BEGIN:VCALENDAR VERSION:2.0 PRODID:-//HasGeek//NONSGML Funnel//EN DESCRIPTION:SMEs and the startup ecosystem in India share concerns about t he (retracted) draft Data Protection Bill\, 2021 - and the way forward for businesses X-WR-CALDESC:SMEs and the startup ecosystem in India share concerns about the (retracted) draft Data Protection Bill\, 2021 - and the way forward fo r businesses NAME:The past as a compass for the future X-WR-CALNAME:The past as a compass for the future REFRESH-INTERVAL;VALUE=DURATION:PT12H SUMMARY:The past as a compass for the future TIMEZONE-ID:Asia/Kolkata X-PUBLISHED-TTL:PT12H X-WR-TIMEZONE:Asia/Kolkata BEGIN:VEVENT SUMMARY:The past as a compass for the future DTSTART:20220822T092800Z DTEND:20220930T092800Z DTSTAMP:20260424T082708Z UID:session/RZU7LRmmfoCM7hHWrhiUJ@hasgeek.com SEQUENCE:150 CREATED:20220822T092757Z DESCRIPTION:To understand the impact of the Draft Data Protection BIll (DP B) on Small and Medium Businesses (SMBs) and startups\, Privacy Mode inter viewed representatives across the industry. The interviewees shared their perspectives on how complying with the mandates and provisions of the Bill is likely to affect opportunities for innovation\, investment and the cos ts of doing business in India. \n\nThis report provides a more nuanced di scussion on data governance policies\, especially regarding the regulation of data protection laws in India\, and helps inform more consultations ar ound data governance\, data protection and rights.\n\nThe Personal Data Pr otection (PDP) Bill\, 2019\, was first introduced in the Lok Sabha by the Ministry of Electronics and Information Technology (MeitY) in December\, 2 019. Its primary intent was to protect the digital privacy of individuals relating to their data\, while acknowledging the right to privacy as a fun damental right and necessary to protect personal data as an essential face t of informational privacy. It also aimed to create a collective culture t hat fosters a free and fair digital economy\, respecting the informational privacy of individuals\, and ensuring empowerment\, progress and innovati on through digital governance and inclusion. \n\n**Cite this report-** Das h\, Sweta “The past as a compass for future - SMEs and the startup ecosy stem in India share concerns about the (retracted) draft Data Protection B ill\, 2021 - and the way forward for businesses” (2022) at https://hasge ek.com/PrivacyMode/dpb-survey-report/\n\n### Executive Summary\n(The refer ence text of the Draft Data Protection Bill\, 2021 is mentioned in the cit ations. You can also see the timeline\, showing how the text and provision s of the Bill have evolved through various stages.)\n\nAccording to the Bi ll\, personal data is defined as data about or relating to:\n1. Natural pe rson who is directly or indirectly identifiable\, having regard to any cha racteristic\, trait\, attribute or any other feature of the identity of su ch a natural person. \n2. Whether online or offline.\n3. Any combination o f such features with any other information. \n4. Shall include any inferen ce drawn from such data for the purpose of profiling.\n\nIn 2019\, the Uni on Government referred this Bill to a Joint Parliamentary Committee (JPC). The updated Draft Data Protection Bill (DPB)\, 2021 emerged from the JPC report tabled in 2021. \n\nThe Draft DPB had changed the initial PDP Bill significantly\, and received mixed responses and concerns from stakeholder s [^1]. \n\nTo understand the impact of the Draft DPB on Small and Medium Businesses (SMBs) and startups\, Privacy Mode interviewed representatives across the industry. The interviewees shared their perspectives on how com plying with the mandates and provisions of the Bill is likely to affect o pportunities for innovation\, investment and the costs of doing business i n India. \n\nThis report provides a more nuanced discussion on data gover nance policies\, especially regarding the regulation of Data Protection La ws in India and helps inform more consultations around data governance\, d ata protection and rights.