iSPIRT works to transform India into a hub for new generation software products by addressing crucial government policy, creating market catalysts and growing the maturity of product entrepreneurs. Welcome to the Official Insights!
Shri Rajiv Kumar, Joint Secretary in charge of the National Policy on Software Products (NPSP 2019), and Senior Director Dr. A K Garg met founders and leaders of 20 SaaS companies in Chennai on 13th March 2019. At the meeting it was discussed that the NPSP, announced by the Government of India on 28th February, will soon create a National Software Product Registry, where SaaS companies can register and have access to the GEM portal. Also, the procurement process will be suitably amended to allow Govt. departments to procure and use SaaS products. The ‘National Software Product Mission (NSPM)’ envisaged in the policy will be set up at the Ministry of Electronics and IT (MeitY).
The Government has launched NPSP 2019 to focus on the software product ecosystem. iSPIRT has been advocating the cause of the SaaS segment in software products and its importance for India to remain a force to reckon with in software in the next 25 years.
The event was a golden opportunity for SaaS company founders and leaders to provide feedback to the senior officials in Delhi and to understand from them the vision they have to make India a software product power. Twenty SaaS companies were represented at the event.
Speaking on behalf of SaaS founders, Suresh Sambandam, Founder and CEO of OrangeScape, said, “The global landscape has changed very fast, driven by new technology. We have a 2 trillion dollar opportunity for the SaaS industry. If we get our act right, India can aspire to remain in the global game in the software industry.”
The roundtable was organised by iSPIRT Foundation to give officials direct interaction with the SaaS industry and an understanding of its issues, problems and opportunities, enabling the Government to carve out further schemes/programs under NPSP 2019.
It is a moment of delight at iSPIRT to see the Govt. of India setting its focus on “Software Product” with the announcement of the National Policy on Software Products on 28th February 2019. The policy, framed by the Ministry of Electronics and Information Technology (MeitY), aims to sustain India as a global power in the software industry amid the emerging technological changes impacting the industry.
A link to the PDF document of NPSP 2019 on the MeitY website is given here: https://meity.gov.in/writereaddata/files/national_policy_on_software_products-2019.pdf
iSPIRT held a discussion on NPSP 2019 on 2nd March 2019 with Dr. A. K. Garg, Director MeitY, and iSPIRT volunteers Shoaib Ahmed, Amit Ranjan, Nakul Saxena and Sudhir Singh. A video of the discussion is placed below.
Given below is the transcript of the main part of the discussion. (We have tried our best, but it is not a verbatim transcript; it records what each participant said in essence.) It is advised to watch and listen to the video.
Sudhir Singh started the discussion and invited Dr. A.K. Garg to give an overview on the policy.
Dr. A.K. Garg – The policy gives a holistic look and a single window opportunity. Issues involved with HS Code. Three-tier effort of building a talent pool. First, apprising students at school level that there is a difference between product and services. Second, a dedicated pool of developers dedicated to products. Third, developing a pool of people who can be mentors.
The other aspect we have looked at is how do we provide dedicated market access to the product space. Unless and until there is a dedicated and early market access, we cannot create opportunities. We have not looked at graduating this from services industry to product industry, but we are looking at a completely new set of eco-system that will be created around the product space; that is one thing which is very important and a hallmark of this policy.
Sudhir – In Strategy section 1, which deals with ‘Promoting Software Products Business Ecosystem’, creating a ‘Product registry’ was an important aspect that can be further utilised to create incentives, schemes and programs.
Amit Ranjan – What cannot be measured cannot be improved; going further on the line, what cannot be defined cannot be measured. The government is taking a proactive view of first defining what is a Product, and then a logical breakdown of that is building the registry, building the classification and codification system. So at least the system recognizes the different dimensions and different players in the industry, and then once you have a clear understanding of it, then you know you can tailor policy and you can do specific things for specific parts, and creating this registry will lead to mapping the industry, and thereafter many things could emerge out of the system.
Nakul Saxena – One of the main objectives of iSPIRT was to create a special focus on Software products and thanks to people like Mr Garg and Secty MeitY and the Minister that we finally got this out. The HS code creation can help product companies to get preferential inclusion in Government procurements and Software products being included in many of the international agreements, especially where Govt of India gives grant to developing countries.
Shoaib Ahmed – Is the definition of Software product clear? (referring to the early phase of development of the policy, when there was a lot of debate on this part).
Nakul – The definition of a Software product company is that the company needs to be owned 51% by an Indian origin person and IP should reside in India.
Dr. Garg – A lot of thinking has gone into Software product and Software product company. The first and foremost thing is that it is a very dynamic world, and what we have taken is an approach where the Software product definition can adjust to changing dynamics. Initially we thought we will not keep any definition, but ultimately we had to, with pressure of various stakeholders.
Sudhir – requested Nakul to take up the second Strategy section on Promoting Entrepreneurship & Innovation.
