agencies was unavailable. Now going forward the companies will shift their focus from being a B2G entity to a B2B entity. Many new businesses for UAV air traffic management, surveillance, AI and ML-based UAV solutions and deliveries will emerge out of India with technology specific to India.

If you want to join our future roundtable sessions on Digital Sky and more, please register your interest here.

The blog is co-authored by Anurag A Joshi from INDrone Aero systems, Abhiroop Bhatnagar from Algopixel Technologies and Gokul Kumaravelu from Skylark Drones

White Paper On Section 56(2)(viib) And Section 68 And Its Impact on Startups In India

Angel Tax (Section 56(2)(viib)) has become a cause celebre in Indian startup circles due to its broad-reaching ramifications on all startups raising capital.

This paper traces the origin of this section, it’s analysis, impact, how it adversely affects startups. Special mention is also made of the seldom covered Section 68 and it’s used in conjunction with Section 56(2)(viib). The paper also proposes recommendations to ensure that genuine companies are not aggrieved by this while the original intent of the section is preserved.

For any support or query, please write to us at [email protected]

India Financial Services – Disrupt or Be Disrupted

Matrix India recently hosted two firebrands of the financial services world, Mr Sanjay Agarwal, founder AU Small Finance Bank and Mr Sharad Sharma, founder iSPIRT Foundation, Volunteer at India Stack, for a no holds barred discussion at the Matrix Rooftop in Bangalore. Here is an excerpt from the evening and some of our learnings for fin-tech entrepreneurs.

Part 1 of the two-part series features the untold story of AU Bank, in the words of Sanjay Agarwal himself, as below:

Sanjay Agarwal – on his background and early days before starting AU:

“In my early Chartered Accountancy days, I started out by doing audit work, taxation, and managing clients. I had studied hard and was naïve and enthusiastic at that time hoping, to solve the world’s problems. This pushed me to work harder and I had a desire to do something more.

I believe that we are the choices we make. While evaluating various choices, I eliminated all the options that I didn’t want to pursue e.g. to work for a fee or commission and then I started digging deeper on what really interests me – that was when the concept of AU Financiers was formed.

In 1996, as 26 years old, I began approaching HNIs to raise capital, as back then, there were no VCs. I was fortunate to raise INR 10 cr at a 12% hurdle rate and I had to secure the funding with a personal guarantee. But what is the guarantee of the guarantor? No one questioned this at that time. So, I technically became one of the first P2P lenders, and structured a product that didn’t exist– short term, secured and at a 30% rate of interest. That was the start of the AU journey.”

The Early Days of AU:

“I started off AU as a one-man army. I was everything from the treasurer to the collector. Slowly we built our team and rotated the 10 cr of capital to disburse 100 cr of loans – not a single rupee was lost. There were several challenges at that time for e.g., there was no CIBIL score, financial discipline was lacking, people were still learning how to take a loan and repay it and customer ids didn’t even have a photograph. But somehow, we managed.

The period from 1996 to 2002 taught me everything I needed to learn – how to lend, how to collect, how to manage people, read people’s body language, and most importantly how to manage yourself in different situations. I follow all of that until today, and my team also benefits or suffers from those learnings of mine even today. In those 7 years, we would have dealt with 2000 customers out of which 500 defaulted. That was the ratio of defaulters – 25%. But we managed and there were actually no NPL’s.”

Partnering with HDFC Bank

“In 2002, retail credit was beginning to take off, but our HNIs started pulling their money out, as they wanted a higher return. However, at that time, the most premium bank in the country, HDFC Bank, appointed us as their channel partner. The model we followed was very simple – AU was responsible for sourcing the customer, KYC processing and doing on the ground diligence while loans were booked on HDFC’s balance sheet. HDFC is perceived to be a conservative bank, and it is – however, they gave me Rs 400 cr, on a net worth of only Rs 5 cr! They made an exception in our case due to our strong track record, through execution, sound knowledge of the market, and most importantly our integrity.

By 2008, our net worth had increased to Rs 10 crore through internal accruals. At that time, HDFC told us that we can’t give you any more capital, as we were overleveraged, and that we now needed to bring in equity capital if we wanted to grow.”

Growing the balance sheet and partnering right

“I had two choices at that point, I could continue in Jaipur, keep my ambition under control and live comfortably or figure out what else is possible. I chose the latter and this marked the beginning of my partnership with Motilal Oswal. Its easier to raise equity now, back in the day shareholder agreements used to look like loan agreements with min IRR requirements, etc. As luck would have it, a few months after we raised equity, the Lehman Brothers crisis broke out and most banks stopped funding. We were supported once again by HDFC – they were our saviour and I will cherish my relationship with them always. Once the market settled down, having survived this negative environment, there was no looking back.

Our next major investor was IFC. For the entrepreneurs here, I want to say that you have to be selective about your investors, who will help with not just capital – there should be added value they bring to the table apart from money. IFC was giving me 20% lower valuation, but I knew that I didn’t have any lineage to fall back on. As a first-generation entrepreneur, I had to raise money on the strength of my balance sheet and not basis my family name. I knew that partnering with IFC would shift the perception of AU within the industry, especially for PSU banks. After their investment, we grew from one bank relationship with HDFC to 40 bank partnerships. One thing led to another and Warburg Pincus, ChrysCapital, and Kedaara Capital all came on board after that.”