\n\n### Disclaimer\nThe conduct of this survey a nd the drafting report was done prior to the withdrawal of the DPB on 3rd August\, 2022. The intent of producing this report was to collect peer rev iew from industry practitioners and compile this as feedback to be shared with MeitY and the JPC. We believe that this report is relevant and timely because the findings presented here provide insights into industry concer ns which can be leveraged when the government drafts the next version of I ndia’s privacy bill. For data privacy of users to be genuinely achieved in India\, privacy policies and laws must provide guidelines and direction s to the industry without detailing operational requirements. Else\, compl iance becomes a checkbox to tick\, while privacy continues to be put on th e backburner[^2]. \n\n### Participant Profile Distribution\n```{vega-lite }\n{\n "height": "320"\,\n "width": "480"\,\n "autosize": {\n "type" : "fit"\,\n "contains": "padding"\,\n "align": "centre"\n }\,\n "data": {\n "values": [\n {"category": [" "\,"Architect"]\, "value ": 4.2\, "label": "4.2%"}\,\n {"category": "Product manager"\, "value ": 12.5\, "label": "12.5%"}\,\n {"category": ["Senior"\, "Engineer"]\ , "value": 33.3\, "label": "33.3%"}\,\n {"category": "Founder"\, "val ue": 50\, "label": "50%"}\n ]\n }\,\n "mark": "arc"\,\n "encoding": {\n "theta": {"field": "value"\, "type": "quantitative"\, "stack": true }\,\n "color": {"field": "category"\, "type": "nominal"\, "legend": nul l}\n }\,\n "layer": [\n {"mark": {"type": "arc"\, "outerRadius": 130\ , "innerRadius": 70\, "padAngle": 0.01}\n}\,\n {\n "mark": {"type" : "text"\, "radius": 105\, "fill": "#fff"\n }\,\n "encoding": {\ n "text": {"field": "label"\, "type": "nominal"}\,\n "size": {"value": 12}\n }\n }\,\n {\n "mark": {"type": "text"\, "radius": 170\n }\,\n "encoding": {\n "text": {"field": "category"\, "type": "nominal"}\,\n "fill": {"value": "#000"}\,\n "size": {"value": 12}\n }\n }\n ]\n }\n```\n\n### Indust ry Domain Distribution\n```{vega-lite}\n{\n "height": "430"\,\n "width": "480"\,\n "autosize": {\n "type": "fit"\,\n "contains": "padding"\ n }\,\n "data": {\n "values": [\n {\n "category": [[" "\, " "\,"Agritech"]\, [" "\,"AI Tech"]\, [" "\," "\,"Software"\, "Development "]\, ["B2B"\, "eCommerce"]\, "CRM"\, "Cloud Tech"\, [" "\," "\,"MLOps"]\, ["IT Services "\, "& Consulting"]\, [" "\," "\,"OSS Products"\, "& Servic es"]\, [" "\," "\,"SSD Cloud"]\, ["Cybersecurity"\, "Tech"]\, "Fintech"\, "Health Tech"]\,\n "value": [7.1\, 14.3\, 3.6\, 3.6\, 3.6\, 7.1\, 3.6 \, 3.6\, 3.6\, 3.6\, 3.6\, 25\, 14.3]\,\n "label": ["7.1%"\, "14.3%"\ , "3.6%"\, "3.6%"\, "3.6%"\, "7.1%"\, "3.6%"\, "3.6%"\, "3.6%"\, "3.6%"\, "3.6%"\, "25%"\, "14.3%"]\n }\n ]\n }\,\n "transform": [\n {"flatten": ["category"\, "value"\, "label"]}\n ]\,\n "mark": "arc"\,\n "encoding": {\n "theta": {"field": "value"\, "type": "quantitative"\, " stack": true}\,\n "color": {\n "field": "category"\,\n "type" : "nominal"\,\n "legend": null\,\n "scale":{"range": ["#267278"\ ,"#3363a9"\,"#4e82ea"\,"#f2a354"\, "#3db3a3"\, "#f46767"\, "#d15a69"\, "#f 49667"\, "#f7cc19"\, "#2abca7"\, "#2c96ff"\, "#569d79"\, "#78b3ce"]}\n }\n }\,\n "layer": [\n {"mark": {"type": "arc"\, "outerRadius": 170\, "innerRadius": 85\, "padAngle": 0.01}\n }\,\n {\n "mark": {"ty pe": "text"\, "radius": 145\, "fill": "#fff"}\,\n "encoding": {\n "text": {"field": "label"\, "type": "nominal"}\,\n "size": {"va lue": 12}\n }\n }\,\n {\n "mark": {"type": "text"\, "rad ius": 200\, "align": "left"\, "dx": -10\, "dy": -5}\,\n "encoding": { \n "text": {"field": "category"\, "type": "nominal"}\,\n "fi ll": {"value": "#000"}\,\n "size": {"value": 10}\n }\n }\ n ]\n }\n```\n\n\n| Summary of key concerns | \n|----------|\n| Amb iguities about sensitive and personal data\, and the addition of non-perso nal data (NPD) into the ambit of DPB | \n| Increase in compliance burden and costs owing to provisions such as privacy by design and algorithmic fairness which will be certified by the Data Protection Authority (DPA) | \n| Restrictions on cross border flow of data\, and impact on innovation | \n| Mandates for privacy by design and algorithmic fairness are unviabl e and impractical to implement | \n| Overreaching powers for the governmen t further increase unjustified surveillance | \n\n### Top Concerns\n```{v ega-lite}\n{\n "height": "430"\,\n "width": "520"\,\n "autosize": {\n "type": "fit"\,\n "contains": "padding"\n }\,\n "data": {\n "v alues": [\n {\n "category": [["Mixing of personal"\, "and non-pe rsonal data"]\, ["Ambiguities and"\, "uncertainties"]\, ["Data localisatio n and"\, "cross border data transfer"]\, ["Privacy by design"\, "and algor ithmic fairness"]\, ["Overarching powers"\, "to the government"]\, ["Compl iance"\, "burdens"]]\,\n "value": [8.4\, 19.2\, 19.2\, 17\, 17\, 19.2 ]\,\n "label": ["8.4%"\, "19.2%"\, "19.2%"\, "17%"\, "17%"\, "19.2%"] \n }\n ]\n }\,\n "transform": [\n {"flatten": ["category"\, "value"\, "label"]}\n ]\,\n "mark": "arc"\,\n "encoding": {\n "theta ": {"field": "value"\, "type": "quantitative"\, "stack": true}\,\n "col or": {\n "field": "category"\,\n "type": "nominal"\,\n "leg end": null\,\n "scale":{"range": ["#f46767"\, "#d15a69"\, "#f49667"\, "#f7cc19"\, "#2abca7"\, "#2c96ff"\, "#569d79"\, "#78b3ce"]}\n }\n }\, \n "layer": [\n {"mark": {"type": "arc"\, "outerRadius": 165\, "innerR adius": 85\, "padAngle": 0.01}\n }\,\n {\n "mark": {"type": "te xt"\, "radius": 