Nakul – One of the important features of the Policy is that Govt. and MeitY will be putting together 20 Grant Challenges to solve for specific eco-system problems in education, agriculture and healthcare. He mentioned that Secretary has asked to quickly start working on the Grant Challenges.
Dr. Garg – Can we crowdsource ideas using iSPIRT and the Policy Hacks platform?
Nakul – Yes, we can. This is a welcome idea and suggested we can have Policy Hacks session to structure discussions and then invite ideas.
Dr. Garg – (further spoke on skilling) For skill development to suit the product space, one has to think product and live with it. We have to think through a program that can create a pool of 10 to 15 thousand product professionals who understand the product eco-system and can help innovation and creation of new ideas and/or mentor product companies. And that will be the most important dimension for creating a product eco-system.
Shoaib – I think that is a wonderful point and a very important point, beyond the technology and is a combination of skills with one being important is understanding of product market and development of these skills is important.
Amit – The way to think about it is that we have to catch people when they are young, and I actually see this play out a lot of times when students are in their secondary education, when they are doing their class 10th or 12th; if you are able to educate them at this stage then it takes very early root in their mind. Product system is all about being experimental and all about failing, then retrying and then improving via every attempt. We should educate them about what is a Product and how it is different from Services. We do not have a lot of Product success stories from India. But educate them, and then skill building comes at the secondary stage.
Dr. Garg – We do not have to replicate the Silicon Valley model, and that will never work. We have to think of an India-specific solution that will work.
Shoaib – We need to create an India eco-system, there are a few success stories which we have in India, we need not copy but which need to be understood.
Sudhir – There are two more points covered in this section of Strategy. One is on common upgradable infrastructure to be created to support startups and software product designers to identify and plug cyber vulnerability. The second is that a Centre of Excellence will be set up to promote design and development of software products.
Dr. Garg – the first market in Cyber Security is Govt. So creating a single repository of various Indian Cyber products will help. The other thing could be understanding Indian cyber problems and through Challenge grant on some of these problems.
Sudhir – let us take up the Strategy section on improving access to market. Requested Nakul to start.
Nakul – For Indian companies to start growing and start scaling, it is important to get some anchor customers. The policy has taken care of this aspect for Product companies to get access to anchor customers and then compete within domestic and international markets. But the product entrepreneurs also have to be aware how to deal with Govt. RFPs.
Dr. Garg – So the first two anchor customers are important. In the Govt. space we are working on Gem to provide an interface to Indian Software products. But we need to think how these product companies tie up with System Integration companies and their interests are not compromised by SIs. The second thing is awareness building in various Govt. agencies. A young entrepreneur may not be able to get to the right stakeholder; how does he get this access is what we need to think through. We will be very happy to get your views on creating access to first market.
Amit – This is a very important point, especially in the context of SaaS companies; there is an unwritten rule that the Indian domestic market is not big enough or does not pay enough to sustain many of the SaaS startups. And that is why many VCs are suggesting that you can build a SaaS company out of India, but that is essentially for engineering and product design, and for the market itself you will have to go overseas. Development of the Indian domestic market is extremely important. One of the factors which will play a role there is kind of graduating these startups up the Quality ladder as well. The buyer will look for the best product in the market at the best price. By focusing on Quality, they can compete with foreign companies. It is very important to break this negative feeling in the eco-system that if you are SaaS you cannot sell in India, you have to go out.
Shoaib – My point is about Quality software and creating an eco-system. Selling Software, servicing Software and managing Software is a completely different eco-system. Making sure that policy supports that and recognizes it is the first step. I think we have started with that and I am happy to spend more time to contribute on what it takes to do this.
Dr. Garg – If you have Quality and you do not have a brand, it is a challenge.
Sudhir – This section of the Policy again mentions creating a Software product registry and connecting this with Gem for government product.
Sudhir – Let us move on to the last strategy section, on implementation. I remember that the ‘National Software Product Mission’ (NSPM) was proposed by iSPIRT into the policy. NSPM can play a vital role as it can become an umbrella cover. Using this it may be possible to create many schemes and programs. For example, we have a formidable SaaS industry and it may be possible to quickly create a SaaS product registry and use Gem to get access to Government. Once the registry is created, maybe Govt. can also issue an advisory to state Governments to adopt products from this registry.
Dr. Garg – One of the important things is we have to educate the people, and secondly, we have to educate the people on procurement model. Most of the time procurement models are one-time purchase, whereas in a SaaS you have to budget every quarter or every month or it will be pay per use also. Which is a very difficult proposition in Govt. to be approved.
One of the things that comes to my mind is that the entry barrier has to be made easier, e.g. there is a lot of activity around e-commerce. Now Govt. is actively going to promote product. The e-commerce system is far more developed; it has lower gestation. You can find a few companies having valuations of a billion dollars, but that is not true of Product startups. So, we need to see how we make the entry barrier lower for entrepreneurs of product companies, otherwise human nature is to go by the path of least resistance. Product takes much longer to build, the gestations are much longer, the risks are much higher.