Consistent performance

“From 2008 onwards, we started diversifying from vehicle lending and got into other forms of secured lending like a loan against property, home loans etc. We never tried unsecured lending and never ventured into microfinance or gold finance. Those were very popular products at that time but focusing on what we were good at resulted in a consistently strong performance. We never had a bad year. In the world of finance, the margin of error is very less. If you have a bad year you can almost never come back. Good companies survive regardless of the market condition, you can never blame the market for your company’s poor performance. In 2015-16, we were a successful NBFC, our RoA was close to 3% with an asset base of close to 8,000 crores, with a RoE of 27-28% and everyone was chasing us – the question at that time before us was, what next?”

How we became a bank

“As an NBFC, it is very hard to manage a book of Rs 50,000 cr with the same efficiency and effectiveness as it’s a people dependent business, there are limits to the kind of products you can do and you can’t keep raising capital. Hence, we became a bank because we wanted to be there for the next 100 years and that perpetual platform can only be created through a bank. That is the biggest platform and it is not available at a price. It’s available through your integrity, business plan and execution. Today, we receive Rs 100 cr of money every single day. This is the same person who was struggling to raise Rs 10 cr in 1996, and is now getting money at the speed of Rs 100 cr every day – it feels amazing but there is a lot of responsibility!”

Part 2 of the two-part series features insights from Sharad Sharma:

Recognizing the Athletic Gavaskar moment in Indian Financial Services

“Indian financial services industry is going through its equivalent of the Athletic Gavaskar project of Indian cricket. The motive behind this project was to instil the importance of being athletic to successfully compete in the modern game. A new team was created with the rule that if you are not athletic, you cannot be a part of the team, regardless of other skills that you bring to the table. Virat Kohli eventually became the captain of this team and the results are for everyone to see. Similar yet contrasting stories played out in hockey and wrestling. In hockey, we lost for 20 years because we refused to adapt to the introduction of astroturf. However, in wrestling, the Akhadas in Haryana embraced the move from mud to mat with rigour, and Indian wrestling is already punching above its weight class and hopefully will do even better over time. The idea of sharing this is that similar to sports, sometimes an industry goes through a radical shift. Take the telecom space, for example, if Graham Bell came alive in 1995, he would recognize the telephone system, 20 years later he wouldn’t recognize it at all. The banking industry is going to go through a hockey/wrestling or communications type disruption and a lot of us are working hard to make it happen.”

Infrastructure changes lead to New Playgrounds

“All the banks and NBFCs put together are not serving the real India today. We have 10 million+ businesses that have GST id’s, out of which 8 million+ are big enough to pay GST on a monthly basis, but only 1.2 million have access to NBFC or bank finance. This is a gap that needs to be addressed and it cannot be solved through incremental innovations.

Entrepreneurs and incumbents should learn from what happened in the TV industry when new infrastructure became available. When India went from state-run TV towers in 34 cities to cable and satellite TV in pretty much every town, there was a massive new market that was unlocked that did not want to watch the same Ramayan or Hum Log TV serials. What transpired was an explosion of entertainment products because of the high demand stemming from the new markets and the TV channel players that reinvented their content is thriving today while others that did not, are barely surviving or have shut down.

So where does this leave the bankers? I think it is the biggest opportunity for the right banker who understands this problem, wants to serve this section of the market and is willing to reinvent the way they do their business and take advantage of the new infrastructure that will be available.”

Dual-immersed entrepreneurs have the biggest advantage

“Entrepreneurs who are immersed in the messiness of both the new infrastructure and the old problem are “dual immersed entrepreneurs”. They are the ones that succeed when a market shift is underway. Today this is not happening. Some of our city-bred entrepreneurs are more comfortable with California rather than Bharat. And some of our sales-oriented entrepreneurs are intimidated by the messiness of the new technology infrastructure.”

New Playgrounds need new Gameplay

“In a world where eKYC exists, and we can transfer money through UPI from a phone, and sign documents digitally – we are ready to deliver financial products on the phone and this is the disruption that is required. Access to credit drives the economy and with this new infrastructure, it is now possible to lend to the real India. However, it’s easy to give money, but the ability to get it back and keeping defaults at a minimum is the real trick. Even there we are moving towards seeing a radical improvement. Debt providers now have powers they never had and defaulters are being brought to book. Customers are now incentivized to build their own credit history to get better and lower interest rates over time. A new Public Credit Registry is coming to enable this at scale. But the biggest innovation is related to the dramatic shortening of the tenor. One can structure a one-year loan into 12 monthly loans or 52 weekly loans. This rewards positive customer behaviour and brings about the behaviour change that is needed.