145\, "fill": "#fff"}\,\n "encoding": {\n "tex t": {"field": "label"\, "type": "nominal"}\,\n "size": {"value": 12 }\n }\n }\,\n {\n "mark": {"type": "text"\, "radius": 21 5\, "align": "left"\, "dx": -45\, "dy": -10}\,\n "encoding": {\n "text": {"field": "category"\, "type": "nominal"}\,\n "fill": {" value": "#000"}\,\n "size": {"value": 10}\n }\n }\n ]\n }\n```\n\n#### Mixing of Personal and Non-Personal Data\nWhile the JPC re port recommended that both personal and non-personal data must be brought under the ambit of the same data protection law\, or rather under “a sin gle administration and regulatory authority"\, respondents remain sceptica l of the intent and implications of such a move. They said this transition from PDP to the current DPB relegates users to the margins instead of put ting them on the centrestage in the discourse on privacy [^3].\n\nTo them\ , the onus of the user’s privacy now shifts on to businesses. And\, sinc e data aggregated by businesses is a mix of both personal and non-personal \, it increases their operations and compliance costs. Segregating this da ta into non-personal data\, sensitive personal data\, and critical persona l data is a herculean task for businesses\, especially those who operate o n a data heavy model[^4].\n\n[📖 Read more about this key finding ](htt ps://hasgeek.com/PrivacyMode/dpb-survey-report/sub/mixing-of-personal-and- non-personal-data-UKJDr2oUfZ2ArWheK8hiJ1)\n\n----------------------------- ----------\n#### Consent Management\nOn one hand\, the DPB now allows non- consensual processing of data under several circumstances. That is concern ing because consent must ideally be the foundation of a Bill on data prote ction\, especially given the fact that DPB is still a chapter in the histo ry of the milestone Puttaswamy judgement. \nClause 13 of the DPB\, for in stance\, notes that non-consensual processing of data “can reasonably be expected by the Data Principal.” The next Clause then disregards user c onsent for measures like search engine operation and credit scoring. \n\nO n the other hand\, the mechanisms for businesses to adhere to consent have become more cumbersome. With the requirements of consent managers and mul tiple levels of checks and balances\, respondents are confused about what is even expected of them. To them\, this will eventually be a reason for g reater compliance costs for the business and friction for the end-users. \ n\n[📖 Read more about this key finding ](https://hasgeek.com/PrivacyMod e/dpb-survey-report/sub/consent-management-8QRosYGBAoUAiRBxXoSLYb)\n\n---- -----------------------------------\n#### Data localization and cross bord er data flows\nThe draft DPB’s mandates on physical data storage and pro cessing the data within the country’s jurisdictional borders is seen as a serious impediment to growth\, investment\, and innovation opportunities for businesses. \nAdditionally\, the DPB has different standards for hand ling sensitive personal data and critical personal data adds to compliance costs because businesses are finding it difficult to understand what this will mean for costs of operations. They also find it challenging to now s egregate three categories of data and having to invest in resources that w ill be needed to do the same. \nTransfer of data cross-border requires exp licit consent of the Data Principal\, pursuant to a contract or intra-grou p scheme approved by the Data Protection Authority (DPA) in consultation w ith the Centre. This leaves businesses worried about extra approval mechan isms and audit systems. So much so that some said they might consider movi ng the base of their business to a different country instead. \n\n[📖 Re ad more about this key finding ](https://hasgeek.com/PrivacyMode/dpb-surve y-report/sub/geographical-restrictions-on-data-problems-with-da-LBhjhsULkm tuK4zVhrdpwN)\n\n---------------------------------------\n#### Privacy by Design and Algorithmic Fairness\nIn principle\, respondents welcomed the m ove to build mechanisms and processes for Privacy By Design and Algorithmi c Fairness. They think it is time that privacy and fairness gets its due r ecognition and importance in data businesses. However\, they are concerned that these are theoretical concepts and not viable to implement and adher e to on a routine basis. Respondents said that it is difficult to have bro ad but uniform standards for these approaches\, and that a blanket solutio n will not cater to the nuances of data that each business operates with. \n\nRespondents also shared that these are not measurable metrics - which then translates into: \n1. It will be difficult to comply with and get ce rtifications by the DPA\; and \n2. It is always possible for some algorith ms to have roundabout ways to