iSPIRT’s Official Response to the Draft Drone Rules 2021

This is our response to the Draft Drone Rules 2021 published by the Ministry of Civil Aviation on 14 July 2021.

Introduction

The potential commercial benefits that unmanned aviation can bring to an economy has been well established in several countries. A primary and immediate use-case for drones is in Geospatial data acquisition for various applications such as infrastructure planning, disaster management, resource mapping etc. In fact, as argued in the recently announced guidelines for Geospatial data, the availability of data and modern mapping technologies to Indian companies is crucial for achieving India’s policy aim of Atmanirbhar Bharat and the vision for a five trillion-dollar economy.

The current situation in India, however, is that the drone ecosystem is at a point of crisis where civilian operations are possible in theory, but extremely difficult in practice. Because the regulations in place are not possible to comply with, they have led to the creation of a black market. Illegally imported drones are not only significantly faster, cheaper and easier to fly but also far more easily acquired than attempting to go through the red tape of the previous regulations to acquire approved drones. Thus, rather than creating a system that incentivises legal use of drones, albeit imported, we’ve created a system that makes it near impossible for law-abiding citizens to follow the law of the land and discourages them from participating in the formal system. This not only compromises on the economic freedom of individuals and businesses but it also poses a great national security risk as evidenced in the recent spate of drone attacks. If we do not co-opt the good actors at the earliest, we are leaving our airspaces even more vulnerable to bad actors. This will also result in a failure to develop a world-class indigenous drone & counter-drone industry, thus not achieving our goals of an Atmanirbhar Bharat.

The Draft Drone Rules (henceforth the draft) have addressed some of these problems by radically simplifying and liberalising the administrative process but haven’t liberalised the flight operations. Unfortunately, closing only some of the gaps will not change the outcome. The draft rules leave open the same gaps that cause the black market to be preferred over the legal route.

With the three tenets of Ease-of-Business, Safety and Security in mind, it is our view that while the intention behind the draft rules is laudable, we feel that the following areas must be addressed to enable easy & safe drone operations in India:

  1. Remove Requirement of Certificate of Airworthiness: The draft mandates airworthiness certification for drones whereas, no appropriate standards have been developed, thus, making the mandate effectively impossible to comply with.
  2. Lack of Airspace segregation, zoning and altitude restrictions: The draft doesn’t mention any progressive action for permitting drone operations in controlled airspaces.
  3. Business confidentiality must be preserved: The prescribed rules for access to data is not in consonance with the Supreme Court Right to Privacy Judgement
  4. Lack of transparent Import Policy: This results in severe restrictions on the import of critical components thus disincentivizing indigenous development of drones in India
  5. Insurance & Training must be market-driven and not mandated: We must let market forces drive the setting up of specialised training schools & insurance products & once mature they may be mandated & accredited. This will result in the creation of higher quality services & a safer ecosystem.
  6. Fostering innovation and becoming Atmanirbhar:
    A. Encouraging R&D: by earmarking airspace for testing for future drones
    B. Encouraging the domestic drone manufacturing industry: through a system of incentives and disincentivizing imports should be inherent in the Drone Rules.
    C. Recognition of Hobby flying: Hobbyists are a vital part of the innovation ecosystem; however, they are not adequately recognised and legitimized
  7. Encouraging A Just Culture: Effective root cause analysis would encourage a safety-oriented approach to drone operations. Penal actions should be the last resort and dispute resolution should be the focus.
  8. Enabling Increased Safety & Security: NPNT and altitude restrictions would enhance safety and security manifold.
  9. No Clear Institutional Architecture: Like GSTN, NPCI, NHA, ISRO, and others a special purpose vehicle must be created to anchor the long-term success of Digital Sky in India based on an established concept of operations
  10. Lack of a Concept of Operations: Although drone categories have been defined, they have not been used adequately for incremental permissions, as in other countries; rather the draft appears to prefer a blank slate approach. The failure to adopt an incremental approach can arguably be considered as one of the root causes of the drone policy failures till date in India as regulations are being framed for too many varied considerations without adequate experience in any.
1. Airworthiness

In the long term, it is strategically crucial to India’s national interest to develop, own and promulgate standards, to serve as a vehicle for technology transfer and export. The mandatory requirement for certification of drone categories micro and up is the key to understanding why the draft does not really liberalise the drone industry. It would not be too out of place to state that the draft only creates the facade of liberalising drone operations – it is actually as much of a non-starter as the previous versions of regulations.

The standards for issuance of airworthiness certificates have not been specified yet the requirement has been stipulated as mandatory for all operations above nano category in the draft (pts 4-6). However, most of the current commercial operations are likely to happen in the micro and small categories. And for these categories, no standards have been specified by either EASA or FAA. EASA’s approach has been to let the manufacturer certify the drone-based on minimum equipment requirements. On the other hand, It is only fairly recently that the FAA has specified airworthiness criteria for BVLOS operations for a particular drone type of 40kg, and which it expanded to 10 drone types in November. Building standards is an onerous activity that necessitates a sizable number of drones having been tested and criteria derived therefrom. The only other recourse would be adopting standards published elsewhere, and as of date these are either absent (not being mandated in other countries) or actively being developed (cases noted earlier). Given the lack of international precedent, the stipulation for certificate of airworthiness in the draft needs to be eliminated, at least for micro and small category drones.

2. Airspace

One of the major concerns since the early days of policy formulation in India has been the definition of airspace and its control zones. All regulations till date, including the draft, require prior air traffic control approvals for drone operations in controlled zones. However, given that controlled airspace in India starts from the ground level for the controlled zones upto 30 nm around most airports (unlike many other countries where it starts at higher levels), it effectively means no drone operations are possible in the urban centres in the vicinity of airports in India. While the Green/Yellow/Red classification system is a starting point for Very Low-Level airspace classification, the draft does not move to enable the essential segregated airspace for drone operations up to an altitude limit of 500ft above ground level.

3. Business Confidentiality

In the domain of Privacy Law, India has taken significant strides to ensure protection of individual and commercial rights over data. The draft (pt 23.) in its current form seems to be out of alignment with this, allowing government and administrations access to potentially private and commercially sensitive information with carte blanche. The models of privacy adopted in other countries in unmanned aviation are often techno-legal in nature. It is recommended that DigitalSky/UTM-SP network data access be technically restricted to certain Stakeholder-Intent mappings: executing searches for Law Enforcement, audit for the DGCA, aviation safety investigations and for Air Traffic Control/ Management. This would need due elaboration in the detailed UTM policy complemented with a legal framework to penalise illegitimate data access.

4. Insurance

One constant hindrance to compliance is the requirement of liability transfer. While the principle of mitigating pilot and operator liability in this fashion is sound, the ground reality is that as of date, very few insurance products are available at reasonable prices. The reason behind it is that insurance companies have not been able to assess the risks of this nascent industry. Assuming the regulation is notified in its current form (pt 28), arguably affording a clean start at scaling up drone operations, we will continue in this vicious dependency loop in the absence of incentives to either end. Again, market forces will drive the development of this industry with customers driving the need for drone operators to obtain insurance for the respective operations. Therefore it is recommended that initially, insurance should not be mandated for any category or type of drone operations, and instead be driven by market or commercial necessity. Over a period of time, insurance may be mandated within the ecosystem.

Similar feedback has been shared by Insurers: “Though the regulator (aviation regulator) has made mandatory the third party insurance, the compensation to be on the lines of the Motor Vehicles Act is somewhat not in line with international practices,” the working group set up by Insurance Regulatory and Development Authority of India (IRDAI) said.”

5. Training

Currently, there’s a requirement of training with an authorized remote pilot training organization (RPTO) (pt 25), applicable for micro-commercial purposes and above (pt 24). While the intent is right, it should not be mandated at the initial stage. The reality is that there are very few RPTO’s that offer training and the cost of such training is often higher than the cost of the drones themselves, while quality is inconsistent. While the current draft rules try to address this problem, they do this with the assumption that liberalizing the requirements for establishing RPTO’s will solve this problem. While this incentivizes more RPTO’s to be established, it still does not incentivize quality and leaves in place the same bureaucratic process for registration. This has been the experience of the ecosystem so far. While it is certainly reasonable to expect that remote pilots should receive training, the goal of better informed and equipped pilotry is better achieved, at this time, if left to manufacturers and market participants to drive it.

There are currently two types of training – Type training and Airspace training. Type training can be driven by manufacturers in the early days, as is the current practice, and Airspace training can be achieved through an online quiz, based on a Concept of Operations. It is our view that customers of drones will have a natural incentive to seek training for their pilots, thereby creating the market need for better quality training schools. Furthermore, as manufacturers establish higher levels of standardization and commoditization, they will partner with training schools directly to ensure consistent quality. In the upcoming years, as the drone ecosystem grows more mature, it will become reasonable to revisit the need for mandating pilot training at approved training schools, and DGCA may create a program that accredits the various RPTOs.