Shoaib – The challenge is to get role models going, to showcase this. Education is something we have been talking about from two dimensions: one is the entrepreneur, second is the Indian SME customer or the Indian customer.
The participants deliberated further on the importance of early implementation of NSPM, working on the various sections of the Policy and providing active support from iSPIRT. The discussion was closed with final remarks from the participants. (Please listen to/watch the video for further details on the final deliberations.)
The main salient features of this policy, for the benefit of users, are as follows:
The vision is to make India a software product leader in the world.
In its mission, it aims at a ten-fold increase in India’s share of the global software product market by 2025, by nurturing 10,000 technology startups, upskilling 1,000,000 IT professionals and setting up 20 sectoral technology clusters.
The policy has 5 strategies for its implementation.
Strategy area 1 intends to create a congenial environment for software product business.
An important feature of the policy is the creation of a Software product registry of India that can facilitate implementation of schemes and programs in future, and the creation of an HS Code category for Software products.
To boost entrepreneurship, it intends to create a Software Product Development Fund (SPDF) with 1000 Crore contributed by the ministry in a fund-of-funds format, the remainder coming from private sources.
20 dedicated challenge grants to solve societal challenges.
Readying a talent pool of 10,000 committed software product leaders.
Improving access to the domestic market for Software product companies and boosting international trade for Indian Software products.
Lastly, setting up a “National Software Product Mission (NSPM)” to be housed in MeitY, under a Joint Secretary, with participation from Government, Academia and Industry. NSPM will further drive implementation of the policy and be able to craft schemes and programs for the said purpose.
An important part, announcing the scheme, has been done. This now has to be leveraged to create momentum in Software product. iSPIRT is committed to seeing the further development of India as a Product Nation.
This PolicyHacks recording was done on 2nd January 2018 at 5.30 pm, covering a discussion on the proposed rules (amendment).
iSPIRT volunteers Sanjay Jain, Saranya Gopinath, Venkatesh Hariharan (Venky) and Tanuj Bhojwani, and Bhusan, a lawyer from IDFC, participated in the discussions with Sudhir Singh.
The main aspects of the draft amendment and its impact on Software product companies and start-ups in the tech world in India are covered in the discussions. A transcript of the discussion is given below to read, or you could choose to listen to the recorded audio/video on YouTube embedded below.
The draft rules mainly cover information published by users on intermediaries, also referred to as platforms in this discussion. The three broad aspects that the draft rules cover are:
Putting higher onus on Intermediaries on objectionable content
High level of compliance and penalties
Enforcing traceability of objectionable content
With the above introduction to the topic, the floor was opened for discussion by host Sudhir Singh. Below is the transcript of the contributions made by participants (the transcript may not be word for word but follows the semantics of the contributions made).
On the question of how the draft rules will impact industry
Sanjay Jain – “Two, three elements that you have highlighted in there.
First is the definition of the platform player. Intermediaries are broadly defined. They include everybody from telecom players, ISPs, a Social network and even a site like apartment Adda, Baba-jobs, because all of these will have some kind of user generated content, which is being published and shared with others. While the law drafting may have had one type of intermediary in mind, but it actually applies to all of them and as such that is where some of the issue starts.
Second part is that by moving some of the Onus to the platform, and I actually think they have not fully moved the onus to the platform, which is very dicey situation because, they have moved and not moved at the same time. And because, the onus is primarily still on the Govt. to notify to the intermediary, that there is something objectionable and they have to remove it. But, at the same time they have said that intermediary shall develop technological means for identifying all of this, as well. Sometimes there is an assumption that technology can do a lot, and in reality while you can have 99.9% accuracy, you still have those 0.1% and that becomes an issue.
Third part, I wanted to say is cost of compliance goes up considerably. They have put a limit 50 Lakh users in India, though we believe 50 lakh may either be little low. They should go little higher and depending upon type of user generated content they should allow for little graded form of compliance.”
Bhusan, from IDFC Institute – “As a context, these rules have come about are drafted based on earlier rules of 2011 and have some new features like graded approach such as significant intermediary to non-significant intermediary. They have put time lines in terms of response from intermediary and so these rules are being built upon existing set of rules.
There is some sort of tightening of the compliance on intermediaries, e.g. a 72 hours time line for response. If you are a significant intermediary, then you have to be incorporated in India and have to appoint a person who is available 24X7, and you also have to have proactive measures to screen content on your side. Some of this is coming from frustration of getting information from intermediaries.”
On the issue of how practical these numbers are for small players, and how to save start-ups
Sanjay Jain – “Differed assumption is that if you publish any content which is against the law, you are liable. Being an intermediary protects you. If you remember the case of Baje.com, the only protection they got was proving to be an intermediary. Hence, you want to call them (Start-ups) intermediaries but get a better procedural control to stop harassment at hand of low level law enforcement.”
Tanuj came in and quoted the line after 72 hours in section 5, which says, “as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto.”
According to Tarun, this statement is so broad that any junior level officer can say I got information that someone from Hissar in Haryana is harassing a person and give information of all users in Haryana.