seem fair without actually being fair. Respo ndents felt that this defeats the purpose of this provision in the DPB [^5 ]. \n\n[📖 Read more about this key finding ](https://hasgeek.com/Privac yMode/dpb-survey-report/sub/proposed-design-and-technological-architecture -cha-JxkAap31xJKU3UkH3WBXrA)\n\n---------------------------------------\n# ### Problems with government exemptions\; fear of data sharing with govern ment and central agencies\; anonymized datasets\nThe DPB 2021 assures exem ptions for the government and central agencies (including the police\, Cen tral Bureau of Investigation (CBI)\, Enforcement Directorate (ED)\, Resear ch and Analysis Wing (RAW)\, Intelligence Bureau (IB) and Unique Identific ation Authority of India (UIDAI) after the JPC report with the insertion o f a non-obstante provision in Clause 35. \n\nRespondents remain fearful of such provisions that grant overarching powers for the government and cent ral agencies to process data without the user's consent. Among other thing s\, they are concerned that these exemptions are “scary”\, “unjustif ied”\, and “unconstitutional”.\n\nThey are also worried that such un regulated data access by the State can have potential security threats to their digital and proprietary information. \n\n[📖 Read more about this key finding ](https://hasgeek.com/PrivacyMode/dpb-survey-report/sub/overre aching-powers-to-government-and-central-agen-NvovxMKgjCJAyHhrYLZ2st)\n\n-- -------------------------------------\n### Way forward\n\nThe objective of this qualitative study was to understand the concerns that startups and S MBs had regarding the Draft DPB. At a time when startups and SMBs play suc h a crucial role in the digital economy of the country\, and data itself h olds the centrestage across sectors\, it is imperative to hear from the in dividuals who have firsthand experiences that can inform more consultation s around data governance\, data protection and rights.\n\nThe interviews r eveal that there is a strong need for: \n1. Clarifying the scope and inten t of the DPB\;\n2. Include provisions for reasonable and proportional lega l safeguards as part of the mandates drafted in the DPB. Without this\, re spondents are worried that the ramifications will be fatal for innovation\ , growth and security of data\, among other things. \n\nNow that the DPB h as been withdrawn and it is likely that the Government will table a new se t of legislations for data privacy in the winter session of the Parliament later this year\, we hope that these concerns of SMBs and startups will b e taken into account. We hope the report helps to facilitate more interact ions between practitioners and policymakers for such future iterations of India’s privacy bill\, and in turn\, will inform policy directions and g uidelines that can genuinely protect users’ digital data. \n\n---------- -----------------------------\n### Conclusion\n\nAfter four years since it was first tabled in the Parliament\, the Draft DPB was withdrawn in Augus t 2022. The next version of data protection legislation is likely to be ta bled in the winter session of the Parliament later this year. It has been said that the DPB will be replaced by a more “comprehensive framework” that will be in alignment with “contemporary digital privacy laws”. [ ^7]\n\nIt is worth remembering that a robust legislation on digital data p rotection is\, indeed\, the need of the hour\, and surely long overdue. An d\, the road to this legislation has had a commendable history - one that stems from the Puttaswamy judgement which acknowledged privacy as a right. That the country needs a reliable data protection law\, especially in the se times of digitization and consensus on the importance of data\, cannot be emphasized enough. \n\nWe do consider this a milestone that the State i s finally invested in the framing of a legislation that is meant to safegu ard the users’ data privacy and sovereignty as well as facilitate growth and innovation of businesses dealing with digital data. Reports already s uggest that certain concerning aspects of the DPB are likely to be taken c are of. [^8] Having said that\, the fact remains that four years later\, w e are at square one again. \n\nAs we wait for a data protection law in Ind ia\, we hope that the new legislation will cater to the on-ground voices o f the businesses who will be affected by such laws. Besides\, as SMBs and startups have had a lot of experience with regulations and compliance proc edures for their specific businesses already\, be it with the European Uni on’s General Data Protection Regulation (GDPR) or with sectoral laws and policies for their industry\, they certainly do have useful insights on w hat data protection regimes can actually do to foster innovation while saf eguarding privacy rights. \n\nBelow are some recommendations\, drawn from the survey\, which Privacy Mode advocates need to be considered in the new data protection legislation when it is next tabled in the Parliament. \n\ n#### Regarding mixing of personal and non-personal data.