The investor input - a discussion on the future of data protection
The Personal Data Protection (PDP) Bill 2019 was tabled in the Indian Parliament by the Ministry of Electronics and Information Technology on December 11, 2019. Last week, the Government of India withdrew the Bill. As the government mulls the introduction of a fresh Bill, based on recommendations of the Joint Parliamentary Committee, and industry and civil society stakeholders, it has stated that it wants to keep the concerns of the Indian startup ecosystem front and centre. Investors in Indian startups therefore become an important part of the conversation.
Recently, The Quantum Hub, in collaboration with YourStory, held the fourth panel discussion as a part of the series ‘Reshaping India’s Data Landscape’. This session centred around the investor input on the now withdrawn PDP Bill 2019, bringing together investors who have invested in tech startups in India. The panellists for the discussion included Somshubhro Pal Choudhury, Partner, Bharat Innovation Fund; Ankit Kedia, Founder and Lead Investor, Capital A; Vishesh Rajaram, Managing Partner, Speciale Invest; Manu Rikhye, Partner, growX ventures; and Pearl Agarwal, Founder, Eximius Ventures. The discussion was moderated by Aparajita Bharti, Co-founder; Nikhil Iyer, Public Policy Analyst; and Mayank Mishra, Public Policy Manager, The Quantum Hub.
The discussion centred around three key issues- regulation of non-personal data, cross border data flows, and the mandatory disclosure of proprietary algorithms used for processing data.
Factoring data protection policies into investments
The session started with the most pressing concern - how do these policies affect investors? According to Ankit, the first thing investors do when governments push for policies in a certain sector, is analyse the regulatory risk around it. He said, “As an investor, we definitely keep circling around issues like that to make sure that our investment doesn't fall into any regulatory issue.”
For investors, regulatory uncertainty is likely to prevent them from investing in sectors where they believe the Government could enforce unclear or restrictive regulations.
A large problem with regulations such as these is their inflexibility. As the panel agreed, policies are often in danger of becoming unilaterally prescriptive in nature. Are these policies coming from a need to safeguard India’s data? If so, then governments should balance that need, with the kind of flexibility that young startups need to thrive and innovate. Instead of policies that demand one-size-fits-all compliances from businesses, a data framework could be created that allows for more nuance and innovation. The government should look at frameworks that are globally applicable instead of being ultra prescriptive.
Will a privacy law change India’s startup story?
India’s homegrown startup story has been a compelling one. Today, the media spotlight is focused heavily on new-age startups, tech companies, valuations, unicorns, exits. In the last year alone, there have been a slew of regulatory developments, and tech startups are feeling the strain. Some startup founders are also starting to consider the need for a Chief Risk Officer, who will ensure that the company practises a certain amount of ring fencing when it comes to regulatory challenges.
Cross Border Data flows could hamper collaboration and innovation
India is currently a hub for global Software-as-a-Service (SaaS), building products for global consumption. “We are looking at using global, world-class tools to build our businesses. Because when you have finite resources, you can't build everything. I often give examples of companies like Microsoft, AWS and others that use our products rather than using their own, even though they're big tech companies. So every tech company partners with a bunch of others” said Manu.
To facilitate smooth transfer of data into and out of India, India must try to align with global standards for cross border transfers.
Furthermore, will these clauses hamper innovation from India’s startups?
Non-personal data and the risk of deanonymisation
There have been several discussions that India’s Data Protection Framework may expand its mandate to govern not only personal data but also non-personal Data (NPD). Sharing of NPD has also been proposed in other policy proposals. This development is of concern to both investors and startups.
In today’s incentive structure, businesses derive value from customer and other data in order to refine, better or expand their services. Investors consider the value of these proprietary datasets in their business decisions, and any mandatory sharing is likely to disincentivise them from investing in Indian companies. There is also the risk of deanonymisation of NPD, which could lead to privacy risks for individuals, as Indian industry has not yet agreed upon anonymisation standards. It is also unclear if any prescribed standards can be implemented by all entities.
One solution proposed was to mandate only large companies to share data. Yet, this does not address the incentive structure, as all startups too wish to grow bigger over time. It will be ideal if sharing of NPD is kept voluntary for companies, as we see in the recent National Data Governance Policy Framework.
Disclosing proprietary algorithms
The Joint Parliamentary Committee recommended that businesses disclose potentially proprietary information, to check for the ‘fairness of its algorithms and the methods used for processing of personal data’. However, in the process, businesses' intellectual property rights could be compromised. At the moment, there is very little information on how fairness will be evaluated or what information will be requested. According to Somshubhro, a potential alternative could be to set industry standards to which all companies must comply, to achieve the goals of fairness. “We do not even have fair lending practices for humans, why do we insist on them for Artificial Intelligence?” he asked.
As the Government looks to take a fresh approach to data governance framework for India, the startup and the investor community would hope that these concerns that got aired during the previous Bill’s consultation process would be taken into account in any new draft privacy Bill.