6. Fostering innovation and becoming Atmanirbhar
6A. R&D

To encourage institutional research and development further, we recommend authorised R&D zones be designated, particularly where low population and large areas (like deserts, etc) are available, some key areas of experimentation being long range and logistics operations which might require exemptions from certain compliance requirements.

6B. Import policy

Rather than simply delegating the entire import policy to DGFT (pt 8), there needs to be a clear statement of the import guidelines in the rules based on the following principles in the current draft:

  1. No barriers for the importation of components and intermediary goods for local assembly, value addition and R&D activities
  2. Disincentivising import of finished drone products, both pre-assembled and Completely Knocked Down. Possible avenues could be imposition of special import duty as part of well-considered policy of “infant industry protection”, a policy used successfully in the recent past in South Korea and is considered a part of the policy of Atmanirbhar Bharat by the Principal Economic Advisor to the PM, Sanjeev Sanyal.
  3. Incentivising investments in the indigenous manufacturing industry by aligning public drone procurement with the Defence Acquisition Procedure (2020) and supplemented by targeted government programs such as PLI schemes and local component requirements, which will help realise the PM’s vision of ‘Make in India’ and “Atmanirbhar Bharat’.
  4. In the long term, developing incentives for assemblers to embed themselves into global value chains and start moving up the value chain by transitioning to local manufacturing and higher value addition in India, to be in line with the PM’s vision of Atmanirbhar Bharat. Some suggestions here would be prioritisation for locally manufactured drones for government contracts, shorter registration validity for non-locally manufactured drones etc.
6C. Hobby Fliers

While research and development within the confines of institutions is often encumbered by processes and resource availability, hobby and model flying has enjoyed a long history in manned aviation as a key type of activity where a large amount of innovation happens. Hobby clubs such as The Homebrew Computer Club, of which Steve Jobs and Wozniak were members, and NavLab at Carnegie Mellon University are instances out of which successful industries have taken off. Far from enabling hobby or recreational fliers, they are not even addressed in the draft, which would only limit indigenous technology development. Legally speaking, it would be bad in law to ban hobby flying activities considering hobby fliers enjoy privilege under the grandfathering rights. A solution could lie in recognising hobbyists & establishing hobby flying green zones which may be located particularly where low population and large areas are available. Alternatively, institution-based hobby flying clubs could be authorised with the mandate to regulate the drone use of members while ensuring compliance with national regulations. The responsibility of ensuring safe flying would rest with these registered hobby clubs as is the case in Europe and USA.

7. Encouraging A Just Culture

Implementation is the key to the success of any policy. One of the key factors in encouraging voluntary compliance is an effective means of rewarding the compliant actors while suitably penalising any intentional or harmful violations. Therefore, arguably, an important step could be to build such rewards and punishments. In the context of aviation safety and security, the key lies in effective investigation of any violation while fostering a non-punitive culture. Effective investigations enable suitable corrective actions whilst minimal penal actions encourage voluntary reporting of infringements and potential safety concerns. ICAO encourages a just and non-punitive culture to enhance safety. Penal actions, if considered essential, should be initiated only after due opportunity and should have no criminal penalties except for deliberate acts of violence or acts harming India’s national security. However, considering the fallout from any unintentional accident as well, there should be adequate means for dispute resolution including adjudication.

8. Enabling Increased Safety & Security

The draft while taking a blank slate approach clearly aims to reduce hurdles in getting drones flying. However, we argue that lack of clarity on several issues or not recognising certain ground realities actually reduces the chance of achieving this. We list the details of these issues in the subsections below.

Points 13-14 acknowledge the existence of non-NPNT (No Permission No Takeoff) compliant drones and makes airworthiness the sole criteria for legally flying, provided such drone models are certified by QCI and are imported before the end of this year and registered with DigitalSky. This is a great step forward, however, keeping in mind the win-for-security that NPNT provides through trusted permissioning and logs, it is recommended that NPNT be phased back in with an adoption period of 6 months from the date of notification.

To bring back a semblance of safety to the thought process and keeping in mind that manned aviation would be operating above 500 ft except for takeoff, landing and emergencies, it would be pragmatic to enforce altitude fencing in addition to two-dimensional fencing going forward. Permissive regulation has the effect of encouraging good and bad actors alike, and this measure ensures the correct footing for the looming problem of interaction between manned and unmanned traffic management systems, where risk of mid-air collisions may be brought back within acceptable limits.

9. Institutional Architecture

The draft indicates that institutions such as QCI and Drone Promotion Council (DPC), along with the Central Government, would be authorised to specify various standards and requirements. However, no details have been specified on the means for notification of such standards as in the case of the Director-General (Civil Aviation) having the powers to specify standards in the case of manned aircraft. Such enabling provisions are essential to be factored in the policy so as to minimise constraints in the operationalisation of regulations e.g. as was observed in the initial operationalisation of CAR Section 3 Series X Part I which did not have a suitable enabling provision in the Aircraft Rules.

Further, effective implementation demands that responsibility for implementation be accompanied by the authority to lay down regulations which is sadly missed out in the draft. In the instant draft, the authority to lay down standards rests with QCI/ DPC but the responsibility for implementation rests with DGCA which creates a very likely situation wherein the DGCA may not find adequate motivation or clarity for the implementation of policy/ rules stipulated by QCI/ DPC.

It is not clear that setting up a DPC would advance policy-making and be able to effect the changes needed in the coming years to accelerate unmanned aviation without compromising safety and security. We argue that for effective policy and making a thriving drone ecosystem, Digital Sky is a unique and vital piece of digital infrastructure that needs to be developed and nurtured. In the domain of tech-driven industries, the track record of Special Purpose Vehicles (SPV) is encouraging in India, the NSDL, NPCI and GSTN being shining examples.

The field of unmanned aviation has its own technical barriers to policy making. Its fast-evolving nature makes it extremely difficult for regulators who might not have enough domain knowledge to balance the risks and benefits to a pro-startup economy such as that of India. With the context formed through the course of this paper, it is our view that an SPV with a charter that would encompass development of a concept of operations, future standards, policy, promotion and industry feedback, would be the best step forward. A key example of success to model on would be that of ISRO, which is overseen by the Prime Minister. This would remove inter-ministerial dependencies by overburdening the existing entrenched institutions.

10. Lack of a Concept of Operations

The difference in thought processes behind this draft and the rules notified on 12th March 2021 is significant and is indicative of the large gap between security-first and an efficiency-first mindsets; keeping in mind that mature policymaking would balance the three tenets. It also points to the lack of a common picture of how a drone ecosystem could realistically evolve in terms of technology capability and market capacity while keeping balance with safety and security. The evolving nature of unmanned aviation requires an incremental risk-based roadmap; the varied interests of its many stakeholders makes reaching consensus on key issues a multi-year effort. To this end, taking inspiration from various sources and focusing on the harsh realities peculiar to India, we are in the process of drafting a Concept of Operations for India.

Concluding remarks

With the goal of raising a vibrant Indian drone ecosystem, we recommend the following actionable steps be taken by policy makers:

Immediate Term – Enabling The Ecosystem

Changes to the draft

  1. Airworthiness Compliance requirements for all drone categories be removed till such standards are published
  2. Hobby flying and R&D Green zones be designated in low risk areas
  3. Guiding principles for Import policy formulation be laid out to incentivise import drone parts and de-incentivise drone models
  4. A privacy model be applied to DigitalSky ecosystem data access that technically restricts abuse while laying a foundation for a legal framework for penalties
  5. Insurance be not mandated for any drone categories
  6. The provision for setting up the Drone Promotion Council be subsumed by a SPV as discussed below
Next six months – Setting the ecosystem up for long-term success

A) NPNT be re-notified as a bedrock requirement for security

B) An SPV outside of entrenched institutions be set up with a charter to

1. Envision India’s concept of aviation operations for the next few decades

2. Formulate Future Policy and institutionalize some aspects of key enablers of operations currently missing in India:

  • Development / update of ConOps
  • Monitor / develop / customize International standards
  • Establish Standards for Airworthiness and Flight Training

3. Develop and operationalise DigitalSky in an open, collaborative fashion with oversight and technical governance mechanisms

4. Redefine control zones and segregate airspace for drone operations

5. Establish an advisory committee with equitable membership of stakeholders

6. Address all charter items of the Drone Promotion Council

Key Authors

1) Amit Garg – [email protected]

2) George Thomas – [email protected]

3) Hrishikesh Ballal – [email protected]

4) Manish Shukla – [email protected]

5) Siddharth Ravikumar – [email protected]

6) Sayandeep Purkayasth – [email protected]

7) Siddharth Shetty – [email protected]

8) Tanuj Bhojwani – [email protected]


About iSPIRT Foundation

iSPIRT (Indian Software Product Industry Round Table) is a technology think tank run by passionate volunteers for the Indian Software Product Industry. Our mission is to build a healthy, globally competitive and sustainable product industry in India.