There is no secret sauce here, it requires gumption – like that shown by Reed Hastings, founder of Netflix. He disrupted the TV and home video industry by first having the wisdom to go from ground to cloud and then again when they started developing original content. In both cases, he had little support from the board or investors. If you can reinvent yourself before it becomes necessary, you’re a winner but this is harder to do for a successful company. The legacy of success provides resisters with the clout to block change. The real beneficiary of Aadhaar based eKYC in the telecom world was not the incumbents but Jio – eKYC allowed Jio to acquire customers at an unprecedented scale and they saved INR 5000 crores on KYC costs as well.”

About iSPIRT

iSPIRT is a non-profit think tank that builds public goods for Indian product startup to thrive and grow. iSPIRT aims to do for Indian startups what DARPA or Stanford did in Silicon Valley. iSPIRT builds four types of public goods – technology building blocks (aka India stack), startup-friendly policies, market access programs like M&A Connect and Playbooks that codify scarce tacit knowledge for product entrepreneurs of India.

About AU Small Finance Bank:

AU Small Finance Bank Limited (AU Bank) started in 1996 as a vehicle financing NBFC, AU Financiers and scaled to touch over a million underbanked and unbanked customers across 11 states of North, West and Central India, prior to becoming a bank in April 2017. During this time, AU attracted equity investments from marquee investors such as IFC, Warburg Pincus, Chrys Capital, Kedaara Capital and recently went public when its IPO was oversubscribed ~54 times. Over the years, AU Bank, led by its founder Sanjay Agarwal, has created significant shareholder value with its equity value growing from ~$120 million in 2012 to current market capitalization of ~$3 billion.

Please Note: The blog was first published and authored by Matrix India Team and you can read the original post here: matrixpartners.in/blog

iSPIRT Final Comments on India’s Personal Data Protection Bill

Below represents iSPIRT’s comments and recommendations on the draft Personal Data Protection Bill.  iSPIRT’s overall data privacy and data empowerment philosophy is covered here.  

Table of Contents

Major Comments
1. Include Consent Dashboards
2. Financial Understanding and Informed Consent for all Indians
3. Data Fiduciary Trust Scores Similar to App Store Ratings
4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data
5. Warn of Potential Credit and Reputation Hazards
6. A Right to View and Edit Inferred Personal Data
7. Sharing and Processing of Health Data

Suggestions and Questions

  • Fund Data Rights Education
  • Limit Impact Assessment Requirement
  • Passwords should be treated differently than other Sensitive Personal Data.
  • Does the Bill intend to ban automatic person-tagging in photos and image search of people?
  • Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.
  • Need for an Authority appeal process when data principal rights conflict
  • Do not outlaw private fraud detection
  • Limit record keeping use and disclosure to the Authority and the company itself.
  • Fillings may be performed digitally
  • Request for Definition Clarifications
  • Author Comments
  • Links
  • Appendix – Sample User Interface Screens

Major Comments

1. Include Consent Dashboards

We support the idea of a Consent Dashboard as suggested in the Data Protection Committee Report (page 38) and recommend it to be incorporated in the Bill in Section 26 – Right to Data Portability and Section 30 (2) Transparency.  

We envision all of a user’s personal and inferred data that is known by data fiduciaries (i.e. companies) being exposed on a consent dashboard, provided by a third party consent collector or account aggregator (to use the RBI’s parlance). Below is an example user interface:

This mandate would enable users to have one place – their consent collector-provided dashboard – to discover, view and edit all data about them. It would also allow users to see any pending, approved and denied data requests.

Furthermore, in the event of data breaches, especially when a user’s password and identifier (mobile, email, etc) have been compromised, the breach and recommended action steps could be made clear on the consent dashboard.

Given the scope of this suggestion, we recommend an iterative or domain specific approach, wherein financial data is first listed in a dashboard limited to financial data and for its scope to grow with time.

2. Financial Understanding and Informed Consent for all Indians

We applaud the Bill’s Right to Confirmation and Access (Chapter IV, Section 24):

The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

That said, we’ve found in practice that it’s difficult to appreciate the implications of digital policies on users until real user interfaces are presented to end users and then tested for their usability and understanding. Hence, we’ve put together a set of sample interfaces (see Appendix) that incorporate many of the proposed bill’s provisions and our recommendations. That said, much more work is needed before we can confidently assert that most Indians understand these interfaces and what they are truly consenting to share.

The concepts behind this bill are complicated and yet important. Most people do not understand concepts such as “revocable data access rights” and other rather jargon-filled phrases often present in the discussion of data privacy rights. Hence, we believe the best practices from interface design must be employed to help all Indians – even those who are illiterate and may only speak one of our many non-dominant languages – understand how to control their data.

For example, multi-language interfaces with audio assistance and help videos could be created to aid understanding and create informed consent.  Toll-free voice hotlines could be available for users to ask questions. Importantly, we recognize that the interfaces of informed consent and privacy control need rigorous study and will need to evolve in the years ahead.

In particular, we recommend user interface research in the following areas:

  • Interfaces for low-education and traditionally marginalized communities
  • Voice-only and augmented interfaces
  • Smart and “candy-bar” phone interfaces
  • Both self-serving and assisted interfaces (such that a user can consensually and legally delegate consent, as tax-payers do to accountants).