Venky – “I agree with Tarun, we have the laws or the rule meant to be more sharply defined and have sharp implementation guidelines. In this case seems to be pretty loosely framed.”
Sudhir Singh – “There is another issue in the draft rules on once-in-a-month information to users, and taking their consent. Any hard compliance with rules is normally easier for large players; they may easily invest and handle it with technology, but for small players and start-ups it is a difficult situation to comply.”
Sanjay – “From technology experience we learn that if you make something automated, users ignore it. So, what will happen is this will be implemented by sending one email to every user, once in a month, stating if you don’t comply, we will delete your account from the platform.
That’s an email that is going to get ignored. So, it is a very ineffective suggestion. Also, there is an implicit assumption that all users are identifiable, which is not the case always. So, just to implement it you will have to identify users. That may not be a valid requirement.”
Bhusan – “On the point that you need to have more than 5 million users. My question is procedurally how do you even establish that?
Will platforms have to do GPS type of tracking to ensure that, and does this not create a privacy risk in itself? E.g. I do not know whether platforms like Quora know that they have more than 5 million users in India or not. It seems there is this focus on regulating Big Techs and this 5 Million number really comes from that.”
Sanjay – “Basically, anybody can be hosting user generated content. So, let us say we are on a common platform, and there is a message flowing from me to you. If I violate the law, and let’s say the message is liable of incitement or any other law, then I should be held liable and not the platform.
For that platform needs to be qualified as intermediary, put under safe harbour and intermediary takes on the responsibility of helping the law enforcement. So, we should not take up start-ups out of its ambit. What we have to do is make sure that, the conditions required is that conformance to the standard should not be so terrible that start-up should be excluded.
So, we need to sharpen the requirement that they should be conforming with and make it easy enough for somebody to conform.”
It is being discussed that Govt. is aiming for higher level of Penalty. What should be our recommendation?
Tanuj – “If you take a very young company, any sort of hit is bad, but if you can put it on a proportion of revenue basis, it will be at least more forward thinking, even if it is not absolutely fair, in some sense more fair than not having that rule or having a flat rule. The amendments or changes we should think about in moving the penalty would be not being in favour of arbitrary penalty.”
Tarun added – “Our recommendations should be around sharpening rules, like who can use it who cannot use, what are the accountability measures on them, more than magnitude of these numbers.”
Saranya – “Just to address the Data protection law vis-à-vis intermediary act. The subject matter of Data Protection law is ‘personally identifiable information’, whereas Intermediary act tries to cover ‘all communication in some sense’ and hence, Intermediary act has a longer leash with regard to the person who can take the intermediaries to task.
The criteria of what would be offensive under Intermediary act is very different e.g. encouraging consumption of narcotics. Hence, the criteria that a person can take intermediary to task is extremely wide and needs to be curtailed.”
Bhusan – “There is an inherent subjectivity in these rules and there is a need for some sort of standard procedures on how these rules are applied by law enforcement agencies across. All that these rules say is – any request has to come in writing and intermediaries have to comply with it.”
Venky – “From an implementation perspective we need implementation guideline. Section 5 is so wide that anybody can drive a truck through it.”
How should the numbers (e.g. 72 hours period to respond and 50 lakh users) be defined in a manner that suits Start-ups who are in the early phase?
Sanjay – “Broadly, we need to identify the places and various numbers to apply proportionally depending upon the size of entity and size of violation, in our feedback to the Government.”
Sanjay also drew attention to “Appropriate Govt”, which needs to be defined well. He said, “What we want is the Govt. agencies to be defined.”
Bhusan – “This is a very standard way of defining. I have not seen any precise definition on specifying agencies in general regulation and I do not see they will start with the IT act on this.”
Bhusan mentioned that another important issue, end-to-end encryption, is more a political point than a national security issue (refer section 5, last lines).
Sanjay – “This is about tracking and tracing; it may not be about encryption. The fact that I sent information to somebody is about metadata, it’s not about the information itself. This may be clarified better, but it is not about end-to-end encryption but about metadata.”
Sanjay further added, “perhaps one clause you could add is to say that the ‘intermediary should be able to do this based on the information it has; if it does not have information, there should be no requirement to maintain information’, e.g. if you take the business of mailinator, they don’t keep a record of mails sent in and out.”
Bhusan, added “it should not lead to intermediaries having a requirement to do KYC on users.”
Is 50 lakh only to target large platform players?
Sanjay – “My read is they may have thought that way. But in reality a regional ISP or even a small newspaper will fall into that category.”
Bhusan – “I don’t think it is a number generated by some study, but it seems like they just picked it.”
The discussion was wrapped up with thanks to all participants.
Author note and Disclaimer:
PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact Software Product Industry and the startups in the eco-system. PolicyHacks, therefore, do not necessarily set out views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on case to case basis.