\nThe mixing of p ersonal and non personal data has given rise to a lot of confusion about t he DPB\, and adds more layers of compliance and operational costs for busi nesses. \nSince non personal data can be de-anonymized\, it poses a privac y threat to the ecosystem. Even when the data is in the form of aggregated \, non-identifiable form\, respondents said that there is always the possi bility of re-identification. \nWe recommend that non-personal data be left out of the DPB\, and that it be governed through other frameworks. We als o recommend that the government must carry out consultations with stakehol ders to decide on how non-personal data can be regulated. It is also recom mended that policymakers provide concrete definitions for new categories o f data as sensitive personal data\, and not let this be an arbitrary proce ss.\n\n#### Regarding data localization and cross border data flows. \nIt is imperative that the DPB does not mandate restrictions on storage\, tran sfer\, and processing of personal data within the border of this country a lone. This will be a serious blow to the open nature of the internet and d igital data. \nWhile it is commendable that this provision is meant to as sure safety and privacy of personal data\, these could very well be achiev ed without such restrictive measures. An environment ensuring free flow of data - while guaranteeing privacy and reasonable safeguards for data sove reignty - will help in promoting an open and innovative society and econom y. \nIn fact\, the latest National Trade Estimate Report on Foreign Trade Barriers released by the US government in March 2022 also makes a strong case against such provisions in the DPB. It said that these provisions “ would serve as significant barriers to digital trade between the United St ates and India. These requirements\, if implemented\, would raise costs fo r service suppliers that store and process personal information outside In dia by forcing the construction or use of unnecessary\, redundant local da ta centres in India … (and) could serve as market access barriers\, espe cially for smaller firms.”[^9]\nTo assure privacy in the free flow of da ta across borders\, the future version of a privacy bill for India must en deavour to provide adequate legal safeguards that will be beneficial to th e user’s data and to the business’s success. [^10] Additionally\, ambi guous phrases like “public policy” and “State policy” must be defi ned in it. \n\n#### Regarding Privacy by Design.\nFirst\, as the founder o f an MLOps business said\, \n>“But I think the way to do privacy by desi gn is to create public goods\, shared recipes\, scripts\, tools\, methods\ , in steps to be followed\, make it really easy for companies to think abo ut privacy\, right? But you will not have this until you have means\, moti ve\, and opportunity.” By means\, the founder referred to necessary bac kground knowledge about tools and script required. By motivation\, they re ferred to the creation of a general discourse on privacy in tech. And\, by opportunities\, they meant that individuals who pursue privacy research a nd design ought to be given incentives and made to feel valued. “The bil l addresses a little bit of the motivation\, but we have a long way to go\ ,” the founder said.\n\nSecond\, respondents suggested that there should be clarity about what Privacy by Design even means in the context of DPB\ , and how the DPA hopes to certify and approve this for businesses.\n\nThi rd\, many respondents suggested that Privacy by Design policy should not b e a mandatory compliance requirement that needs approval by the DPA. “It should come into picture when there is a dispute in terms of data protect ion\, i.e.\, if there have been some issues in terms of data protection\, data privacy or information security\, then the privacy by design policy o f the company can be scrutinized.”\n\nFourth\, one respondent involved w ith an agri-tech business suggested easing of the consent management syste ms involved with Privacy by Design policy as prescribed in the provisions of the DPB. They suggested one waiver instead of multiple consent manageme nt checks that add more friction to the process for users and for business es.\n\n#### Regarding algorithmic fairness.\nFirst\, the provision needs c larity. Since this is a design and technology principle that is largely a theoretical concept\, it will be useful to have defined boundaries regardi ng what the DPB means by algorithmic fairness.