India's Non-Personal Data (NPD) framework

This summary is divided into two parts. The first part lists out the questions that were discussed in the panel. Read the first part on: https://hasgeek.com/PrivacyMode/npd-week/sub/summary-of-panel-discussion-on-impact-of-npd-on-st-3kYSFXUkeTGANHzA8bQz2t

The second part covers:

1. Concerns shared and recommendations made by startups.
2. Concerns shared and recommendations made by investors.
3. Policymakers perspective.

Part II: Impact of NPD on startups and SMBs; considerations for NPD V3

1. Startups’ concerns:

• The NPD framework in its current form focuses on public good rather than on economic value creation as an end in itself.
• Any data, including metadata can reveal a lot about the strategic direction in which a company is moving. This is a major concern that companies have today.
• One way to think about data sharing under NPD is like each company’s CSR obligation, or a tax that large companies have to bear for the greater common good, asserted Deepa Venkatraman, CEO at Nilenso Software.
• There is tension and conflict between privacy and metadata sharing. The NPD Report prioritizes data sharing over privacy. The precise privacy concern is that only the machine should be able to access the data, not humans i.e. there have to be additional mechanisms in companies have to put in place to be able to safeguard personal data, making sure nobody except the machine can look at data. Kumar Rangarajan, co-founder and CEO of Slang Labs explained this concern by saying “We should share data. We should have the directory of available data globally shared. But we also need to be able to figure out a better way to anonymize data, and a better way to know make sure that this data that we are sharing is not reversible.”

2. Recommendations from startups for NPD V3:

• Set appropriate thresholds as to whom NPD legislation will actually apply to and whom it will not. This will take off the burden of the compliance overhead on all startups equally. For example, early stage startups need to know that they don’t need to be concerned if the potential NPD legislation will exempt them.
• Create a lock-in time for the data sharing. The lock-in period of the data can help startups maximize the initial leverage. Then, if startups want to make the data available for somebody because there is no point in that data sitting in the storage, or that the data is not adding any more additional value to the startup, or to anybody else, expose the data. Having delayed exposure of data can be a great way for businesses to not lose initial value, but also for everyone else to maximize on this data.
• There is value in metadata creation, especially if a startup wants a more structured format to consume data. Value creation will certainly happen starting with metadata creation.

3. Investors’ concerns:

• Most startups are unaware of the implications of NPD. It comes as a shocker to them when investors try and help them understand that this is something that is being proposed. Sending out an email or survey to most startups to try and help them answer questions about NPD’s nuances is therefore futile. For those startups that have done a deeper dive and have understood the NPD Report, they fear that NPD is going to kill and finish innovation, Shweta Rajpal Kohli of Sequoia Capital asserted.
• Sameer Brij Verma, MD at Nexus Venture Partners, emphasized that investors hate uncertainty without when they are making an investment into startups. “These are companies which are in search of a business model and there all kinds of risk thrown out there, especially in the early stages. What we want is for any startup or any entrepreneur is absolutely good and clear regulation, and less overhead in building out the company,” he explained.
• Rajan, partner with Upekkha, pointed that if the government were to introduce more and more regulations that make it complicated to do business in India, then entrepreneurs will go to places where there is least amount of friction in doing business.

4. Recommendations from investors for NPD V3:

• “Give a paradigm of giving certainty to businesses, so that it is a level playing field in some ways. That NPD is it is not putting anybody at a disadvantage, or the other,” Sameer asserted. Putting another perspective to Deepa Venkatraman’s point, Sameer suggested that tax can be good if there is a tangible framework. “If that tangibility framework can be put in place, in some ways that it brings in a level playing field, then we welcome such policy moves.”
• Rajan further emphasized the aspect of big versus small startups and the creation of level-playing field. He suggested that loss of competitive advantage is for the incumbent, not for an early stage startup. Policies are intended to reign in monopolies. Big businesses fear loss of competitive advantage. But regulations should be easier for startups. Rajan summarized, “for big businesses, data is a moat, a source of defensibility.”
• Shweta Rajpal Kohli emphasized that the personal data protection law should be implemented first. “Let it function for a few years to understand the complexities and nuances of implementation,”" she said, adding, “We’re at a stage in our data governance as well as tech policy where the country does not have a data protection law. And that should be the overarching regulation that we should look at. We must not only look at a data protection regulator coming in place, as the as the bill suggests, but also putting in place rules and regulations trying to make that process work. This is a huge task that that the entire tech industry, the government, policymakers have in front of them. In the midst of this, if we come up with a separate exercise and try to do something which no other country in the world has done, then we are just causing so much confusion in the minds of startups that are just looking for ease of doing business.”

5. Policymakers’ perspective:

Listening to these concerns, Ashish Aggarwal, Head of Public Policy at NASSCOM mentioned, “I want to underline the fact that in all of the deliberations of the (NPD) committee are that this (NPD) will be beneficial to the startups. When we look at the the report shaping up, if we don’t see this benefit, then I think that’s something that we should worry about.”

Ashish summarized the NPD Report and the efforts of the CoE in the following manner:

• A message both to startups and the ecosystem at large is that, per se, it doesn’t mean that every startup will be required to share any data whatsoever.
• What the NPD Report is simply saying is that once a High Value Dataset (HVD) is created, and there are particular startups who could potentially contribute to that high value dataset, then those startups will be asked to contribute to that dataset.
• It can be ensured that no proprietary business productivity, think internal processes, linked information is shared.
• Startups will not be paid for the data they have collected. But they will be paid for any effort that is required for anonymization processing or sharing aspect of that data.
• It appears that there is very limited context where some startup might end up being asked to share data.
• The Personal Data Protection (PDP) Bill has put the consumer at the center. The NPD Report has in in a kind of a wrong way put the consumer in the center by putting the clause of consent for anonymization. This puts the consumer at the center in a wrong way.
• The role of the data trustee needs to be carved out a little more clearly, because the data trustee will handle the High Value Dataset, and who will make demands on sharing of the data. The eligibility of this data trustee and some principles mentioned in the report need to be clarified further.

“What will really help us to take the discussion forward is that if the now committee can do the hard work, after having done all the work, which they’ve already put in, to actually think in terms of a draft legislation, if that’s what we are heading for, and, and really, you know, put that out for consultation and discussion, because that will really give us a little more clarity on how this is expected to play out. Otherwise, we are looking at a report and we are trying to imagine the things as they will move forward,” Ashish concluded.