After user interface research has been completed and one can confidently assert that certain interface patterns can be understood by most Indian adults, we can imagine that templated designs representing best practices are recommended for the industry, much like the design guidelines for credit card products published by US Consumer Financial Protection Bureau or nutritional labelling.

3. Data Fiduciary Trust Scores Similar to App Store Ratings

We support the government’s effort to improve the trust environment and believe users should have appropriate, easy and fast ways to give informed consent & ensure bad actors can’t do well. Conversely, we believe that the best actors should benefit from a seamless UI and rise to the top.

The courts and data auditors can’t be the only way to highlight good, mediocre and bad players. From experience, we know that there will be a continuum of good to bad experiences provided by data fiduciaries, with only the worst and often most egregious actions being illegal.

People should be able to see the experiences of other users – both good and bad – to make more meaningful and informed choices. For example, a lender that also cross-sells other products to loan recipients and shares their mobile numbers may not be engaging in an illegal activity but users may find it simply annoying.

Hence, we recommend that data fiduciary trust scores are informed with user-created negatives reviews (aka complaints) and positive reviews.

In addition to Data Auditors (as the Bill envisions), user created, public ratings will create additional data points and business incentives for data fiduciaries to remain in full compliance with this law, without a company’s data protection assessment being the sole domain of its paid data auditors.

We would note that crowd sourced rating systems are an ever-evolving tech problem in their own right (and subject to gaming, spam, etc) and hence, trust rating and score maintenance may be best provided by multiple market actors and tech platforms.

4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data

…so 3rd party actors and civil society can act on behalf of users.

A privacy framework will not change the power dynamics of our society overnight. Desperate people in need of money will often sign over almost anything, especially abstract rights. Additionally, individual citizens will rarely to be able to see larger patterns in the behaviour of lenders or other data fiduciaries and are ill-equipped to fight for small rewards on behalf of their community.  Hence, we believe that user ratings and complaint data about data fiduciaries must be made available in machine-readable forms to not only to the State but to third-parties, civic society and researchers so that they may identify patterns of good and bad behaviour, acting as additional data rights watchdogs on behalf all of us.

5. Warn of Potential Credit and Reputation Hazards

We are concerned about the rise of digital and mobile loans in other countries in recent years. Kenya – a country with high mobile payment penetration and hence like India one that has become data rich before becoming economically rich – has seen more than 10% of the adult population on credit blacklists in 2017; three percent of all digital loans were reportedly used for gambling. These new loan products were largely made possible by digital money systems and the ability of lenders to create automated risk profiles based on personal data; they clearly have the potential to cause societal harm and must be considered carefully.

Potential remedies to widespread and multiple loans are being proposed (e.g. real-time credit reporting services), but the fact that a user’s reputation and credit score will be affected by an action (such as taking out a loan), most also be known and understood by users. E.g. Users need to know that an offered loan will be reported to other banks and if they don’t pay they will be reported and unable to get other loans.

Furthermore, shared usage-based patterns – such as whether a customer pays their bills on time or buys certain types of products – must be available for review by end users.

6. A Right to View and Edit Inferred Personal Data

The Machine Learning and AI community have made incredible strides in computers’ ability to predict or infer almost anything. For example, in 2017, a babajob.com researcher showed the company could predict whether a job seeker earned more or less than Rs 12000 / month with more than 80% accuracy, using just their photo.  She did this using 3000 job seeker photos, 10 lines of code and Google’s TensorFlow for Poets sample code.  Note the project was never deployed or made publicly available.

As these techniques become ever more commonplace in the years to come, it’s reasonable to assume that public facing camera and sensor systems will be able to accurately infer most of the personal data of their subjects – e.g. their gender, emotional state, health, caste, religion, income – and then connect this data to other personally identifiable data such as a photo of their credit card and purchase history. Doing so will improve training data so that systems become even more accurate. In time, these systems – especially ones with large databases of labelled photos – like the governments’, popular social networks’ or a mall’s point of sale + video surveillance system – truly will be able to precisely identify individuals and their most marketable traits from any video feed.

Europe’s GDPR has enshrined the right for people to view data inferred about them, but in conjunction with the idea of a third party consent dashboard or Account Aggregator (in the RBI’s case), we believe we can do better.

In particular, any entity that collects or infers data about an individual that’s associated with an identifier such as an email address, mobile, credit card, or Aadhaar number should make that data viewable and editable to end users via their consent dashboard.  For example, if a payment gateway provider analyses your purchase history and infers you are diabetic and sells this information as a categorization parameter to medical advertisers, that payment gateway must notify you that it believes you are diabetic and enable you to view and remove this data. Google, for example, lists these inferences as Interests and allows users to edit them:

Using the Consent Dashboard mentioned in Major Comment 1, we believe users should have one place where they can discover, view and correct all personal and inferred data relevant to them.

Finally, more clarity is needed regarding how data gathered or inferred from secondary sources should be regulated and what consent may be required. For example, many mobile apps ask for a user’s consent to read their SMS Inbox and then read their bank confirmation SMSs to create a credit score. From our view, the inferred credit score should be viewable by the end user before it’s shared, given its personal data that deeply affects the user’s ability to gain usage of a service (in this case, often a loan at a given interest rate).