For more, please visit www.ispirt.in or write to [email protected]


iSPIRT’s Official Response to the Draft Drone Rules 2021 from ProductNation/iSPIRT

Data Empowerment and Protection Architecture Explained – Video

More commonly known as the ‘Consent Layer of the India Stack’, Data Empowerment and Protection Architecture (DEPA) is a new approach, a paradigm shift in personal data management and processing that transforms the currently prevalent organization-centric system to a human-centric system. By giving people the power to decide how their data can be used, DEPA enables the collection and use of personal data in ways that empower people to access better financial, healthcare, and other socio-economically important services in a safe, secure, and privacy-preserving manner.

It gives every Indian control over their data, democratizes access and enables the portability of trusted data between service providers. This architecture will help Indians in accessing better financial services, healthcare services, and other socio-economically important services.The rollout of DEPA for financial data and telecom data is already taking place through Account Aggregators that are licensed by RBI. It covers all asset data, liabilities data, and telecom data.

We, at iSPIRT, organised a learning session on the 18th of May, to give relevant and interested stakeholders a detailed primer on DEPA. We had 60-odd very animated and engaging people in the audience. The purpose of the session was to understand the technological, institutional, market and regulatory architecture of DEPA, it impacts on existing data consuming businesses and how people could contribute to this new data sharing infrastructure that’s being built in India.

The session was anchored by Siddarth Shetty, Data Empowerment And Protection Architecture Lead & Fellow, iSPIRT Foundation (Email – sid@ispirt.in). Please feel free to reach out to him for any queries regarding DEPA.

For other queries, please write to [email protected].

#3 What does the Health Stack mean for you?

The National Health Stack is a set of foundational building blocks which will be built as shared digital infrastructure, usable by both public sector and private sector players. In our third post on the Health Stack (the first two can be found here and here), we explain how it can be leveraged to build solutions that benefit different stakeholders in the ecosystem.

Healthcare Providers

  • Faster settlement of claims: Especially in cases of social insurance schemes, delay in settlement of claims causes significant cash-flow issues for healthcare providers, impacting their day-to-day operations. The claims and coverage platform of the health stack is meant to alleviate this problem through better fraud detection and faster adjudication of claims by insurers.
  • Easier empanelment: The role of facility and provider registry is to act as verified sources of truth for different purposes. This means a convenient, one-step process for providers when empanelling for different insurance schemes or providers.
  • Quality of care: The use of personal health records can enable better clinical decision making, remote caregiving and second opinions for both patients and medical professionals.

Insurers

  • Faster and cheaper settlement of claims: claims and coverage platform, as described above
  • Easier empanelment of healthcare providers: registries, as described above
  • Diverse insurance policies: In addition to the above benefits, the policy engine of the healthstack also seeks to empower regulators with tools to experiment with different types of policies and identify the most optimum ones

Researchers and Policymakers

  • Epidemiology: the analytics engine of the healthstack can be helpful in identifying disease incidence, treatment outcomes as well as performance evaluation of medical professionals and facilities
  • Clinical trials: a combined use of analytics and PHR can help in identifying requirements and potential participants, and then carrying out randomised controlled trials

How can it be leveraged?

While the healthstack provides the underlying infrastructure, its vision can be achieved only if products benefitting the end consumer are built using the stack. This means building solutions like remote second opinions using health data from healthcare systems, as well as developing standard interfaces that allow existing systems to share this data. In the diagram below, we elaborate on potential components of both of these layers to explain where innovators can pitch in.

If you are building solutions using the health stack, please reach out to me at [email protected]!

#1 India’s Health Leapfrog – Towards A Holistic Healthcare Ecosystem

In July 2018, NITI Aayog published a Strategy and Approach document on the National Health Stack. The document underscored the need for Universal Health Coverage (UHC) and laid down the technology framework for implementing the Ayushman Bharat programme which is meant to provide UHC to the bottom 500 million of the country. While the Health Stack provides a technological backbone for delivering affordable healthcare to all Indians, we, at iSPIRT, believe that it has the potential to go beyond that and to completely transform the healthcare ecosystem in the country. We are indeed headed for a health leapfrog in India! Over the last few months, we have worked extensively to understand the current challenges in the industry as well as the role and design of individual components of the Health Stack. In this post, we elaborate on the leapfrog that will be enabled by blending this technology with care delivery.

What is the health leapfrog?

Healthcare delivery in India faces multiple challenges today. The doctor-patient ratio in the country is extremely poor, a problem that is further exacerbated by their skewed distribution. Insurance penetration remains low leading to out-of-pocket expenses of over 80% (something that is being addressed by the Ayushman Bharat program). Additionally, the current view on healthcare amongst citizens as well as policymakers is largely around curative care. Preventive care, which is equally important for the health of individuals, is generally overlooked.  

The leapfrog we envision is that of public, precision healthcare. This means that not only would every citizen have access to affordable healthcare, but the care delivered would be holistic (as opposed to symptomatic) and preventive (and not just curative) in nature. This will require a complete redesign of operations, regulations and incentives – a transformation that, we believe, can be enabled by the Health Stack.

How will this leapfrog be enabled by the Health Stack?

At the first level, the Health Stack will enable a seamless flow of information across all stakeholders in the ecosystem, which will help in enhancing trust and decision-making. For example, access to an individual’s claims history helps in better claims management, a patient’s longitudinal health record aids clinical decision-making while information about disease incidence enables better policymaking. This is the role of some of the fundamental Health Stack components, namely, the health registries, personal health records (PHR) and the analytics framework. Of course, it is essential to maintain strict data security and privacy boundaries, which is already considered in the design of the stack, through features like non-repudiable audit logs and electronic consent.

At the second level, the Health Stack will improve cost efficiency of healthcare. For out-of-pocket expenditures to come down, we have to enable healthcare financing (via insurance or assurance schemes) to become more efficient and in particular, the costs of health claims management to reduce. The main costs around claims management relate to eligibility determination, claims processing and fraud detection. An open source coverage and claims platform, a key component of the Health Stack, is meant to deal with these inefficiencies. This component will not only bring down the cost of processing a claim but along with increased access to information about an individual’s health and claims history (level 1), will also enable the creation of personalised, sachet-sized insurance policies.

At the final level, the Health Stack will leverage information and cost efficiencies to make care delivery more holistic in nature. For this, we need a policy engine that creates care policies that are not only personalized in nature but that also incentivize good healthcare practices amongst consumers and providers. We have coined a new term for such policies – “gamifier” policies – since they will be used to gamify health decision-making amongst different stakeholders.

Gamifier policies, if implemented well, can have a transformative impact on the healthcare landscape of the country. We present our first proposal on the design of gamifier policies, We suggest the use of techniques from microeconomics to manage incentives for care providers, and those from behavioural economics to incentivise consumers. We also give examples of policies created by combining different techniques.

What’s next?

The success of the policy engine rests on real-world experiments around policies and in the document we lay down the contours of an experimentation framework for driving these experiments. The role of the regulator will be key in implementing this experimentation framework: in standardizing the policy language, in auditing policies and in ensuring the privacy-preserving exchange of data derived from different policy experiments. Creating the framework is an extensive exercise and requires engagement with economists as well as computer scientists. We invite people with expertise in either of these areas to join us on this journey and help us sharpen our thinking around it.

Do you wish to volunteer?

Please read our volunteer handbook and fill out this Google form if you’re interested in joining us in our effort to develop the design of Health Stack further and to take us closer to the goal of achieving universal and holistic healthcare in India!

Update: Our volunteer, Saurabh Panjawani, author of gamifier policies, recently gave a talk at ACM (Association for Computing Machinery)/MSR (Microsoft Research) India’s AI Summit in IIT Madras! Please view the talk here: https://www.microsoft.com/en-us/research/video/gamifier-policies-a-tool-for-creating-a-holistic-healthcare-ecosystem/

iSPIRT Final Comments on India’s Personal Data Protection Bill

Below represents iSPIRT’s comments and recommendations on the draft Personal Data Protection Bill.  iSPIRT’s overall data privacy and data empowerment philosophy is covered here.  