\n\nAn architect with a FinT ech business said\, \n\n>“I think the regulation needs to define what ex actly it tries to achieve with looking at the whole fair AI algorithm. In my view\, that basically comes to the question of specific vulnerable grou ps\, for example\, groups of women who do not have access to the formal fi nancial system. So for people with low income or people who are on social benefits\, and make sure that the algorithms are not discriminating agains t groups of people.”\n\nSecond\, it is necessary to have use cases for t his provision. In the words of the respondent cited earlier\, \n\n>“This is what needs to be defined very well by the regulation: what specific us e cases need to be addressed? Otherwise\, we can always find\, you know\, a criteria on which certain algorithms won't be fair or want to get to gro ups of customers in the same way. So it is a very\, I would say delicate q uestion\, which needs specific use cases to be defined to make it very muc h practicable and enforceable\, especially in the financial technology sec tor.”\n\nThird\, data and technology experts\, especially\, recommended that this provision of the future version of a privacy bill for India can be closer to being practical only when measurability and accountability fa ctors are clarified. *Respondents said that it is essential to know what m etrics the DPA hopes to use for algorithmic fairness.*\n\nFinally\, that w ill then require a team of auditors who are well-versed with data and algo rithms in ways that they can address nuances and specificities of all busi nesses. The auditors should be composed of neutral arbitrators too “who can actually assess how fair the algorithms are in that particular context ” said one respondent.\n\n#### Regarding overarching powers of the gover nment. \nTo thwart the risks of overriding powers of the government’s ac cess to data\, some of the recommendations by respondents are as follows.\ n\nThe lack of clarity about what constitutes as “necessary or expedient ” to enable broad data sharing with the government needs to be addressed . \n>“I think the Bill needs to specify what exactly means by fair requi rements\, and in what cases this actually needs to happen. Otherwise\, wha t is left at the discretion of the government agencies might be interprete d in multiple ways. It is important to outline more more concrete\, specif ic use cases\,” said an architect.\n\nOne of the respondents suggested t hat such demands for broad exemptions to the government and central agenci es must be supported by “at least the High Courts or higher\, and not ev en by the level of a magistrate or even SHO kind of thing.” Another resp ondent also echoed this recommendation\, \n>“I think the exemptions need to have a process that the courts need to uphold\, rather than the exempt ions being blanket requests\, which they can make at any time without any sort of checks and balances.”\n\nIt is worth noting that the earlier 201 8 draft did have provisions for due authorization by law for such provisio ns. [^11]\n\n\n\n\n\n\n---------------------------------------\n### Survey Design and Research Methodology\n#### Participant Profile Distribution\n` ``{vega-lite}\n{\n "height": "320"\,\n "width": "480"\,\n "autosize": { \n "type": "fit"\,\n "contains": "padding"\,\n "align": "centre"\ n }\,\n "data": {\n "values": [\n {"category": [" "\,"Architec t"]\, "value": 4.2\, "label": "4.2%"}\,\n {"category": "Product manag er"\, "value": 12.5\, "label": "12.5%"}\,\n {"category": ["Senior"\, "Engineer"]\, "value": 33.3\, "label": "33.3%"}\,\n {"category": "Fou nder"\, "value": 50\, "label": "50%"}\n ]\n }\,\n "mark": "arc"\,\n "encoding": {\n "theta": {"field": "value"\, "type": "quantitative"\, " stack": true}\,\n "color": {"field": "category"\, "type": "nominal"\, " legend": null}\n }\,\n "layer": [\n {"mark": {"type": "arc"\, "outerR adius": 130\, "innerRadius": 70\, "padAngle": 0.01}\n}\,\n {\n "ma rk": {"type": "text"\, "radius": 105\, "fill": "#fff"\n }\,\n "e ncoding": {\n "text": {"field": "label"\, "type": "nominal"}\,\n "size": {"value": 12}\n }\n }\,\n {\n "mark": {"typ e": "text"\, "radius": 170\n }\,\n "encoding": {\n "text" : {"field": "category"\, "type": "nominal"}\,\n "fill": {"value": " #000"}\,\n "size": {"value": 12}\n }\n }\n ]\n }\n```\n \nThis report has been created through semi-structured interviews with ind ividuals in SMBs and startups [^6]. \nThe Privacy Mode team identified and shortlisted business leaders\, startup founders\, Chief Executive Officer s (CEOs)\, Chief Technology Officers (CTOs)\, security and compliance expe rts\, product managers\, and engineering heads from the Indian SMB and sta rtup