7. Sharing and Processing of Health Data

The Bill requires capturing the purpose for data sharing:

Chapter II, point 5:

“Purpose limitation.— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.”

In the healthcare domain, collecting the purpose for which the data is being shared might itself be quite revealing. For example, if data is being shared for a potential cancer biopsy or HIV testing, the purpose might be enough to make inferences and private determinations about the patient and say deny insurance coverage. On the other hand, stating high-level, blanket purposes might not be enough for future audits. A regulation must be in place to ensure the confidentiality of the stated purpose.  

The Bill has a provision for processing sensitive personal data for prompt action:

Chapter IV, point 21:

“Processing of certain categories of sensitive personal data for prompt action. — Passwords, financial data, health data, official identifiers, genetic data, and biometric data may be processed where such processing is strictly necessary— (a) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal; (b) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or (c) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.”

While this is indeed a necessity, we believe that a middle ground could be achieved by providing an option for users to appoint consent nominees, in a similar manner to granting power of attorney. In cases of emergency, consent nominees such as family members could grant consent on behalf of the user. Processing without consent could happen only in cases where a consent nominee is unavailable or has not been appointed. This creates an additional layer of protection against misuse of health data of the user.

Suggestions and Questions

Fund Data Rights Education

We believe a larger, public education program may be necessary to educate the public on their data rights.

Limit Impact Assessment Requirement

Section 33 – Data Protection Impact Assessment —

  • Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section. …
  • On receipt of the assessment, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as may be issued by the Authority.

We believe that the public must be protected from egregious data profiling but this provision does not strike an appropriate balance with respect to innovation. It mandates that companies and other researchers must ask government permission to innovate around large scale data processing before any work, public deployments or evidence of harm takes place. We believe this provision will be a large hinderance to experimentation and cause significant AI research to simply leave India. A more appropriate balance might be to ask data fiduciaries to privately create such an impact assessment but only submit to the Authority for approval once small scale testing has been completed (with potential harms better understood) and large scale deployments are imminent.

Passwords should be treated differently than other sensitive personal data.

Chapter IV – Section 18. Sensitive Personal Data. Passwords are different than other types of Sensitive Personal Data, given that they are a data security artifact, rather than a piece of data that is pertinent to a person’s being. We believe that data protection should be over-ridden in extraordinary circumstances without forcing companies to provide a backdoor to reveal passwords. We fully acknowledge that it is useful and sometimes necessary to provide backdoors to personal data – e.g. one’s medical history in the event of a medical emergency – but to require such a backdoor for passwords would likely introduce large potential security breaches throughout the entire personal data ecosystem.  

Does the Bill intend to ban automatic person-tagging in photos and image search of people?

Chapter I.3.8 – Biometric Data – The Bill defines Biometric Data to be:

“facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;”

The Bill includes Biometric Data in its definition of Sensitive Personal Data (section 3.35) which may only be processed with explicit consent:

Section 18. Processing of sensitive personal data based on explicit consent. — (1) Sensitive personal data may be processed on the basis of explicit consent

From our reading, we can see a variety of features available today around image search and person tagging being disallowed based on these provisions. E.g. Google’s image search contains many facial images which have been processed to enable identification of natural persons. Facebook’s “friend auto-suggestion” feature on photos employs similar techniques. Does the Bill intend for these features and others like them to be banned in India? It can certainly be argued that non-public people have a right to explicitly consent before they are publicly identified in a photo but we feel the Bill’s authors should clarify this position. Furthermore, does the purpose of unique identification processing matter with respect to its legality?  For example, we can imagine mobile phone-based, machine learning algorithms automatically identifying a user’s friends to make a photo easier to share with those friends; would such an algorithm require explicit consent from those friends before it may suggest them to the user?

Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.

Chapter IV – Section 25.4 – Right to correction, etc

Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.

We believe the mandate on a data fiduciary to notify all relevant entities of a personal data change is too great a burden and is better performed by a consent dashboard, who maintains which other entities have a valid, up-to-date consent request to a user’s data. Hence, upon a data change, the data fiduciary would update the consent dashboard of the change and then the consent dashboard would then notify all other relevant entities.

It may be useful to keep the user in this loop – so that this sharing is done with their knowledge and approval.

Need for an Authority appeal process when data principal rights conflict

Section 28.5 – General conditions for the exercise of rights in this Chapter. —  

The data fiduciary is not obliged to comply with any request made under this Chapter where such compliance would harm the rights of any other data principal under this Act.

This portion of the law enables a data fiduciary to deny a user’s data change request if it believes doing so would harm another data principal. We believe it should not be up to the sole discretion of the data fiduciary to determine which data principal rights are more important and hence would like to see an appeal process to the Data Protection Authority made available if a request is refused for this reason.

Do not outlaw private fraud detection

Section 43.1 Prevention, detection, investigation and prosecution of contraventions of law

(1) Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.