Table of Contents

Major Comments
1. Include Consent Dashboards
2. Financial Understanding and Informed Consent for all Indians
3. Data Fiduciary Trust Scores Similar to App Store Ratings
4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data
5. Warn of Potential Credit and Reputation Hazards
6. A Right to View and Edit Inferred Personal Data
7. Sharing and Processing of Health Data

Suggestions and Questions

  • Fund Data Rights Education
  • Limit Impact Assessment Requirement
  • Passwords should be treated differently than other Sensitive Personal Data.
  • Does the Bill intend to ban automatic person-tagging in photos and image search of people?
  • Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.
  • Need for an Authority appeal process when data principal rights conflict
  • Do not outlaw private fraud detection
  • Limit record keeping use and disclosure to the Authority and the company itself.
  • Fillings may be performed digitally
  • Request for Definition Clarifications
  • Author Comments
  • Links
  • Appendix – Sample User Interface Screens

Major Comments

1. Include Consent Dashboards

We support the idea of a Consent Dashboard as suggested in the Data Protection Committee Report (page 38) and recommend it to be incorporated in the Bill in Section 26 – Right to Data Portability and Section 30 (2) Transparency.  

We envision all of a user’s personal and inferred data that is known by data fiduciaries (i.e. companies) being exposed on a consent dashboard, provided by a third party consent collector or account aggregator (to use the RBI’s parlance). Below is an example user interface:

This mandate would enable users to have one place – their consent collector-provided dashboard – to discover, view and edit all data about them. It would also allow users to see any pending, approved and denied data requests.

Furthermore, in the event of data breaches, especially when a user’s password and identifier (mobile, email, etc) have been compromised, the breach and recommended action steps could be made clear on the consent dashboard.

Given the scope of this suggestion, we recommend an iterative or domain specific approach, wherein financial data is first listed in a dashboard limited to financial data and for its scope to grow with time.

2. Financial Understanding and Informed Consent for all Indians

We applaud the Bill’s Right to Confirmation and Access (Chapter IV, Section 24):

The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

That said, we’ve found in practice that it’s difficult to appreciate the implications of digital policies on users until real user interfaces are presented to end users and then tested for their usability and understanding. Hence, we’ve put together a set of sample interfaces (see Appendix) that incorporate many of the proposed bill’s provisions and our recommendations. That said, much more work is needed before we can confidently assert that most Indians understand these interfaces and what they are truly consenting to share.

The concepts behind this bill are complicated and yet important. Most people do not understand concepts such as “revocable data access rights” and other rather jargon-filled phrases often present in the discussion of data privacy rights. Hence, we believe the best practices from interface design must be employed to help all Indians – even those who are illiterate and may only speak one of our many non-dominant languages – understand how to control their data.

For example, multi-language interfaces with audio assistance and help videos could be created to aid understanding and create informed consent.  Toll-free voice hotlines could be available for users to ask questions. Importantly, we recognize that the interfaces of informed consent and privacy control need rigorous study and will need to evolve in the years ahead.

In particular, we recommend user interface research in the following areas:

  • Interfaces for low-education and traditionally marginalized communities
  • Voice-only and augmented interfaces
  • Smart and “candy-bar” phone interfaces
  • Both self-serving and assisted interfaces (such that a user can consensually and legally delegate consent, as tax-payers do to accountants).

After user interface research has been completed and one can confidently assert that certain interface patterns can be understood by most Indian adults, we can imagine that templated designs representing best practices are recommended for the industry, much like the design guidelines for credit card products published by US Consumer Financial Protection Bureau or nutritional labelling.

3. Data Fiduciary Trust Scores Similar to App Store Ratings

We support the government’s effort to improve the trust environment and believe users should have appropriate, easy and fast ways to give informed consent & ensure bad actors can’t do well. Conversely, we believe that the best actors should benefit from a seamless UI and rise to the top.

The courts and data auditors can’t be the only way to highlight good, mediocre and bad players. From experience, we know that there will be a continuum of good to bad experiences provided by data fiduciaries, with only the worst and often most egregious actions being illegal.

People should be able to see the experiences of other users – both good and bad – to make more meaningful and informed choices. For example, a lender that also cross-sells other products to loan recipients and shares their mobile numbers may not be engaging in an illegal activity but users may find it simply annoying.

Hence, we recommend that data fiduciary trust scores are informed with user-created negatives reviews (aka complaints) and positive reviews.

In addition to Data Auditors (as the Bill envisions), user created, public ratings will create additional data points and business incentives for data fiduciaries to remain in full compliance with this law, without a company’s data protection assessment being the sole domain of its paid data auditors.

We would note that crowd sourced rating systems are an ever-evolving tech problem in their own right (and subject to gaming, spam, etc) and hence, trust rating and score maintenance may be best provided by multiple market actors and tech platforms.

4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data

…so 3rd party actors and civil society can act on behalf of users.

A privacy framework will not change the power dynamics of our society overnight. Desperate people in need of money will often sign over almost anything, especially abstract rights. Additionally, individual citizens will rarely to be able to see larger patterns in the behaviour of lenders or other data fiduciaries and are ill-equipped to fight for small rewards on behalf of their community.  Hence, we believe that user ratings and complaint data about data fiduciaries must be made available in machine-readable forms to not only to the State but to third-parties, civic society and researchers so that they may identify patterns of good and bad behaviour, acting as additional data rights watchdogs on behalf all of us.

5. Warn of Potential Credit and Reputation Hazards

We are concerned about the rise of digital and mobile loans in other countries in recent years. Kenya – a country with high mobile payment penetration and hence like India one that has become data rich before becoming economically rich – has seen more than 10% of the adult population on credit blacklists in 2017; three percent of all digital loans were reportedly used for gambling. These new loan products were largely made possible by digital money systems and the ability of lenders to create automated risk profiles based on personal data; they clearly have the potential to cause societal harm and must be considered carefully.

Potential remedies to widespread and multiple loans are being proposed (e.g. real-time credit reporting services), but the fact that a user’s reputation and credit score will be affected by an action (such as taking out a loan), most also be known and understood by users. E.g. Users need to know that an offered loan will be reported to other banks and if they don’t pay they will be reported and unable to get other loans.

Furthermore, shared usage-based patterns – such as whether a customer pays their bills on time or buys certain types of products – must be available for review by end users.

6. A Right to View and Edit Inferred Personal Data

The Machine Learning and AI community have made incredible strides in computers’ ability to predict or infer almost anything. For example, in 2017, a babajob.com researcher showed the company could predict whether a job seeker earned more or less than Rs 12000 / month with more than 80% accuracy, using just their photo.  She did this using 3000 job seeker photos, 10 lines of code and Google’s TensorFlow for Poets sample code.  Note the project was never deployed or made publicly available.

As these techniques become ever more commonplace in the years to come, it’s reasonable to assume that public facing camera and sensor systems will be able to accurately infer most of the personal data of their subjects – e.g. their gender, emotional state, health, caste, religion, income – and then connect this data to other personally identifiable data such as a photo of their credit card and purchase history. Doing so will improve training data so that systems become even more accurate. In time, these systems – especially ones with large databases of labelled photos – like the governments’, popular social networks’ or a mall’s point of sale + video surveillance system – truly will be able to precisely identify individuals and their most marketable traits from any video feed.

Europe’s GDPR has enshrined the right for people to view data inferred about them, but in conjunction with the idea of a third party consent dashboard or Account Aggregator (in the RBI’s case), we believe we can do better.

In particular, any entity that collects or infers data about an individual that’s associated with an identifier such as an email address, mobile, credit card, or Aadhaar number should make that data viewable and editable to end users via their consent dashboard.  For example, if a payment gateway provider analyses your purchase history and infers you are diabetic and sells this information as a categorization parameter to medical advertisers, that payment gateway must notify you that it believes you are diabetic and enable you to view and remove this data. Google, for example, lists these inferences as Interests and allows users to edit them:

Using the Consent Dashboard mentioned in Major Comment 1, we believe users should have one place where they can discover, view and correct all personal and inferred data relevant to them.

Finally, more clarity is needed regarding how data gathered or inferred from secondary sources should be regulated and what consent may be required. For example, many mobile apps ask for a user’s consent to read their SMS Inbox and then read their bank confirmation SMSs to create a credit score. From our view, the inferred credit score should be viewable by the end user before it’s shared, given its personal data that deeply affects the user’s ability to gain usage of a service (in this case, often a loan at a given interest rate).

7. Sharing and Processing of Health Data

The Bill requires capturing the purpose for data sharing:

Chapter II, point 5:

“Purpose limitation.— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.”

