After the Covid-19 pandemic wreaked widespread economic havoc in 2020, India is hoping to implement solutions for industries to get back on track in the year ahead.
At Prarambh 2021, an international summit for the ‘Startup India’ programme, Prime Minister Narendra Modi announced a Rs 1,000 crore seed fund for startups. He acknowledged that the demographic charter of the business landscape in India is being changed by startups.
These businesses have been the backbone in service delivery across areas such as health and education, in the face of crisis caused by the pandemic. Out of the nearly 41,000 startups estimated to have come up in India, more than 5,700 are in the Information Technology (IT) sector. Other startups in areas such as education, healthcare, e-commerce etc. continue to build and use data systems to strengthen their business models.
Almost 87 per cent of the total investment value in startups in India is concentrated in Delhi-NCR, Bengaluru and Mumbai, followed by Chennai, Hyderabad and Pune. A report by the Asian Development Bank shows that India’s strengths of human capital, information and communications technology (ICT) services and its transition to a digital and knowledge-based economy makes it an ideal location for becoming a global startup hub.
However, there is a need for large-scale implementation of low-ticket technological advances, which allow India to ‘leapfrog’ and leverage the increasing mobile and data consumption in the country. Coupled with research, development and innovation, startups can use technologies such as blockchain, Artificial Intelligence/Machine Learning and Internet of Things (IoT) to harness the power of India’s flexible labour market.
In this context, it is important to deliberate on how the Personal Data Protection Bill, 2019, will impact data management and enforce compliances on the startup industry.
Issues with Personal Data Protection Bill, 2019
Stringent data protection laws — a prime example being the European Union’s General Data Protection Regulation (GDPR) that came into effect in May 2018 — could affect innovation in the short term. There is limited research, but it points towards the predominance of negative effects during the initial phase of implementation, such as disruption of existing structures of production and routines. The benefit from privacy and data protection regulation could arise in the medium term, because of the amount of time taken to market innovation and adjust the technology being used.
India currently does not have a data protection law in place. Although the need to have such a law is not debatable, the provisions of the Bill and how they impact startups can be contested. By the time the Bill is passed and comes into effect, the startup ecosystem will be impacted by a number of concerns — such as compliance costs, restrictions on cross-border data flows and respect for intellectual property rights.
The Dialogue launched a report on 19 January covering these concerns, after interacting directly with startups through a series of stakeholder consultations. On the count of steep compliances, there have been concerns from startups around how the Bill mandates independent audits for significant data fiduciaries, and this requires available resources and funds which all startups might not equally have access to.
The recommendation to overcome this hurdle is charting out graded compliance standards and promoting staggered implementation, to allow those startups which have inadequate resources to alter their business models and not face the risk of shutting down.
Another concern is the restriction on cross-border data flows, which can either increase the costs of accessing storage technology for data based abroad — such as cloud-based services — or it can make startups an unviable investment option for the global market. This will make startups incur significant cost of operations, and could be a heavy price to pay for younger startups which operate on limited budgets.
To solve this issue, interoperability must be prioritised in the framing of the Bill. Countries must work to devise data protection regimes which mutually allow innovation, protect the privacy of citizens and allow free flow of data securely across borders.
Intellectual property and non-personal data
Access to intellectual property of startups classified as ‘NPD’ (non-personal data) is a major discussion point. Under the draft Bill, clause 91 gives the government of India unfettered access to anonymised non-personal data that may even include trade secrets, IP-protected documents and confidential files, as long as the same can be justified as being used for framing policies.
This right to access has been criticized by startups, with the concern and warning that the same might become a barrier for foreign investment in the country as their trade advantages might cease to exist in the Indian market.
A new legislation to cover NPD is being created, and B2G (business-to-government) data sharing can be discussed under a separate policy framework that aims to regulate the governance of NPD. Otherwise, startups would end up in a difficult spot by signing up their proprietary insights and confidential information under the present clause 91 of the Bill.
The need for a revised data protection bill is imminent, with regard to its implications for the functioning of Indian startups. Covid-19 has reduced job opportunities for citizens, and startups are poised to solve some part of this problem by ensuring innovation and thereby, job growth.
However, this would be impossible without positioning startups in a way that makes them attractive investment options for global players. Therefore, the 2019 Bill needs to take cognisance of these pain points, and ensure that the data protection regime (both with respect to personal and non-personal data) is interoperable, acknowledges different constraints of startups of varying sizes, and works towards protecting their intellectual property rights.
Karthik Venkatesh is research coordinator for ‘data governance and data flows’ vertical at The Dialogue, a research and public policy think-tank. He is a lawyer by training who is working on copyright and IPR issues with data sharing in the digital economy, impact assessment of regulations relating to personal and non-personal data flows on startup ecosystems, and the future of a sharing economy
Trisha Pande is policy manager at The Dialogue. A master’s degree holder in public policy, she has an interest in writing about policy issues at the intersection of development policy and technology.