PolicyHacks discussions and recordings are intended at issues concerning the industry practitioners. Hence, views expressed here are not the final formal official statement of either iSPIRT Foundation or any other organisations where the participants in these discussions are involved. Media professionals are advised to please seek organization views through a formal communication to authorised persons.
Data protection and privacy have been a topic of hot debate and discussion in recent times in India. As India progresses towards being a “Digital economy”, it has become extremely important to address the issues relating to the use of personal data.
iSPIRT has been at the forefront of developing a Consent Framework called the Data Protection & Empowerment Architecture (DEPA). The Account Aggregator Policy of RBI revolves around this consent architecture.
Whereas the bill is of interest to almost all the sectors of the economy, it is extremely important for businesses in Information Technology sector and especially in Software product Industry to understand the law as it is seeded and further as it evolves.
The bill has many aspects to it in the legal framework. It is not possible to cover the entire understanding of the bill in one blog. We have attempted to cover some salient features that may be important for the Software Product Industry, as well as how it connects with the techno-legal aspects of DEPA as it stands in the financial sector, perhaps to be replicated in other important sectors of the economy.
This blog is again posted in a Question and answer format both as a video and as a transcript of the video. You can use the one you like.
Questions have been asked by iSPIRT volunteer and Policy expert Mr Sudhir Singh and answered by Supratim Chakraborty (Data Privacy and Protection expert from Khaitan & Co.) and Siddharth Shetty (leading the DEPA initiative at iSPIRT).
What are the most important aspects of the bill?
Supratim answered, “What we have seen is that through this draft bill, there is an attempt to establish the relationship of trust between the data subject and data controller. The nomenclature has been changed in this bill and it is data fiduciary and data principals. It puts a lot of onus on the data fiduciary to take care of data care protection.”
“There are several important aspects of the bill that need attention, such as localisation of data, cross-border transfer and also some other aspects such as privacy by design, transparency requirement, security safeguard, breach notification, grievance redressal mechanism, the requirement of a Data protection officer, record keeping requirements”, elaborated Supratim.
Is there some restriction on data fiduciary? Is the state exempted?
Supratim said, “this bill is equally applicable to private parties and the Government unlike earlier provisions of section 43A and 72A of IT ACT. 43A will be scrapped after this bill comes into existence. There has been a lot of debate on this aspect of bringing Govt. under the purview of the law.”
Is right to be forgotten covered in a similar way as GDPR?
Supratim explained, “Our Govt. has looked at this in a more business-friendly way by covering the right to be forgotten by provisioning that any further dissemination of data should be stopped, once the data principal chooses to withdraw the consent or ask for the right to be forgotten.”
He described four governing aspects that explain how to determine whether data must be kept local, as described below.
You could have certain pockets of personal data that can be transferred outside.
There could be certain pockets of data that could be transferred outside, but a serving copy of the data has to be within the country.
The third category is sensitive personal data, the ambit of which has been widened considerably compared to what we saw under 43A of the IT ACT. For this, if sent out of
The fourth category is data that cannot be sent outside the country at all.
“On cross border transfer of data, in addition to ‘consent’ there have to be standard contractual clauses (approved/prescribed by authority) or the transfer to a jurisdiction is approved by the central government”, he further explained.
What is the Data Protection Authority?
Supratim answered, “In the draft bill this seems to be all encompassing all powerful authority from rulemaking to advisory to enforcement. Therefore it is important to see how this really shapes up. In “IT Act”, section 43 A and 72A were largely there to cover the aspects of data privacy but enforcement and implementation.”
What are other important aspects to consider?
“There are many aspects but let us touch upon two given below”, said Supratim.
One is the requirement of having notices in multiple languages, which is not a very hard obligation the way it has been put. But in a country like India, for say an e-commerce platform, imagine the cost that one has to incur for putting up multiple language notices. Also, we need to see whether we are able to really address the point of informed consent through this, because you also have a section of people who may be illiterate. The Justice Srikrishna report suggests that we should have short videos or graphical representations which make it very easy for someone to understand the critical aspects of privacy.
Another important aspect is applicability of the law. This law is applicable to all processing that is happening in India and also to foreign bodies. Section 2(2) talks about applicability to foreign bodies, the first part says that “in connection with any business carried out in India”. This means a global platform that is accessible from India has to have the entire requirement of this law.
Are we going in direction of GDPR?
Supratim answered, “Whereas we are trying to follow the Gold standard and many countries are trying to follow the path set by GDPR, India is quite a different country and we are not following everything the way it is in GDPR; we have to be mindful of our requirements. But the idea is to slowly and surely reach a zone where we can have our laws quite akin to laws of matured jurisdictions.”
How does Bill address iSPIRT DEPA initiative?
Siddharth, sees this draft bill as a unique India first approach. He feels that apart from addressing privacy and data protection aspects it empowers Indians on having control on the use of their data for better financial services, better health services, education etc.