ecosystem. A total of 30 individuals were interviewed through June an d July 2022. Domain diversity and scale of operations of the startups were the two factors considered when shortlisting and contacting individuals a nd organisations to participate in this research. \n\nThe Privacy Mode tea m reached out to the interviewees with a primer on DPB\, interview questio nnaire\, and an ethics and consent form prior to the interviews. See Appen dices I and II for reference to the primer and the questionnaire. The prim er and background material were compiled so that respondents understood th e nuances and trajectories of DPB before the interview\, and were in a pos ition to respond to the questions with an informed opinion.\n\n----------- ----------------------------\n### Credits and acknowledgements\nWe thank a ll the interviewees who participated in this research and have shared thei r views.\n\n* Sweta Dash is the Lead Researcher of this study. She is a re searcher and independent journalist based in New Delhi. \n\n* Kalki Vundam ati was the research assistant for the report.\n* Aditya Sujith Gudimetla drafted the interview questionnaire\, which was finalized taking into acco unt comments from reviewers\, and based on the responses during initial in terviews. \n* Neeta Subbiah draft the primer\, and participated in initial interviews. \n* Sankarshan Mukhopadhyay\, editor at Privacy Mode\, review ed and provided critical feedback during various stages of this report’s preparation. \n* David Timethy is project manager at Privacy Mode. He ove rsaw the completion and publication of this report. \n* Anish TP create ch arts and visuals for the report. \n\n------------------------------------- --\n### Community participation and peer review\nIn keeping with Privacy M ode’s policy of peer review\, interviews were conducted by the Lead Rese archer and collaborators from the community. We thank the interviewers fro m the community for their active role in the research process\, and for br inging a critical perspective to this report.\n\n* Dr. Akshay S Dinesh is policy and ethics consultant at Weavez Technologies.\n* Joshina Ramakrishn an from Weavez Technologies is a software engineer and an entrepreneur wit h a decade of experience in inclusive technologies.\n* Kritika Bhardwaj is an advocate practising in Delhi.\n* Maansi Verma is a lawyer and public p olicy researcher.\n* Sameer Anja is co-founder at Arrka Privacy Management Platform.\n\n---------------------------------------\n\n### Citations and references for additional reading \n\n👉 [Draft Data Protection Bill\, 2021: ](http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20 Personal%20Data%20Protection%20Bill\,%202019/17_Joint_Committee_on_the_Per sonal_Data_Protection_Bill_2019_1.pdf )\n\n👉 Seetharaman\, Bhavani: [ “Understanding innovation in the Indian tech ecosystem”](https://hasge ek.com/OpenInnovation/mozilla-open-innovation-project-understanding-innova tion-in-the-indian-tech-ecosystem/sub/understanding-innovation-in-the-indi an-tech-ecosys-5uqEkMHygpMzpSjx5hkYHC) published at [Mozilla Open Innovati on Project: Understanding Innovation in the Indian Tech Ecosystem ](https: //has.gy/ipSo). Specifically\, see the chapter on the impact of policy on entrepreneurs in non-urban ecosystems - https://has.gy/ipSo\n\n👉 [Time line of the Bill](https://hasgeek.com/PrivacyMode/dpb-survey-report/sub/ti meline-EwfqvT5saqs3mNhzHb4xMw)\n\n👉 [Appendix - 1 Primer](https://hasg eek.com/PrivacyMode/dpb-survey-report/sub/appendix-1-primer-6suQLjX8RurkVp sAgfyV4V )\n\n👉 [Appendix - II Interview questionnaire](https://hasge ek.com/PrivacyMode/dpb-survey-report/sub/appendix-ii-interview-questionnai re-MbutetfKjXFSSppMEx8UEL )\n\n👉 [Glossary](https://hasgeek.com/Privac yMode/dpb-survey-report/sub/glossary-HzbNNdirD6hR4Q41xU6twS )\n\n\n\n---- -----------------------------------\n### Footnotes\n\n[^1]: Privacy Mode r eviewed the changes introduced in this PDP Bill\, and its likely impact on SMEs. This review was shared with the newly constituted JPC in September 2021. The review is published at: [hasgeek.com/privacymode/pdp-bill](https ://hasgeek.com/PrivacyMode/pdp-bill ). \nAlso see [Data Protection Bill wi ll increase compliance cost for small companies: Hasgeek](https://www.theh indubusinessline.com/info-tech/data-protection-bill-will-increase-complian ce-cost-for-small-companies-hasgeeek/article36584709.ece ): *Business Line .