We worry the above clause would effectively outlaw fraud detection research, development and services by private companies in India. For instance, if a payment processor wishes to implement a fraud detection mechanism, they should be able to do so, without leaving that task to the State.  These innovations have a long track record of protecting users and businesses and reducing transaction costs. We recommend a clarification of this section and/or its restrictions to be applied to the State.

Limit record keeping use and disclosure to the Authority and the company itself.

Section 34.1.a. Record – Keeping –

The data fiduciary shall maintain accurate and up-to-date records of the following

(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;

We expect sensitive meta-data and identifiers will need to be maintained for the purposes of Record Keeping; we suggest that this Record Keeping information be allowed but its sharing limited only to this use and shared only with the company, its Record Keeping contractors (if any) and the Authority.

Fillings may be performed digitally

Section 27.4 – Right to be Forgotten

The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.

The Bill contains many references to filing an application;  we’d suggest a definition that is broad and includes digital filings.

This also applies to sections which include “in writing” – which must include digital communications which can be stored (for instance, email).

Request for Definition Clarifications

What is “publicly available personal data”?

  • Section 17.2.g – We believe greater clarity is needed around the term “publicly available personal data.“ There questionably obtained databases for sale that list the mobile numbers and addresses of millions of Indians – would there thus be included as a publicly available personal data?
  • We’d recommend that DPA defines rules around what is publicly available personal data so that it is taken out of the ambit of the bill.  
  • The same can be said for data where there is no reasonable expectation of privacy (with the exception that systematic data collection on one subject cannot be considered to be such a situation)

Clarity of “Privacy by Design”

Section 29 – Privacy by Design

Privacy by Design is an established set of principles (see here and in GDPR) and we would like to see the Bill reference those patterns explicitly or use a different name if it wishes to employ another definition.

Define “prevent continuing disclosure”

Section 27.1 – Right to be Forgotten

The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary…

We request further clarification on the meaning of  “prevent continuing disclosure” and an example use case of harm.

Define “standard contractual clauses” for Cross-Border Transfers

Section 41.3.5 – Conditions for Cross-Border Transfer of Personal Data

(5) The Authority may only approve standard contractual clauses or intra-group schemes under clause (a) of sub-section (1) where such clauses or schemes effectively protect the rights of data principals under this Act, including in relation with further transfers from the transferees of personal data under this subsection to any other person or entity.

We would like to standard contractual clauses clearly defined.

Define “trade secret”

Section 26.2 C – Right to be Forgotten

compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

We request further clarification on the meaning of  “trade secret” and an example of the same.

Author Comments

Compiled by iSPIRT Volunteers:

Links

Comments and feedback are appreciated. Please mail us at [email protected].

Appendix – Sample User Interface Screens

Link: https://docs.google.com/presentation/d/1Eyszb3Xyy5deaaKf-jjnu0ahbNDxl7HOicImNVjSpFY/edit?usp=sharing

******

Policy Hacks On India’s Digital Sky Initiative 1.0

On August 27, 2018, India announced its much-awaited Civil Aviation Regulations (CAR) for drones. The new CAR had many improvements on the original draft published last year, but most important was the introduction of Digital Sky, a technology platform that would handle the entire process of regulating the registration and permissions for all Remotely Piloted Aircraft Systems above the nano category, i.e. any remote controlled or automated flying object – multi-rotor or fixed-wing, electric or IC-engine. These set of regulations along with the announcement of Digital Sky drone policy represent the government’s “Drone Policy 1.0”.

What this policy isn’t?

From the outset, one of the largest criticisms of the draft was its seeming omission of beyond visual line of sight flights, as well as those of fully-autonomous operations. Combined with a ban on delivery of items, it would seem like the government is pre-emptively clamping down on some of the most promises of Unmanned Aerial Vehicles before they even begin.

But on close inspection, the Ministry of Civil Aviation has made an interesting & what looks to be a promising decision in naming this policy as “1.0”. Through the various public comments made by the Minister of State for Civil Aviation, Jayant Sinha, it can be gathered that there is a phased-approach being adopted for the planning and implementation of the government’s strategy for unmanned aerial vehicles.

The more complex commercial operations will be rolled out atop the digital platform, allowing the government to test the waters before allowing potentially risky operations.

At iSPIRT, we appreciate this data-driven, innovation-friendly yet safety-first approach that has been inherent to all of civil aviation.

What does the policy say?

The policy lays out a general procedure for registering, and taking permissions to fly for every type of remotely piloted aircraft system (RPAS). A good summary of the regulations themselves, what you need to fly, what you can and cannot do is given here. We will be focussing this blog post on demystifying Digital Sky and the surrounding technology – How it works, what it does and what should private players be doing about it.

What is Digital Sky?

Digital Sky is essentially a barebones Unmanned Aircraft Traffic Management system. An Unmanned Traffic Management is to drones what ATC is to aircraft. Most countries are looking to external UTM providers to build and run this digital enabling infrastructure. The government of India, in continuing its digital infrastructure as public goods tradition, has decided to build and run its own UTM to ensure that this critical infrastructure system remains committed to interoperability and is free from the risks of vendor capture in the long run. Digital Sky is the first version of such a UTM for managing drone flights in both controlled as well as uncontrolled airspaces.