Siddharth goes on to explain that at iSPIRT for past 3-4 years we have been working at Consent layer of IndiaStack or Consent framework and it is great to see that bedrock of draft bill is actually based on consent and in that way it is somewhat similar to GDPR. But, one of the biggest problem they are facing in EU today is it is very difficult to operationalise consent. It is for the first time India has a unique infrastructure to operationalise consent.
“DEPA is nothing but a set of two tools that helps to operationalise consent, explains Siddharth.
One is known as Digital Locker system which allows to the federated exchange of data and second is known as electronic data consent, which is nothing but an electronic representation of user Consent.
“This means, if you want to share or allow your data from some provider to, say, another consumer, then you must be able to express what data you want to share, with whom and for what time period, in some codified manner. This codified information or consent is known as the consent artefact”, says Siddharth further.
As explained by Siddharth, the ‘consent artefact’ became a national standard in 2016, adopted by four financial sector regulators, RBI, PFRDA, IRDA and SEBI, and they adopted it for their entire ecosystem.
Based on the consent artefact, every individual has access to financial data and has a mechanism to share that data to gain access to a loan or any other service provider. This has been through an institutional mechanism called the Account Aggregator.
Siddharth further elaborated that, “the ‘Account aggregator’ (AA) is a class of entities known as data access fiduciaries. The AA, unlike in other parts of the world, decouples the institution that is collecting consent from an institution that is either consuming data or providing data. In the EU, e.g., as per the PSD2 directive, the account information service provider which consumes data is also responsible for collecting the data.”
In India, 3 AAs have been approved. Technical standard drafts are also out for the ecosystem. And through AA you actually have an entity that’s working toward creating an informed consent experience. Going forward, just like UPI you receive your consent for a payment, through AA you will have an entity that helps you provide and control consent. Based on the financial sector, we have proposed a similar concept to TRAI for the telecom sector and to NITI Aayog for the health sector.
Has the AA concept been addressed in the bill?
Siddharth explains further, “The bill makes the bedrock of most processing of data based on consent. The AA model is nothing but your consent collector or consent manager. For every data principal they have outlined the right to confirmation and access, the right to correction and, most importantly, the right to data portability. As a data principal, you have the right to request from the data fiduciary, and port, machine-structured, non-repudiable transaction history or any other user-generated data to other service providers. AA is nothing but a framework to operationalise this right.”
He further explained that in the report preceding the bill, they talk about the concept of a consent dashboard. AA is nothing but a consent dashboard. They had 2 tech innovations: the consent dashboard and the data dashboard. You can log consent flows and data flows.
Will there be a consent dashboard concept like AA in other sectors also, or will there be one single-point authority under the DPA?
Siddharth: “It would be a combination of both. If you see the draft bill, it allows sectoral regulators to write rules. For data that falls under the private data sets category, such as data pertaining to social media etc., the DPA would prescribe a standard.”
The report says that the dashboard can be maintained by each data fiduciary or it can be a common dashboard that everyone else agrees to and follows. If you look at the account aggregator dashboard, it is a common dashboard for the entire financial sector. But social media companies can follow their own dashboards.
Any software product company that does not lie in any of the regulated sectors can create its own consent dashboard, where the user can come, see their dashboard, correct their data, port the data and manage their consent.
Unlike the IT Act, this regulation will have a direct bearing on any business processing data, irrespective of being in a Software product or other domain. And hence there is a need to be attentive. How right is this aspect?
“Yes, the ambit increases quite a bit. Wherever there is a sensitive personal data interface involved, the level of compliance requirement has gone up several times. In the IT Act, there was a mention of personal data in section 72A. The present draft bill does not talk about the deletion of 72A. The draft bill has a parallel mechanism set out in the IT Act”, mentioned Supratim.
Siddharth: “It is not just limited to compliance; this law unlocks a whole host of business models around consented data sharing that you haven’t yet seen in any other country, and it will be a really interesting space to see what companies get built out there.”
Questions from Participants.
What is the definition of data processing? Or what is the differentiation between Data Storage and Data Processing. E.g. if you are an email service provider, is it Data Storage or Data Processing? (asked by Chintan)
Supratim answered, “The definition of data processing is extremely wide, enough to make businesses fall into the ‘data processing category’ without being a processor.”
What is the timeline? (Asked by Chintan)
MeitY has asked for public comments on the draft bill by 10th of September; thereafter it will be presented to parliament, and after promulgation there will be more work in framing the Authority, the rules by the DPA etc. The law is expected to be in implementable form only after 18 months or so, at a minimum.
What happens to the Existing customer? Do we go back to them and get their consent? (Karthik)
Supratim answered, “Whilst it is not a retrospective legislation, if you continue processing without taking consent, you will fall foul of the requirement of law.”
Are there any fines defined here? (Karthik)
Yes, it has been taken care of. Just like other aspects, the draft bill is highly inspired by GDPR on this aspect also. We have 4% and 2% of annual turnover. There are 2 buckets: one is 4% and 15 Cr and the other is 2% and 5 Crore.
Do we need to appoint a DPO?