* Sept 2021\n\n[^2]: In the report on privacy practices in the Indian tec h industry in 2020\, Nadika Nadja and Anand Venkatnarayanan make the argum ent that compliance often becomes a checkbox to achieve instead of compani es focussing genuinely on user data privacy. This particularly happens in heavily regulated sectors when leadership looks at compliance as an inconv enience that must be fulfilled\, instead of paying attention to genuine us er privacy issues. See - [Privacy practices in the Indian technology ecosy stem](https://has.gy/sdFw). \nWithdrawal of the DPB in August 2022: \n[Gov ernment Withdraws Personal Data Protection Bill\, Plans New Set of Legisla tions](https://thewire.in/government/government-withdraws-personal-data-pr otection-bill-plans-new-set-of-legislations): *The Wire.* Aug 3rd 2022\n[E xplained: Why the Govt has withdrawn the Personal Data Protection Bill\, a nd what happens now](https://indianexpress.com/article/explained/explained -sci-tech/personal-data-protection-bill-withdrawal-reason-impact-explained -8070495/ ): *The Indian Express.* Aug 6th 2022\n\n[^3]: In a review of T elangana state government’s agriculture data management policy\, it has been pointed out that policymakers discount the fact that non-personal dat a (NPD) stems from personal data\, and hence\, focussing excessively on NP D poses risks for deanonymization of personal data. [Review of Telangana s tate's Agricultural Data Management Policy 2022](https://has.gy/naQc ): *P rivacy Mode.* Aug 6th 2022\n\n[^4]: See the summary of this public discuss ion on the internal and external organisational risks posed by NPD on busi nesses at [India's Non-Personal Data (NPD) framework](https://has.gy/bFon) : *Privacy Mode.*\nJustice K.S.Puttaswamy(Retd) ... vs Union Of India And Ors. on 24 August\, 2017: [Justice K.S.Puttaswamy(Retd) ... vs Union Of I ndia And Ors. on 24 August\, 2017](https://indiankanoon.org/doc/91938676/ ): *Indian Kanoon*\n\n[^5]: In a panel discussion on current industry prac tices around Privacy by Design\, it was suggested that policies be made on a principle basis\, rather than with very specific technological recommen dations. The implementation of these policies should be left to broad indu stry discussions\, among tech and business communities. See [Privacy Best Practices Guide](https://has.gy/V74h): for a summary of the panel discussi on : *Privacy Mode.*\n\n[^6]: According to the Government of India\, small and medium businesses are those that have investments between 10-50 crore s and turnovers between 50-250 crores respectively. Businesses are recogni sed as a startup till 10 years from its date of incorporation\, with a rev enue threshold of Rs 100 crore. [MSME Gazette of India 1](https://msme.gov .in/sites/default/files/MSME_gazette_of_india.pdf )\, [MSME Gazette of Ind ia 2](https://dpiit.gov.in/sites/default/files/notification_Definition_Sta rtupIndia_06July2021.pdf )\n\n[^7]: Source: https://www.business-standard. com/article/economy-policy/70-respondents-want-data-protection-bill-to-dro p-localisation-rule-survey-122082400325_1.html\n\n[^8]: See [For better co mpliance\, tech transfer\, Govt to ease data localisation norms](https://i ndianexpress.com/article/india/for-better-compliance-tech-transfer-govt-to -ease-data-localisation-norms-8088627/ ): *Indian Express* Aug 14 2022. Al so see [What MeitY Has Said On Upcoming IT Laws Since Withdrawing The Data Protection Bill](https://www.medianama.com/2022/08/223-meity-upcoming-law -data-protection-bill-withdrawn/ ): *Medianama* Aug 10 2022\n\n[^9]: See [ USTR Releases 2022 National Trade Estimate Report on Foreign Trade Barrier s](https://ustr.gov/about-us/policy-offices/press-office/press-releases/20 22/march/ustr-releases-2022-national-trade-estimate-report-foreign-trade-b arriers ): *ustr.Gov* Mar 31 2022.\n\n[^10]: See [Bhavani Seethraman’s critique of the data localization provisions in the PDP Bill\, and the pot ential loss to GDP that this clause will clause were it to be implemented] ( https://has.gy/kmNT ): *Privacy Mode*.\n\n[^11]: See [Ugly Sides of Da ta Protection Bill and Fallacies of JPC Report](https://www.newsclick.in/U gly-Sides-Data-Protection-Bill-Fallacies-JPC-Report ): *News Click* Dec 20 2021\, [There’s an expansion of state power in the domain of privacy] (https://indianexpress.com/article/opinion/columns/personal-data-protectio n-bill-jpc-7678418/): *Indian Express* Dec 18 2021\, [Sweeping powers to government under data protection Bill a step backwards\, say experts](htt ps://economictimes.indiatimes.com/tech/internet/sweeping-powers-to-governm ent-under-data-protection-bill-a-step-backwards-say-experts/articleshow/72 475760.cms?from=mdr ): *Economic Times* Dec 11 2019 \n LAST-MODIFIED:20230810T072505Z LOCATION:Online - https://hasgeek.com/PrivacyMode/dpb-survey-report/ ORGANIZER;CN="Privacy Mode":MAILTO:no-reply@hasgeek.com URL:https://hasgeek.com/PrivacyMode/dpb-survey-report/ BEGIN:VALARM ACTION:display DESCRIPTION:The past as a compass for the future in 5 minutes TRIGGER:-PT5M END:VALARM END:VEVENT END:VCALENDAR