For consumers, Digital Sky essentially constructed of three layers. The three layers are Online Registrations, Automated Permissions and Analytics, Tracking and Configurable Policies.

Online Registrations are the layers that onboard operators, pilots, RPAS and manufacturers on to the Digital Sky Platform. It will be a fully digital process, and applicants can track their applications online. All registered users will have an identity number, including the RPAS, which will get a Unique Identification Number (UIN). There is a private key attached to the UIN allowing the drone to prove it is who it claims to be through digital signatures.

Automated Permissions is the transaction layer that digitizes the process of seeking airspace clearance. Using Open APIs or a portal provided by the government, drones can directly seek permissions by specifying the geographic area, time of operations & pilot registration id, signed with the UIN of drone. In response to the API call or portal request, an XML file digitally signed by the DGCA is generated. This XML response is called the Permission Artefact.

All RPAS sold in India under the new policy must carry firmware that can authenticate such a Permission Artefact. Further, they must confirm that the flight parameters of the current mission match those given in the authenticated Permission Artefact. If these parameters do not match, the RPAS must not arm. This condition is referred to simply as No Permission, No Takeoff or NPNT. Thus, the requirement is that any RPAS (except nano) operated in India should be NPNT compliant. We will cover what it means to be NPNT compliant in part two of this series.

To deal with areas of low connectivity, this authenticated request can be carried prior to the flight itself, when connectivity is available. The Permission Artefact can be stored, carried and read offline by an NPNT-compliant RPAS with a registered UIN. Thus flight operations in remote or low-connectivity areas will not be severely impacted. While this seems tedious, it promises to be a lot easier than the draft regulations, which required the filing of flight plans 60 days in advance.

Digital Sky will classify all existing airspace into three colour-coded zones: Green Zones are where drones are pre-authorized to fly, but must still obtain a permission artefact to notify the local authorities of their intent to fly. On applying for permission, a permission artefact is returned instantly. Red Zones are where drone operations are forbidden from taking place. This includes areas such as airports, borders and other sensitive areas. Amber Zones are areas restricted by appropriate reasons as mentioned in the CAR where additional permissions are required. These requests are also initiated and managed through the Digital Sky Platform

Analytics, Tracking & Configurable (ATC) Policies is a shorthand for the regulatory functions that the DGCA will carry out to regulate the use of airspace by unmanned aircraft. It involves functions such as the classification of Red, Amber & Green zones, deconfliction of overlapping flights, incident response, etc.

The MoCA has articulated its desire for an ecosystem-driven approach to building out the drone industry. From an earlier draft of the No Permission No Takeoff technical document shared with manufacturers, it is expected that this layer of Digital Sky will be opened up to private players labelled as Digital Sky Service Providers (DSPs). We will cover more about Digital Sky Service Providers in part three of this series.

Conclusion

Digital Sky appears to be a move towards a more data-driven, phased-approach to policy and regulation for emerging technology. It is a global first and offers a truly forward-looking approach compared to most other nations.

For operators, in the long term, a formal system leads to an eco-system of authorised players, increase in trust, and rise of a legitimate industry. 

Note:  We have been actively following the Digital Sky policy development, Intend to bring in Part two of this blog after an active role out and implementation starts.

Why the SC ruling on ‘Private Players’ use of Aadhaar doesn’t say what you think it does

On behalf of iSPIRT, Sanjay Jain recently published an opinion piece regarding the recent supreme court judgement on the validity of Aadhaar. In there, we stated that section 57 had been struck down, but that should still allow some usage of Aadhaar by the private sector. iSPIRT received feedback that this reading may have been incorrect and that private sector usage would not be allowed, even on a voluntary basis. So, we dug deeper, and analyzed the judgement once again, this time trying to disprove Sanjay’s earlier statement. So, here is an update:

Section 57 of the Aadhaar act has NOT been struck down!

Given the length of the judgement, our first reading – much like everyone else’s was driven by the judge’s statement and confirmed by quickly parsing the lengthy judgement. But in this careful reanalysis, we reread the majority judgement at leisure and drilled down into the language of the operative parts around Section 57. Where ambiguities still remain, we relied on the discussions leading up to the operative conclusions. Further, to recheck our conclusions, we look at some of the other operative clauses not related to Section 57. We tested our inference against everything else that has been said and we looked for inconsistencies in our reasoning.

Having done this, we are confident in our assertion that the judges did not mean to completely blockade the use of Aadhaar by private parties, but merely enforce better guardrails for the protection of user privacy. Let’s begin!

Revisiting Section 57

Here is the original text of section 57 of the Aadhaar Act

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose a purpose backed by law, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Now, let us simply read through the operating part of the order with reference to Section 57, ie. on page 560. This is a part of paragraph 447 (4) (h). The judges broke this into 3 sections, and mandated changes:

  1. ‘for any purpose’ to be read down to a purpose backed by law.
  2. ‘any contract’ is not permissible.
  3. ‘any body corporate or person’ – this part is struck down.

