The tiered system RBI should consider for merchant discount rate charges on digital payments

Overall, it seems as if a tussle is brewing between India’s monetary and fiscal authorities. However, to objectively evaluate this debate on charges for P2M transactions, it is important to understand incentives and dynamics at play in the payments ecosystem.

Authors: Rohit Kumar and Aishwarya Viswanathan
Published: November 11, 2022 in The Economic Times

From debit and credit cards to e-wallets, India’s payments landscape has seen many waves of innovation and regulation over the years. Today, India’s latest home-grown innovation, the Unified Payments Interface (UPI), currently free of charge, is the subject of a fiery debate on whether levying charges will slow the adoption of digitisation or, worse, undo its gains and hasten a reversal to cash transactions.

In August 2022, the Reserve Bank of India released a discussion paper to elicit feedback on charges in the payments system. The paper approximated that, collectively, the various players enabling a UPI peer-to-merchant (P2M) transaction with an average value of ₹800 incur a charge of ₹2. A few days later, the finance ministry tweeted that UPI will continue to remain free of charge and cost concerns of service providers will have to be met through other means.

Overall, it seems as if a tussle is brewing between India’s monetary and fiscal authorities. However, to objectively evaluate this debate on charges for P2M transactions, it is important to understand incentives and dynamics at play in the payments ecosystem.

The ability to ensure frictionless and secure real-time payments via UPI is heavily dependent on banks and third-party app providers that perform a range of functions, including the acquisition of merchants, provision of infrastructure, fund transfers, and, as such, bear significant fixed and operating costs for facilitating transactions. While the finance ministry has already allocated two rounds of subsidies of ₹1,500 crore and ₹1,300 crore to boost digital transactions, continued subsidising of costs is likely going to be fiscally unsustainable.

And even if subsidies are an option, they can be an impractical offering that can lead to coordination difficulties with respect to allocation between payment players. For instance, in June, several payment companies wrote to the National Payments Corporation of India (NPCI) complaining that a large chunk of the money granted in the budget is being retained by banks, with very little flowing their way.

Here, it is important to note that much of UPI’s capture of India’s payments landscape has been enabled by payment companies operating third-party apps, who have invested heavily in designing user-friendly interfaces and instituting attractive cash back offers to drive adoption. But without adequate fiscal support, they are being incentivised to pursue other means of monetising their business.

What goes UPI, stays up

While some apps have chosen to directly pass on costs to consumers in the form of platform fees on services such as prepaid phone and direct-to-home (DTH) recharges, others are making up for lost revenue through cross-selling. A few others are indirectly imposing costs on users through data monetisation. In the absence of a comprehensive data protection legislation, the repercussions of some of these practices can be worrisome.

While the zero-charge framework for UPI transactions has certainly played a role in providing a fillip to the payments ecosystem, its role in incentivising adoption may be overestimated. In the digital payments space, the cost of acquiring and maintaining UPI’s QR (quick response) code infrastructure continues to be among the lowest for merchants. While it took over a decade to increase the number of point-of-sale (PoS) terminals from 5 lakh to 50 lakh, there are already over 10 crore QR code terminals in the country. By the time UPI completes a decade in existence, the number of QR codes is set to reach 170 crore.

Apart from the asset-light infrastructure, a steady proliferation of use-cases has been critical to merchant uptake. From recurring payments to FASTag recharges and ever-increasing acceptance of cross-border payments, continued innovation and development of UPI’s mandate promises to preserve UPI’s ubiquity and the expansion of its merchant base.

Against this background, instituting a merchant discount rate (MDR) may represent an important avenue of cost recovery for intermediaries. Rather than denting merchant acquisition or retention, MDR may help maintain uptake by making the system more resilient and sustainable, a factor also critical in driving more users towards UPI. Also, the fact that UPI currently accounts for almost 50% of digital financial fraud and lacks a robust real-time dispute-resolution mechanism reflects the urgent need to create adequate financial incentives to enable robust systems for trust-building and longevity.

Since merchants have an option to choose between different service providers that offer the best rates, the market for merchant acquisition is generally competitive. So, ideally, the regulator should let MDR be market-determined. However, to ensure that the optics of levying MDR does not taint public perception or adversely impact acceptance of UPI, the regulator can consider instituting a tiered system of charges. UPI can be kept free of charge for low-value transactions, with higher-value transactions being charged a market-determined MDR. The threshold above which payments get charged can be decided by the regulator based on the funds required for sustainability as well as consumer price sensitivity.

Separate wheat from cost

For this, understanding the elasticity of demand to UPI transaction charges will be useful. Such research will help ascertain how usage of UPI is likely to be reduced if costs were to increase and, consequently, assist in identifying the threshold that balances costs and returns effectively.