In the healthcare domain, collecting the purpose for which the data is being shared might itself be quite revealing. For example, if data is being shared for a potential cancer biopsy or HIV testing, the purpose might be enough to make inferences and private determinations about the patient and say deny insurance coverage. On the other hand, stating high-level, blanket purposes might not be enough for future audits. A regulation must be in place to ensure the confidentiality of the stated purpose.  

The Bill has a provision for processing sensitive personal data for prompt action:

Chapter IV, point 21:

“Processing of certain categories of sensitive personal data for prompt action. — Passwords, financial data, health data, official identifiers, genetic data, and biometric data may be processed where such processing is strictly necessary— (a) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal; (b) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or (c) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.”

While this is indeed a necessity, we believe that a middle ground could be achieved by providing an option for users to appoint consent nominees, in a similar manner to granting power of attorney. In cases of emergency, consent nominees such as family members could grant consent on behalf of the user. Processing without consent could happen only in cases where a consent nominee is unavailable or has not been appointed. This creates an additional layer of protection against misuse of health data of the user.

Suggestions and Questions

Fund Data Rights Education

We believe a larger, public education program may be necessary to educate the public on their data rights.

Limit Impact Assessment Requirement

Section 33 – Data Protection Impact Assessment —

  • Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section. …
  • On receipt of the assessment, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as may be issued by the Authority.

We believe that the public must be protected from egregious data profiling but this provision does not strike an appropriate balance with respect to innovation. It mandates that companies and other researchers must ask government permission to innovate around large scale data processing before any work, public deployments or evidence of harm takes place. We believe this provision will be a large hinderance to experimentation and cause significant AI research to simply leave India. A more appropriate balance might be to ask data fiduciaries to privately create such an impact assessment but only submit to the Authority for approval once small scale testing has been completed (with potential harms better understood) and large scale deployments are imminent.

Passwords should be treated differently than other sensitive personal data.

Chapter IV – Section 18. Sensitive Personal Data. Passwords are different than other types of Sensitive Personal Data, given that they are a data security artifact, rather than a piece of data that is pertinent to a person’s being. We believe that data protection should be over-ridden in extraordinary circumstances without forcing companies to provide a backdoor to reveal passwords. We fully acknowledge that it is useful and sometimes necessary to provide backdoors to personal data – e.g. one’s medical history in the event of a medical emergency – but to require such a backdoor for passwords would likely introduce large potential security breaches throughout the entire personal data ecosystem.  

Does the Bill intend to ban automatic person-tagging in photos and image search of people?

Chapter I.3.8 – Biometric Data – The Bill defines Biometric Data to be:

“facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;”

The Bill includes Biometric Data in its definition of Sensitive Personal Data (section 3.35) which may only be processed with explicit consent:

Section 18. Processing of sensitive personal data based on explicit consent. — (1) Sensitive personal data may be processed on the basis of explicit consent

From our reading, we can see a variety of features available today around image search and person tagging being disallowed based on these provisions. E.g. Google’s image search contains many facial images which have been processed to enable identification of natural persons. Facebook’s “friend auto-suggestion” feature on photos employs similar techniques. Does the Bill intend for these features and others like them to be banned in India? It can certainly be argued that non-public people have a right to explicitly consent before they are publicly identified in a photo but we feel the Bill’s authors should clarify this position. Furthermore, does the purpose of unique identification processing matter with respect to its legality?  For example, we can imagine mobile phone-based, machine learning algorithms automatically identifying a user’s friends to make a photo easier to share with those friends; would such an algorithm require explicit consent from those friends before it may suggest them to the user?

Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.

Chapter IV – Section 25.4 – Right to correction, etc

Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.

We believe the mandate on a data fiduciary to notify all relevant entities of a personal data change is too great a burden and is better performed by a consent dashboard, who maintains which other entities have a valid, up-to-date consent request to a user’s data. Hence, upon a data change, the data fiduciary would update the consent dashboard of the change and then the consent dashboard would then notify all other relevant entities.

It may be useful to keep the user in this loop – so that this sharing is done with their knowledge and approval.

Need for an Authority appeal process when data principal rights conflict

Section 28.5 – General conditions for the exercise of rights in this Chapter. —  

The data fiduciary is not obliged to comply with any request made under this Chapter where such compliance would harm the rights of any other data principal under this Act.

This portion of the law enables a data fiduciary to deny a user’s data change request if it believes doing so would harm another data principal. We believe it should not be up to the sole discretion of the data fiduciary to determine which data principal rights are more important and hence would like to see an appeal process to the Data Protection Authority made available if a request is refused for this reason.

Do not outlaw private fraud detection

Section 43.1 Prevention, detection, investigation and prosecution of contraventions of law

(1) Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.

We worry the above clause would effectively outlaw fraud detection research, development and services by private companies in India. For instance, if a payment processor wishes to implement a fraud detection mechanism, they should be able to do so, without leaving that task to the State.  These innovations have a long track record of protecting users and businesses and reducing transaction costs. We recommend a clarification of this section and/or its restrictions to be applied to the State.

Limit record keeping use and disclosure to the Authority and the company itself.

Section 34.1.a. Record – Keeping –

The data fiduciary shall maintain accurate and up-to-date records of the following

(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;

We expect sensitive meta-data and identifiers will need to be maintained for the purposes of Record Keeping; we suggest that this Record Keeping information be allowed but its sharing limited only to this use and shared only with the company, its Record Keeping contractors (if any) and the Authority.

Fillings may be performed digitally

Section 27.4 – Right to be Forgotten

The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.

The Bill contains many references to filing an application;  we’d suggest a definition that is broad and includes digital filings.

This also applies to sections which include “in writing” – which must include digital communications which can be stored (for instance, email).

Request for Definition Clarifications

What is “publicly available personal data”?

  • Section 17.2.g – We believe greater clarity is needed around the term “publicly available personal data.“ There questionably obtained databases for sale that list the mobile numbers and addresses of millions of Indians – would there thus be included as a publicly available personal data?
  • We’d recommend that DPA defines rules around what is publicly available personal data so that it is taken out of the ambit of the bill.  
  • The same can be said for data where there is no reasonable expectation of privacy (with the exception that systematic data collection on one subject cannot be considered to be such a situation)

Clarity of “Privacy by Design”

Section 29 – Privacy by Design

Privacy by Design is an established set of principles (see here and in GDPR) and we would like to see the Bill reference those patterns explicitly or use a different name if it wishes to employ another definition.

Define “prevent continuing disclosure”

Section 27.1 – Right to be Forgotten

The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary…

We request further clarification on the meaning of  “prevent continuing disclosure” and an example use case of harm.

Define “standard contractual clauses” for Cross-Border Transfers

Section 41.3.5 – Conditions for Cross-Border Transfer of Personal Data

(5) The Authority may only approve standard contractual clauses or intra-group schemes under clause (a) of sub-section (1) where such clauses or schemes effectively protect the rights of data principals under this Act, including in relation with further transfers from the transferees of personal data under this subsection to any other person or entity.

We would like to standard contractual clauses clearly defined.

Define “trade secret”

Section 26.2 C – Right to be Forgotten

compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

We request further clarification on the meaning of  “trade secret” and an example of the same.

Author Comments

Compiled by iSPIRT Volunteers:

  • Sean Blagsvedt – sean _@_ blagsvedt.com
  • Siddharth Shetty – siddharth _@_ siddharthshetty.com
  • Anukriti Chaudharianukriti.chaudhari _@_ gmail.com
  • Sanjay Jain – snjyjn _@_ gmail.com

Links

Comments and feedback are appreciated. Please mail us at [email protected].

Appendix – Sample User Interface Screens

Link: https://docs.google.com/presentation/d/1Eyszb3Xyy5deaaKf-jjnu0ahbNDxl7HOicImNVjSpFY/edit?usp=sharing

******

How To Empower 1.3 Billion Citizens With Their Data

2018 has been a significant year in our relationship with Data. Globally, the Cambridge Analytica incident made people realise that democracy itself can be vulnerable to data.  Closer to home, we got a first glimpse at the draft bill for Privacy by the Justice Sri Krishna Committee.

The writing on the wall is obvious. We cannot continue the way we have. This is a problem at every level – Individuals need to be more careful with whom they share their data and data controllers need to show more transparency and responsibility in handling user data. But one cannot expect that we will just organically shift to a more responsible, transparent, privacy-protecting regime without the intervention of the state. The draft bill, if it becomes law, will be a great win as it finally prescribes meaningful penalties for transgressions by controllers.

But we must not forget that the flip side of the coin is that data can also help empower people. India has much more socio-economic diversity than other countries where a data protection law has been enacted. Our concerns are more than just limiting the exploitation of user data by data controllers. We must look at data as an opportunity and ask how can we help users generate wealth out of their own data. Thus we propose, that we should design an India-specific Data Protection & Empowerment Architecture (DEPA). Empowerment & Protection are neither opposite nor orthogonal but co-dependent activities. We must think of them together else we will miss the forest for the trees.

