Outlook 2021: Designing data governance policies to promote domestic startups

The past year has seen several changes within the startup ecosystem, be it in terms of the increased reliance of digital services by the consumer base, or making sense of varied government policies that are regulating the ecosystem.

In sectors such as edtech, fintech, ecommerce, the pandemic made digital the new normal as the world stayed in lockdown. As we continue to move forward, socially distant and with masks, the changes in our relationship with the digital services and startups that serve us, are here to stay. 

The Personal Data Protection bill and the Report of a committee of experts on Non Personal Data Governance Framework seek to make substantial changes to the nature of data flows and consequently, the manner in which data intensive startups function.   

The framework, released to the public, in July 2020, seeks to govern and regulate non-personal data flows, within borders and across geographic borders. In a data-driven world, the startup and SMB community stand to gain from the increased market opportunities, and the Government has identified the startup ecosystem as an integral component in an AtmaNirbhar Bharat.

That being said, the sector is deeply affected by the impact of COVID-19, with many businesses closing shop. This has created a crunch in innovation, and the funding that these startups relied on to continue scaling.

With more and more startups relying on data driven business models and analytics for improving the service/product, and using data for their competitive advantage, data governance laws with steep compliances are a cause for worry. The regulations will have a direct effect on how the businesses deal with data available to them, and that is on the market. 

The regulatory uncertainty in matters pertaining to handling data and the drawing economic value from data, causes indirect impact on long term innovation and investments as well. 

Investors that are looking for facilitating growth in the domestic market are also deeply concerned about the current trend of steep compliance, excessive government access to data and regulatory uncertainty. 

In this context, the commonalities in the two frameworks are pertinent to note. Firstly, both the PDP and the NPD framework restrict cross border data flows, citing reasons pertaining to sensitivity of data that underlies it. 

While the concerns regarding harm are valid, the solution to address the concerns might be misplaced. The assumption is that security is better served if the data is stored within the territorial limits of the country and that rests on shaky grounds. Unless investments are made towards setting up of data centers, with global standards of security, this proposition seems to be a long shot as far as protecting data is concerned. 

However, the solution to this could lie in developing data sharing agreements between countries or creating harmonised data protection laws with countries that share the same ethos as us when it comes to data privacy and security. Besides, for a startup with limited resources and global ambitions, the benefits of free flow of data with foreign jurisdictions might be crucial as far as growth is concerned. 

Second, the nature of government access to private data that has been collected by the companies is a sticking point. This causes concerns for both founders and investors alike.

In a research study that we have been conducting, we have noticed a common trend amongst the startup ecosystem to be open to sharing certain kinds of data with the government, within a strong framework of rights. The current wording regarding mandatory sharing of anonymised data, non personal data with the government agencies further deepens the asymmetry in power between the government and the startup ecosystem. 

Data is not merely a by-product that these businesses generate, sometimes collection and storage of certain kinds of data (based on the nature of the business) is towards a certain goal. Insights that are drawn from data are also important for scaling, strategic development and for maintaining competitive edge in the market. To that extent, any data sharing regime with private/government must respect voluntariness as a principle which supports any such sharing. 

Third, the startup ecosystem stands to benefit from an interoperable system of data governance laws. With the intent of making India a global leader when it comes to the tech sector, there is ample scope for the labour market in India to serve a global audience. Access to foreign markets and ecosystems will be easier for many startups if regulatory synergy existed with other leading jurisdictions. To that extent, the Personal Data Protection Bill must strengthen its provisions regarding the structure and constitution of data protection authority, must relook localisation mandate and define classes of data clearly to make itself align with global standards. 

Last, the provisions regarding innovation sandbox and exceptions for startups and SMBs within the paradigm of data protection is a welcome move. The mandate for allowing startups greater access to pools of data to innovate on would spur innovation. However, it is to be noted that mandatory sharing frameworks will do more harm than good, and questions on conflicts of interests must be acknowledged in any case right from the start. 

The need of the hour is for progressive policy that aims to uplift the technology startups that are thriving in India, and create a conducive environment for their growth. Regulatory certainty, reduced compliance burden and increased interoperability will push the interests of the domestic ecosystem forward. 

More and more of our lives are turning digital, there is an increased number of consumers who are waiting to be served within the Indian market. This is an opportune moment for the law makers, regulators and policymakers to come together and to create systems that are sustainable and benefit all stakeholders.


Kazim Rizvi is founder and Karthik Venkatesh is research coordinator at The Dialogue. The article was first published in TechCircle.