“There is a segregation which has been made: a significant Data Fiduciary, under certain conditions, will have to have a DPO. Also, this law has an immense amount of significant rulemaking power”, answered Supratim.
Hence, it will be seen in future how rules are framed by the Authority. So, it has to be seen how business-friendly the authority remains in rulemaking; e.g. section 43A in the IT Act gave rule-making power to define what is sensitive data and information and to set out what are reasonable practices and procedures. In the rules made thereafter, we saw a plethora of requirements set out, over-legislated and sometimes badly drafted.
The rules will go through an evolutionary cycle. Hence, the legislation has to be tested over a period of time as it unfolds, after crystallisation of this draft through promulgation by parliament into an Act and rules being made after that on different aspects.
PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact Software Product Industry and the startups in the eco-system.
PolicyHacks, therefore, do not necessarily set out the views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on a case-to-case basis.
If you are facing an issue, we recommend you take expert professional advice on a case-to-case basis.
We intend to provide the best transcripts in the text part of the blog. However, it may not be an exact replica and may be an approximation, or a more standardised, normalised or moderated version of the expert view presented in the video.
‘Digital India’ is one of the flagship programmes of the Government of India (GoI) with an aim to transform the country into a digitally empowered economy. Given the massive push that the government is giving to this programme, some radical changes have taken place across the country at both the public as well as at the government level in terms of digitization. However, it is also a reality that the growing digitization has increased vulnerability to data breaches and cyber security threats.
According to the Indian Computer Emergency Response Team (CERT-In), more than 22,000 Indian websites, including 114 government portals were hacked between April 2017 and January 2018, including the Aadhaar data leak in May 2017. These incidents clearly emphasized a strong need for cyber security products to tackle the threat to India’s digital landscape. In fact, last year, the Union Ministry of Electronics & Information Technology (MeitY) had directed all ministries to spend 10% of their IT budgets on cyber security and strengthen the Government’s IT structure in the wake of cyber threats.
Now, in order to be prepared for cyber breaches, the government entities need sophisticated security products and solutions. Currently, there is a heavy reliance on the foreign manufacturers to source these products as there are a handful of domestic players operating in this space. MeitY had issued a draft notification in June 2017 stating its preference to procure domestic cyber security products and give further impetus to the government’s flagship programme ‘Make in India’, thereby also boosting income and employment in the country.
The good news is that now the government has mandated ‘Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products’ policy which was released on July 2, 2018. With this policy in place, the local manufacturers will get the much required clarity and support to produce cyber security products. As the participation of domestic players increases in the cyber security industry, it will not only make the digital economy stronger and safer for the nation, but also enhance the ability of the suppliers to compete at a global business level. At the same time, it will also give an opportunity to foreign players to invest in the Indian cyber security product manufacturers which in turn will enable India to channel more FDI into the economy.
Let’s take a look at the key highlights of this policy:
What is the objective?
Cyber Security being a strategic sector, preference shall be provided by all procuring entities to domestically manufactured/produced cyber security products to encourage ‘Make in India’ and to promote manufacturing and production of goods and services in India with a view to enhancing income and employment.
Who are the procuring entities?
Ministry or department or attached or subordinate office of, or autonomous body controlled by the Government of India (GoI) which includes government companies.
Who qualifies to be a ‘local supplier’ of domestically manufactured/produced cyber security products?
A company incorporated and registered in India as governed by the applicable Act (Companies Act, LLP Act, Partnership Act etc.) or startup that meets the definition as prescribed by DIPP, Ministry of Commerce and Industry Government of India under the notification G.S.R. 364 (E) dated 11th April 2018 and recognized under Startup India initiative of DIPP.
Revenue from the product(s) in India and revenue from Intellectual Property (IP) licensing should accrue to the aforesaid company/startup in India.
How big is the government opportunity?
There is a huge government opportunity waiting to be leveraged, especially because MeitY had asked all ministries to spend 10% of their IT budgets on cyber security.
What are the key benefits of the policy to the local supplier?
The main benefits of the policy that local suppliers can avail are:
Procurement of goods from the local supplier if the order value is Rs.50 lacs or less.
For goods that are divisible in nature and the order value being more than Rs.50 lacs, procurement of full quantity of goods from the ‘local’ supplier if it is L1 (refer the note below). If not, at least 50% procurement from the local supplier subject to the local suppliers’ quoted price falling within the margin of purchase preference.
For goods that are not divisible in nature and the order value being more than Rs.50 lacs, the procurement of the full quantity of goods from the local supplier if it is L1. If not, then the local supplier will be invited to match the L1 bid and the contract will be awarded to the local supplier on matching the L1 price.
The cyber security products notification shall also be applicable to the domestically manufactured/produced cyber security products covered in turnkey/system integration projects. In such cases the preference to domestically manufactured/produced cyber security products would be applicable only for the value of cyber security product forming part of the turnkey/ system-integration projects and not on the value of the whole project.
Note: L1 means the lowest tender or lowest bid or lowest quotation received in a tender, bidding process or other procurement solicitation as adjudged in the evaluation process as per the tender or other procurement solicitation.