In my talk linked below which took place at IDFC Dialogues Goa, I expand more on these ideas. I also talk about the exciting new technology tools that actually help us realise a future where Data can empower.

I hope you take away something of value from the talk. The larger message though, is that it is still early days for the internet. We can participate in shaping its culture, maybe even lead the way, instead of being passive observers. The Indian approach is finding deep resonance globally, and many countries, developing as well as developed, are looking to us for inspiration on how to deal with their own data problem. But it is going to take a lot more collaboration and co-creation before we get there. I hope you will join us on this mission to create a Data Democracy.

StartupBridge India – Strengthening Potential Strategic Partnership to the world

startup-bridge-india

There are many dimensions to India becoming a Product Nation. A thriving  local market is critical, which are shaped by changing consumer preference and policy.  Also important is increased trade in areas of comparative advantage.

Digital consumer market in India that opened few years ago saw its waves and cycle of valuation however it is already witnessing its next shift from India Metro to Bharat due to technology and regulation disruption going hand in hand (aka India Stack).

An undercurrent that has been largely unnoticed is emergence of B2B companies from India. Top 30 enterprise startups in India that are tracked in the iSPIX B2B is $10.25 billion last year. Saas market for Indian startups is exploding — and is on pace to be over $10 billion annually by 2025.

Like Israel is to Cybersecurity, India is becoming Saas capital for the world.

Ease of doing business in India is improving, out of 34 items in Stay In India check list part of Startup India Policy, 29 critical ones are fixes in progress.

Cross border partnership of US-India startups always existed, it is the right time to come together as software product industry to strengthen this linkage to highlight this new dimension. Two related initiatives to towards this

Initiative 1 –  India Technology Product Exits Industry Monitor 2016, measuring liquidity especially global.  

iSPIRT and Signal Hill in partnership is releasing our annual report for 2016 on state of exit deals in India. During 2014 & 2015, India witnessed a Product Technology funding boom with over $10bn getting invested in consumer tech / e-commerce companies and $1bn in enterprise tech start-ups. Whilst funding levels in 2016 have seen a steep decline (54% decline during first 3 quarters), mainly on account of a very steep drop in hedge fund activity, M&A in Product Technology with $1.34 billion in exits during the first 3 quarters (from 113 transactions), is on track to beat 2015 levels (137 transactions with $1.35bn transaction value) which was a record year for Indian Product Technology M&A. Furthermore, many global Tech majors including the likes of Apple, Google, Facebook, IBM, Naspers and Salesforce have now completed at least one Product Tech acquisition in India. However the large majority (81%) of M&A transactions are still very small (<$5m in transaction value), with the bulk (>70%) of the transaction value in the last 3 years being accounted for by 7 large (>$100m) M&A transactions. Hence there is currently a missing middle in the $5-100m deal range in Product Tech M&A in India. With an increasing number of companies that received funding during the 2014 & 2015 funding boom achieving scale during the next couple of years, we expect Product Tech M&A levels in particular across mid-size and large transactions to pick-up multi-fold from here.

Detailed report here

Initiative 2 – StartupBridge India, strengthening foundation to  increase cross border linkages.

Towards enhancing cross border linkages iSPIRT is organizing a conference called StartupBridge India in partnership with TiE SV and Stanford Center for International Development (SCID) on Dec 2 at the Stanford campus.

This conference will bring top 30 business software startups from India to the US with aim to foster cross-border partnership and potential strategic opportunities.

The conference is designed to be a symbolic and relationship-building bridge between top Indian SaaS and deep tech startups and US companies, to forge long-term relationships.

More details here www.startupbridgeindia.com

Why We Started A Change.org Petition Fighting India’s Late Payment Culture

 

(Our petition against India’s late payment culture can be found here)

The Late Payment Problem

We’re going to keep this short. Now that 97% of Indian SMBs were reportedly paid late in 2015, the late payment culture in our business environment has gotten out of hand.

Today, India officially carries the longest average payment delays in the Asia Pacific for B2B SMB invoices, 51% of which are always paid late.

The system currently in place is flawed, and heavily skewed in favor of the largest buyers on the market. The judicial system is over-burdened. It consequently delivers justice far too late to save businesses whose money is trapped in clients’ accounts.

What’s more is that the entire idea of justice by law in business is a debunked protection. Smaller businesses almost never take non-paying clients to court because they fear losing out on future contracts. They would rather suffer through the impact of being paid 90 to 120 days late, while their salaries go unpaid or they miss out on larger opportunities to thrive.

This isn’t guesswork either. Not only has this been verified to us in our hundreds of interactions with Indian CFOs and CEOs, but a commission established to study the impact of the EU directive against late payment found that 60% of European small businesses never even consider a legal battle as an option because they don’t want to spoil working relationships.

And why would hard-working Indian businesses, which prefer compromising to build strong working relationships with clients, be any different?

Our Motivation

As supporters of the business reforms espoused by our esteemed Prime Minister, Shri Narendra Modi, we believe that unorthodox action begets change. And yet, the late payment protections for businesses in India have stagnated in the same state for the last twenty years.

The last committee set up in 2014-15 to study further updates required on the MSMED Act – which provides these legal protections to SMBs – did not even consider the necessity for better options. This was despite the comprehensive database of studies measuring the horrendous effects of late payments on the Indian business environment.

Instead, they directly skipped over the issue of late payment protections, and jumped to the question of “How can we provide more access to loans for these companies?” And all we ask is, why? While access to credit is vital for businesses in any growth economy, late payment is the root of significant troubles in the world. It causes bankruptcy and unemployment, and increases barriers to survival in the business world. It also has a significant impact on inflation since businesses up and down the supply chain mark up prices to survive late payments from their clients.

As a single factor, trade credit is indispensable because it allows companies to keep running operations even during temporary working capital shortfalls. But when it extends to the point where clients refuse to pay their suppliers intentionally, as was the case with 38% of Indian SMBs paid late last year, it needs to be addressed.

A late payment culture which forces sellers and suppliers to simply accept it as an unaddressable pain is the equivalent of a cancerous tumor. It creates chaos, and no one can entirely predict which sections of the body it will hit next if left unchecked.

And this tumor isn’t very difficult to target either. Rather that It’s grown this large from a lack of trying than a lack of successful solutions. While we sit and attempt to convince you of the horrific effects of this problem, the UK government has now passed legislation mandating all large companies to release the details of their payment practices twice a year.

This means that SMBs and startups dealing with larger companies will now be able to check beforehand what the average payment term for their prospective client actually is even before signing them on.

Singlehandedly, this increased visibility has become the best prospective protection against large businesses which exploit their financial influence on their supply chain. Now, with the reputation of their leadership on the line, larger companies have lesser incentive to hoard cash while not paying suppliers.

Even though this may not be immediately possible in India’s current business and political environment, our motivation is to bring about similar unorthodox solutions to protect the average Indian business.

What We Want

What we want is simple – for you to sign the petition, and support us by sharing it among your professional and personal circles. This is no longer a problem which affects business alone, but is also a big contributor to why life in India is getting significantly more expensive year on year.

Next, we want the government to approve another sitting committee which will accept input and feedback from the private sector for meaningful practical solutions rather than laws which look good on paper.

Instead of adding more courts alone, which will be overwhelmed just as soon by India’s burgeoning case burdens, we are pushing for the establishment of a first line of defense. We want for policy to allow for out-of-court protections which can be enforced in straightforward non-payment cases, thus clearing the line in courts for more complicated business disputes.

To this end, as some of the most prolific activists pushing for more awareness of the phenomenon of late payment in India, Hummingbill intends to release a policy white-paper for the Indian government as well in the coming month.

Keep an eye on this space for more updates on this exciting journey. Now that we can depend on your support, click here to read and sign the petition.

But, before you leave, what policy recommendations would you put forth from experience, which could help fight the late payment culture in India? Leave your answers in the comments section below.

change.org

 

 

 

Why Flipkart Taking Clients to Court For Non Payment Is A Big Deal

Flipkart_2673995f-300x175

What’s The Scoop With Flipkart?

 

“The digital industry is suffering because there have been several cases where advertisers default on payment… We do not have a strong industry body in terms of payment collection yet.” –  Amar Deep Singh, CEO, Interactive Avenues

 

(article originally posted here)

Between April and May 2016, one of India’s e-commerce leaders – Flipkartfiled cases against 20 of its clients for payment, to collect unpaid advertising dues.

 

Unlike Snapdeal and Amazon, who charge their clients ahead of time,Flipkart provided advertising services to clients on credit.