Applying these changes to the section, we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose a purpose backed by law, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Cleaning this up, we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual pursuant to any law, for the time being in force:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It is our opinion that this judgement does not completely invalidate the use of Aadhaar by private players, but rather, specifically strikes down the use for “any purpose [..] by any body corporate or person [..] (under force of) any contract”. That is, it requires the use of Aadhaar be purpose-limited, legally-backed (to give user rights & protections over their data) and privacy-protecting.

As an exercise, we took the most conservative interpretation – “all private use is struck down in any form whatsoever” – and reread the entire judgement to look for clues that support this conservative view.

Instead, we found that such an extreme view is inconsistent with multiple other statements made by the judges. As an example, earlier discussions of Section 57 in the order (paragraphs 355 to 367). The conclusion there – paragraph 367 states:

The respondents may be right in their explanation that it is only an enabling provision which entitles Aadhaar number holder to take the help of Aadhaar for the purpose of establishing his/her identity. If such a person voluntary wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem.

Some pointed out that this is simply a discussion and not an operative clause of the judgement. But even in the operative clauses where the linking of Aadhaar numbers with bank accounts and telecom companies is discussed, no reference was made to Section 57 and the use of Aadhaar by private banks and telcos.

The court could have simply struck down the linking specifically because most banks and telcos are private companies. Instead, they applied their mind to the orders which directed the linking as mandatory. This further points to the idea that the court does not rule out the use of Aadhaar by private players, it simply provides stricter specifications on when and how to use it.

What private players should do today

In our previous post, we had advised private companies to relook at their use of Aadhaar, and ensure that they provide choice to all users, so that they can use an appropriate identity, and also build in better exception handling procedures for all kinds of failures (including biometric failures).

Now, in addition to our previous advice, we would like to expand the advice to ask that each company look at how their specific use case draws from the respective acts, rules, regulations and procedural guidelines to ensure that these meet the tests used by this judgement. That is, they contain adequate justification and sufficient protections for the privacy of their users.

For instance, banks have been using Aadhaar eKyc to open a bank account, Aadhaar authentication to allow operation of the bank accounts, and using the Aadhaar number as a payment address to receive DBT benefits. Each of these will have to be looked at how they derive from the RBI Act and the regulations that enable these use cases.

These reviews will benefit from the following paragraphs in the judgement.

The judgement confirmed that the data collected by Aadhaar is minimal and is required to establish one’s identity.

Paragraph 193 (and repeated in other paras):

Demographic information, both mandatory and optional, and photographs does not raise a reasonable expectation of privacy under Article 21 unless under special circumstances such as juveniles in conflict of law or a rape victim’s identity. Today, all global ID cards contain photographs for identification alongwith address, date of birth, gender etc. The demographic information is readily provided by individuals globally for disclosing identity while relating with others and while seeking benefits whether provided by government or by private entities, be it registration for citizenship, elections, passports, marriage or enrolment in educational institutions …

The judgement has a lot to say in terms of what the privacy tests should be, but we would like to highlight two of those paragraphs here.

Paragraph 260:

Before we proceed to analyse the respective submissions, it has also to be kept in mind that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21…

Paragraph 289:

‘Reasonable Expectation’ involves two aspects. First, the individual or individuals claiming a right to privacy must establish that their claim involves a concern about some harm likely to be inflicted upon them on account of the alleged act. This concern ‘should be real and not imaginary or speculative’. Secondly, ‘the concern should not be flimsy or trivial’. It should be a reasonable concern…

Hence, the privacy risk in these use cases must be evaluated in terms of the data in the use case itself, as well as in relation to biometrics, and the Aadhaar number in the context of the user’s expectations, and real risks. Businesses must evaluate their products, and services – particularly those which use Aadhaar for privacy risks. It is helpful that the UIDAI has provided multiple means of mitigating risks, in the form of Registered Devices, Virtual Ids, Tokenization, QR Codes on eAadhaar, etc. which must be used for this purpose.

What private players should do tomorrow

In the future, the data protection bill will require a data protection impact assessment before deploying large scale systems. It is useful for businesses to bring in privacy and data protection assessments early in their development processes since it will help them better protect their users, and reduce potential liability.

This is a useful model, and we would hope that, in light of the Supreme Court judgement, the Government will introduce a similar privacy impact review, and provide a mechanism to regulate the use of Aadhaar for those use cases, where there are adequate controls to protect the privacy of the users and to prevent privacy harms. Use cases, and an audit/enforcement mechanism matter more than whether the entity is the state, a public sector organization, or a private sector organization.

Note: This is in continuation of Sanjay Jain’s previous op-ed in the Economic Times which is available here and same version on the iSPIRT blog here.

The writer is currently Partner, Bharat Innovation Fund, and Chief Innovation Officer at the Centre for Innovation, Incubation and Entrepreneurship, IIM Ahmedabad. As a volunteer at iSPIRT, he helped define many of the APIs of the India Stack.  He was the Chief Product Manager of UIDAI till 2012

(Disclaimer: This is not legal advice)