How do I get my cyber security product listed to start getting the benefits of this policy?
You need to get your product evaluated and approved by the empowered committee of the government.
The ‘Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products’ policy is a commendable step in the direction of providing a robust leap to ‘Digital India’ and ‘Make in India’ programmes.
Get complete details about the policy here.
Ashish Tandon, Founder & CEO – Indusface
Ashish Tandon, a first-generation entrepreneur with a rare combination of strong technology understanding and business expertise, has successfully led and exited several ventures in the areas of security, internet services and cloud based mobile and video communication solutions. Under his leadership as founder & CEO, Indusface, a bootstrapped, fast growing and profitable company, has been recognized as an award-winning Application Security company with over 1000+ global customers and a multi-million $ ARR. He is also closely associated with the government and industry bodies of India in the drafting of various Software Product & Security related acts, regulations & policies. Connect with him on LinkedIn or Twitter.
This blog aims to explain where the draft NPSP policy statement stands at present and what to expect further. The blog also answers many questions arising in the minds of stakeholders in the Software product industry as well as the IT industry in general.
This may help Software product industry stakeholders in responding to MeitY on this consultation process, which ends on 9th December 2016.
How does NPSP help India?
The first Software policy came up in 1986. It resulted in the Software Technology Park (STP) scheme in 1991. Even after 25 years the old Software policy (1.0) of 1986 still prevails, with a focus on IT services.
But the past few years have seen a serious decline in growth, owing to rapid transformation in technology and the Software industry, globally. India’s IT sector is strong enough to face changing technology challenges. India’s national competitive advantage has taken a shift towards the innovative stage and ‘product’. Please see another blog on this subject here.
To address globally relevant strategic paradigm shifts, a Software 2.0 policy is needed with ‘product’ as its focal point.
This consultation process will lead to this Software 2.0 policy. It will help India in capitalizing on the existing mature IT industry and building a phase 2 of the industry in the form of a product-based industry. There are 3 advantages that the NPSP announcement brings us.
Firstly, with the NPSP announcement, India will give recognition to the Software product industry.
Secondly, schemes and programs emerging from NPSP will catalyze the Software product industry ecosystem.
Thirdly, the Software product industry will have a legitimate governance structure in the Government of India that helps solve problems and provides a level playing field.
The draft policy does not have any actionables, only intent statements?
Yes, presently the draft is only a macro policy statement with a vision, mission to be achieved and ten strategic areas to be addressed. Let us understand different aspects of it.
There were two challenges to the framing of this draft policy. One, most people in the Government system link the framing of industry policies directly to a package of fiscal incentives that help in direct market intervention. On the other hand, with the IT industry having matured, there is less appetite at the Ministry of Finance to easily carve out a fiscal incentive program.
Two, iSPIRT believed that an innovation and product based industry needs a multi-layered action plan that can help promote the ecosystem central to the product industry. Adding any fiscal package to the policy statement right at the beginning would have put the efforts in jeopardy.
Hence, most areas that need to be acted upon are summed up in 10 Strategies in the draft. This macro policy announcement helps in getting the policy rolled out in two stages.
First, set strategic intents and recognize a product industry.
Second, action plans (schemes, programs, incentives and institutional setups) can follow on a need basis and in a phased manner after the policy is finally launched. The policy can be leveraged through multiple threads focused on defined actionables. These could be a) an immediate action item list; b) ecosystem building programs; c) segment specific packages and lastly d) incentive schemes. For example, the SaaS based product segment needs early support in the form of a booster package that solves its multiple problems.
This is the right, flexible approach adopted by MeitY. This is how it happened in the Software 1.0 policy as well.
Let us achieve stage one and then proceed to stage two.
Are there stages envisaged further to the announcement?
At iSPIRT, we believe that after the promulgation of NPSP the very first action required of MeitY is a new institutional setup (instead of relying on old or existing vehicles).
Hence, a ‘National Software Product Mission’ (NSPM) should be set up urgently, as the nucleus of activity to cater to the emerging Software product industry. NSPM can operate under an inter-ministry board, thus drawing legitimacy to understand and solve the problems of this emerging industry, across Government departments, at a single point.
NSPM should become a forum for intellectuals and industry practitioners for issues of technology, boosting R&D, international competitive dynamics, and the steps and actions needed to handle challenges that the industry faces in a continually evolving dynamic world etc.
Let us welcome the NPSP with an open mind and the right expectations
Some points in NPSP may not be rightly in sync with every segment of the industry. However, one must also note that the Government’s stake in an industry policy is also multifold, which also includes the generation of employment and income.
In view of the above, it is in favour of the Software product industry to welcome this step 1 of formulating a viable National Policy on Software Products. An early approval of NPSP is in the interest of the Software product industry of India, as well as of the country, to look at a bright future.
A positive welcoming feedback will help MeitY in early approval.
We sincerely hope NPSP will soon be approved and help in building a “Software product nation”.