 

Though this move made sense as an advantageous proposition to attract more clients away from competitors, they have now initiated legal procedures against non-paying patrons who respectively owe them anywhere from Rs. 90,000 ($1,350) to Rs.1 crore ($150,000).

 

Is This Non-Payment A Common Problem?

The Indian business culture is infamous for the chaotic state of its payment practices. In fact, India has the longest average payment delays in the Asia Pacific region (Atradius Payment Practice Barometer).

 

Furthermore, 97% of Indian SMBs were paid late by their clients last year.38% of these businesses claimed that the late payment was an intentional move by clients. It was a means of using trade credit to finance their own working capital needs.

 

What’s more is that most of these companies will never enforce their contractual terms on overdue Accounts Receivables. Even when 1 in 2 B2B SMB invoices are paid late. And 1 in 7 B2B invoices are still pending past 90 days.

 

This is because enforcing a contract in court for non-payment by a client can take up to 3 years and 40% of the claim value to resolve (Doing Business India). By the time suppliers manage to get their money from the over-burdened court system, they’re already sinking under.

 

Which means that larger clients and buyers run pretty roughshod all over smaller SMBs in their supply chain. They even threaten to withhold payment altogether if their suppliers don’t give them unreasonable discounts to get paid faster.

 

Large buyers are well aware that their smaller suppliers are:

  • Either not aware of their legal rights in such situations;
  • Won’t act upon their legal rights because they would choose preserving business relationships over getting paid faster;
  • Will be tied up in an expensive legal case for years if they try to take matters to court.

 

This has created an environment where only the most exclusive businesses can demand payments upfront. While others are usually forced to roll the dice on the kind of client they land up with. Or have to face being ignored altogether by prospective customers.

 

To put this in perspective, for all the talk of “Why don’t businesses just demand payments upfront”, 98% of Indian SMBs extended goods and services on credit to their clients in 2015.

 

And if you think the situation is bad for regular Indian SMBs, it’s even worse for businesses which deal in digital services or mass communication products.

where in the world is that payment

So Why Does This Story Matter?

Because the Internet and Mobile Association of India (IAMAI) has used the publicity provided by this issue to push for the development of a payment recovery mechanism for their industry.

 

Several of the largest digital communication platforms and services are members of the IAMAI. And the organization is wisely using this move by Flipkart to justify enforcing meaningful out-of-court payment protections for the digital communication service industry in India.

 

The issue of late payment has been a given in the Indian business culture for a long time, to the point where it’s barely mentioned in mainstream media. Even according to law firms interviewed on the Flipkart matter by YourStory staff, this case has gained significance in the media only because a large brand like Flipkart was involved.

 

This is why, by this point, we’re sure you’re asking – How does this affect me as a small business? Of course Flipkart, a well-known brand, would be able to afford taking its clients to court. Yet if we, as small businesses, did the same – we’d probably be bankrupt by the time a verdict came in.

 

First, most late or non-payment situations can be addressed by integrating global best payment practices into your business – which Hummingbill’s Gmail plugin automatically does for you for free.

 

SecondIndian companies are gradually getting less court-shy in getting back money they’re owed by non-paying clients.

 

Third, the actions of the IAMAI shine a light on the necessity of out-of-court payment mechanisms.

 

Yet, none of the mechanisms put in place by the IAMAI’s committee will protect other non-member small businesses like you or us. Even though we need these defenses just as sorely.

 

With that in mind, we at Hummingbill are scaling up our war to break India’s late payment culture in the immediate future. The Indian business culture needs a concentrated effort to create better non-litigious protections which can be enforced. SMBs and startups need shielding from larger buyers who wish to exploit their position on the supply chain.

 

And for that effort, we will need the support of every single one of you. Keep an eye on this space for more information over the next few days.

 

In the meanwhile, let us know in the comments section below. If you had the ability to enact out-of-court enforceable protections against late paying clients, what measures (except straightforward mediation) would you put in place?

– Adam Walker & Aniket Saksena

Get to Learn from @Zoho – Zoholics: India, Nov 20-21, Bengaluru

We have been around for the last 18 years, making software for businesses around the world. At Zoho, software is our craft and our passion. Our people spend years mastering the craft, and their handiwork are the 30+ products that we now offer. With more than 10 million users across the world, we are one of the largest IT product companies based out of India. This journey has taught us many things, and we are ready to share our experience with you.

We are holding our first-ever event in India on Nov 20 and 21 at The Ritz Carlton in Bengaluru. At Zoholics: India, we will share our story and talk about creating world-class products, and selling them to a global audience, from India.

Other sessions include, product vs services mindset, engineering products, running a business on a budget, whether to take VC money or not, and much more. To view the full agenda, click here.

zoholicsJoin us at Zoholics:India, to learn, share and explore the Indian innovation in IT, through the lens of Zoho.

Who should attend and why

Entrepreneurs and Startups: It does not matter what business you do. Business apps can greatly increase your productivity and help you streamline various processes. This will leave you free to do what you love. At Zoholics:India, you can learn about which tech-tools are best suited for your business, how to position your product in the international market, and whether taking venture capital is good for your business or not.

Aspiring Entrepreneurs: Learn about various opportunities in the local market and how to create world-class products and sell them to a global audience, from India. Also find out how to capture the attention of an increasingly mobile-centric world.

CXOs and Managers: Discover some of the best practices in online marketing for selling to a global audience out of India. Know about the market trends and opportunities.

Technology Geeks: Learn about cloud-based technology and how it is affecting the local market. Find out more about business apps and latest trends.

Business and Technology Analysts: At Zoholics, we will discuss product vs services mindset, how college credentials are of little value as the real learning happens at the workplace, market trends and much more. Also, use this opportunity to learn more about the cloud market in India.

To register, log on to ZOHOICS India website. Use the discount code: ISP to avail a 15% discount.

Guest post by Raju Vegesna, ZOHO

 

“Potential of Software Products from India” – Insights from an interview with Prof. Rishikesha T Krishnan, IIM Bangalore

In an interview with Govindraj Ethiraj on the changing paradigm of the Indian software industry, Professor Rishikesha T Krishnan, IIM, Bangalore, talks about how the software industry is getting transformed from a services oriented model to creating successful products. He cites FusionCharts as a great example of finding a niche market and moving to the cloud as an efficient mechanism to deliver and service customers.

 

Lets Not Lose the Reason and Season for Products

One of the long running debates in the Indian technology entrepreneurial world is whether India will ever engender global product companies or will it be destined to be a purveyor of services and a consumer of products and solutions that are imagined, created and marketed by others. As in most things, and especially true for India, there has to be a reason and there has to be a season for anything to occur. So what has occurred? What’s the reason? What’s the season?

What has occurred and is occurring with increasing velocity is:

  • Services companies are passé.  Almost all companies being created today are products or solutions (ie services around a core product offering)
  • These companies are largely to be found in the telecom/mobile domains utilising SaaS/cloud based delivery. This isn’t surprising since telecom/mobile are global scale, scope and market opportunities in India; SaaS/Cloud based companies can inexpensively cater to the world leveraging expensive and complex infrastructure built by others.
  • Talent from global tech companies or even from overseas is coming together to capitalise on these opportunities.

While these are heartening developments, what is more interesting is the opportunity ahead-  across each and every sector of the economy.

What’s the reason though for all this?

Increasing competition, awareness, technology adoption, and the like are beginning to convince more and more companies, across the board, of the importance of investing in technology to drive efficiency, productivity, quality and indeed competitiveness. Technology for all practical purposes today is all software: from vehicles to logistics to hotel, bus and airline reservations to rocket launches to banking to fraud detection to communication to education to anything-else-you-can-imagine! India is beginning to realise that it can be a market on a global scale for solutions as each of these sector s is plagued by colossal global sized problems.

Why is the season right?

Without the right season, no fruit would ever ripen. The season, in this case, is the environment:  enormous numbers of youngsters – aspirational, aware, impatient, confident, unafraid, educated, driven, the growing presence of avenues for these youngsters and their supporters, backers, service providers – investors, mentors, partners of all kinds– to experiment.

The collision of the reason with the season is accelerating this process at an increasing pace.

But before we all start hyperventilating, it is useful to remember that India, despite being the world’s largest producer of milk and in spite of being a milk surplus country, isn’t known around the world for its milk products! There’s a lesson in there somewhere right?  And as a country, we’re known to grab defeat from the jaws of victory with unfailing regularity and precision.  Some important points to keep in mind:

  • Most of the young product companies, especially those that have the connections, are either considering or already have set themselves up as overseas entities. Why? To escape from the mind-numbing red-tape, to enjoy operating freedom, for reasons of branding, protection of intellectual property, to get the benefit of taxation, investments and exits.  Is this desirable? If not, shouldn’t there be policy mechanisms to ensure that the reasons for seeking overseas domicile are minimised? When all countries are laying out red-carpets for companies to come to their shores, why are we intent on driving away those we have?
  • Local branding and awareness generation: Are there sufficient role models for Indian customers? Is it a matter of pride for the country if a world class “Made in India” product is used? What can and should be done to make this happen? Examples from what Taiwan and Korea did are relevant here. Remember, branding isn’t advertising. It is the delivery of a promise, consistently.
  • Industries that are global scale in India eg  defence or where India offers unique challenges eg retail and distribution? Co-option of stakeholders to build world class solutions in these areas is a possibility.
  • India, one would imagine, is ripe territory for the creation of unique voice based products and solutions, given the illiteracy, proliferation of languages and accents. Yet there’re no solutions here. Education – quality video over low bandwidth lines – can be a gamechanger. What about offering cloud based mobile apps for managing businesses for the large number of SMBs?

There are obviously opportunities and possibilities. But without the coming together of like-minded people driven by the desire to effect change across industry clusters via policy, awareness generation, branding, crafting solutions to solve Indian problems, the season to ripen fruits will pass.

This is a season where the coming together of young people, using technology, knowledge, research, engagement, drive and passion, are driving large changes in the way democracy and politics are practised for the better in the Indian nation. Surely, building a product nation is far simpler? Are we all up to it?

Shaping Small Business India

Small Businesses play a significant role in a developing economy – from creating valuable business opportunities to employing a large chunk of the workforce. They are the drivers of growth contributing significantly to a range of sectors and industries.

Small Businesses produce nearly half the manufactured output and are also the largest employers of workforce in India after agriculture. Roughly, 75 million people in India are employed with small businesses. They contribute approximately 9-10% of the Indian GDP. An estimated 90% of industrial units in India come under small businesses. They contribute to 40% of value addition in the manufacturing sector and 35% to India’s merchandise exports.

With such significant contributions, it becomes imperative to encourage the growth of these businesses in India. We are now witnessing an increased focus on small businesses from several government institutions, corporate houses and financial entities. The government, by recognizing the small business opportunity, has introduced various policy measures to help them grow. It is also working towards promoting the small business segment by capacity building measures to keep them updated on emerging areas of business and familiarizing them with the changing laws and regulatory frameworks. Today, the government is developing a positive environment to encourage new businesses and entrepreneurs by providing support in several ways including financial assistance by allowing medium-term loans, reduction of interest rates by RBI etc.

India is a huge market brimming with many opportunities. This has encouraged the growth of the small business segment and brought tremendous success to entrepreneurs and business owners. So far, these businesses have limited their operations to the local Indian market. Increasingly entrepreneurs are keen on expanding to other markets and establishing a global identity. Today, the Indian small business industry is aiming for global markets, ready to compete against global giants. This is an encouraging sign and this industry needs to be provided the right support to cater to global needs.  Industry exchange programmes and access to market research data will help develop an understanding of the global market and its needs. Government support in setting up technology infrastructure will boost productivity and quality for these small businesses.

Another aspect that is essential in creating a positive environment for small businesses is to have friendly regulatory policies. Allowing Foreign Direct Investment, speeding up approvals, creating a single window system for information, simplifying operational frameworks etc. are key factors that will contribute towards the growth of small businesses in India.

Even with adequate support from the government and the private sector, small businesses in India face several challenges which need to be addressed. Prominent among them is the lack of access to technology and financial management resources. Despite various schemes from the government to enable easy access to capital, small businesses struggle to raise adequate funds. Private sector can contribute towards this issue by infusing equity funds and venture capital. In a study conducted by Intuit supported the Ministry of Micro, Small and Medium Enterprises, Government of India, pointed out that small businesses in India are yet to realize the full potential of technology as a game-changer for business. The study also highlighted the top barriers to technology adoption being cost, lack of skilled manpower, low awareness of the benefits of technology, poor infrastructure and concerns about security and privacy. A collaborative effort is needed to address these concerns of small businesses and identify and develop solutions through participation from various quarters. A collective approach with government and private sector coming together is the ideal way forward.  Intuit in association with NIESBUD has introduced a financial literacy programme aimed at helping small business owners understand financial management. Initiatives like these are a positive step in bridging the gaps.

Key hindrances to the growth of small businesses also include lack of infrastructure and limited access to institutional assistance.  Infrastructure hassles have to be addressed on priority as it forms the base of starting a business and also affects productivity. Setting up SEZs, improving transportation through better road and rail connectivity, allowing reforms in telecommunication etc. will help address few problems related to infrastructure. Another challenge for small businesses is labour and talent acquisition. Start-ups and small businesses are generally not considered attractive career options. Participation in education and career related events and academic outreach will help in reaching out to youth and spreading awareness about this sector. Growth and success of small businesses will also automatically make them lucrative for acquiring the right talent.

There are a few factors that even small businesses need to keep in mind to succeed before starting out. Understanding the market is the topmost among them. Considerable research is required to comprehend the ‘what’, ‘why’ and ‘how’ of the market.  It is necessary to understand the market preparedness for your product or service. Evaluating possibilities, pricing and competition will help build a credible product or start a service. Re-organizing and implementing necessary changes is essential to sustain in changing markets conditions.

Lastly, success in entrepreneurship and running a small business is not just dependent on the external factors as discussed above but on the internal ones such as the mindset of the entrepreneur. Challenges are abundant in starting a business but the will to find solutions and overcome these challenges is the key.

It’s time to open the gates wider

There is a growing nervousness among foreign investors putting their money in India. The Global Entrepreneurship and Development Index 2012 revealed that India, Asia’s third-largest economy, ranked 74th out of 79 countries, making it an unviable country to start a business. There is a growing nervousness among foreign investors putting their money in India.

Fewer than 150 start-ups are promoted by venture capital or angel investors annually in India compared to over 60,000 angel investments in the US. In 2011, Indian angels, constrained by regulations that make both investing and exits cumbersome, invested only about Rs.100 crore in around 50 deals compared with Rs.2,000 crore angels invested in Canada.

These figures don’t surprise Indian product software start-ups. India has produced few of the world’s leading software products, has 3,400 software product start-ups, and adds 400 every year. But it needs the right environment and incentives to build a world-leading industry.

For several decades, the Indian ownership laws and the investment and business environment have not allowed a conducive setting for the brightest of minds, many of whom have migrated to California. The new Indian entrepreneurs spend significant time on product development to build patentable products with a global market. However, as soon as the product gains traction, venture investors and professionals advise entrepreneurs to move the holding structure, if not the entire business, outside India. The main reasons are as follows:

Financing:

In today’s world talent and ideas are mobile. Singapore, Hong Kong, Chile and the UK are offering attractive financing (debt and equity) to Indian companies to relocate their business. They are also offering tax benefits. This is starting to result in real migration of promising companies out of India.

Maze of rules:

In India, we have foreign direct investment, VCI (venture capital investment), foreign institutional investors, Reserve Bank of India, fair valuations and draconian consequences for inadvertent slip-ups, while in most major economies there are no restrictions.

Taxation:

Capital gains (20%) as well as dividends (dividend distribution tax of 12.5%) even for foreign investors. In most major economies, foreign investors are not taxed on their capital gains and dividend income on their investments and owned businesses. India’s tax policy does not help a product business to attract the right kind of investors and acquirers, and is a hurdle for those interested in foreign acquisition in a stock deal as Indian paper is not an attractive currency. In the UK, for example, investors can write off any investment losses against income, and this significantly reduces their cost of failures.

Open economy:

India does not treat foreign investors on par with local investors, unlike the US, the UK, Europe, Singapore and Hong Kong, which have no restriction on ownership and company structures, and for the most part, regulatory filings (except some strategic and security related issues).

India needs to build an attractive regime to retain the software products business and its intellectual property, which is highly mobile. Incentives and special regimes for businesses that create IP and file for patents will give the industry a big boost. Among the solutions are the liberalized ownership rules with exemptions from regulatory filings and specific regimes (FDI/VCI/FII, etc.), specific exemptions from capital gains and dividend taxes for investors and tax exemption on foreign income of Indian software product companies. Why not go even further and build a fully liberalized virtual special economic zone for ownership and operation of software product companies, with India signing an iron-clad double-taxation avoidance agreement the virtual SEZ.

India needs to proactively grab opportunities, or risk driving the whole industry abroad. We have the potential to create multi-billion dollar global product companies every year, and the benefits could run into trillions of dollars over a decade or two.

This article first appeared in the LiveMint