This exercise can particularly help India’s monetary authorities proceed with a degree of certainty and assuage the concerns of the fiscal administration – which is actually pursuing the same objective: a safe and secure digital payments landscape.

Creating ‘good’ digital public infrastructure

Looking beyond the ‘tech’ aspects of digital public infrastructure to how it interacts with users as individuals, as collectives, and in societies.

Authors: Kriti Mittal, Varad Pande and Aishwarya Viswanathan
Published: October 26, 2022 in ORF

The COVID-19 pandemic revealed that despite the vast difference in our geographical, cultural, social, and political contexts, one thing that countries all over the world urgently need is digital public infrastructure (DPI).

DPI comprises foundational population-scale technology systems on which the digital economy operates, such as identity systems, payment systems, data exchanges, and social registries.

Some countries, such as India, were able to leverage existing DPI to provide targeted social protection assistance to their citizens amidst the pandemic; on recognising the benefits of ‘digital-delivery’, others such as Togo and Sri Lanka undertook efforts to rapidly build their own. The demand for DPI among countries has grown significantly since then, with the World Bank’s Identification for Development initiative alone currently supporting 49 countries to implement digital IDs.

Today, DPI is increasingly being built using open-source and modular technologies that enable ‘interoperability’, which facilitates the exchange of information between different arms of the public and private sector, thereby, vastly improving the speed and scale of service delivery. This represents a paradigm shift from older end-to-end siloed systems, wherein governments provided end-to-end services through monolithic tech systems, to building minimal digital infrastructure that allows multiple actors to build solutions on top. DPI designed in this way can mean significant time and cost savings. For instance, conservative estimates suggest that Estonia’s X-Road—an open-source government data exchange system that facilitates the provision of over 99 percent of all government services digitally—saves Estonians an estimated 820 years of working time every year and approximately 2 percent of GDP.

Another DPI success story is India’s Unified Payments Interface (UPI), which facilitates the largest number of daily transactions of any tech platform in the world, and is estimated to have resulted in savings of US $12.6 billion in 2021. Moreover, since its launch in 2017, India has been improving financial inclusion at a compound annual growth rate of over 5 percent, a significant expansion of India’s formal financial system.

‘Good’ DPI is more than just the tech

Given such unprecedented population-scale impact, there is now a growing consensus around the necessity of DPI. However, there is much debate about what constitutes ‘good DPI’. As countries embark on the journey of building, maintaining, and scaling their DPI, it is imperative to understand that the technology, no matter how powerful and essential, does not exist in isolation and cannot solve all problems by itself. To maximise the benefits of DPI for the provision of citizen-centric services, and minimise risks and potential harms, the ‘non-tech’ layers of institutions, legal and regulatory frameworks, and communities are equally, if not more, important than robust technology solutions. In this regard, the ‘open digital ecosystems’ (ODE) approach offers a useful framework and set of guiding principles, with a strong emphasis on strengthening DPI through citizen-centric design and safeguards, sustained community engagement, institutional capacity building, and robust governance.

To design ‘good’ DPI, countries can build on the ODE approach and focus on getting three key ‘non-tech’ elements right: Trust, access, collaboration.

  • Building trust in the ecosystem to drive DPI adoption 

The potential of DPI to generate new economic and societal value largely depends on the extent of end-user adoption, which, in turn, depends on how much citizens trust the new technology. Building trust in the context of DPI has many dimensions—from data security and privacy to institutional accountability and grievance redressal, to proactive communication and change management.

In an increasingly digitised society, data privacy and security are among the biggest risks for users if DPI is not designed with adequate safeguards. Safeguards can be built in both the tech and non-tech layers. Firstly, they can be incorporated into the design of the technology itself as a ‘default setting’ to protect all citizens, including those who may not be equipped to make active choices to protect their personal data. Secondly, safeguards can be put in place through robust governance (data protection laws and accountable institutions).

‘Security-by-design’ and ‘privacy-by-design’ principles, which include both technological and policy choices, can be incorporated at all stages of the development of the DPI. Security-by-design principles, to ensure secure processing and sharing of data, include access control, encryption, anonymisation, and the like.

Privacy-by-design principles include ensuring data is collected for a specific and limited purpose, designing mechanisms for informed consent for data sharing that are in adherence with relevant data protection laws, and defining usage and obligations around the processing of data.

Additionally, countries can learn from ongoing research on behavioural science approaches to data privacy that are experimenting with innovative mechanisms, such as behavioural nudges and simplified privacy ratings, which aim to reduce the ‘burden’ of making privacy-conscious choices from the end users. Supporting such ‘responsible tech’ choices can play a key role in ensuring the security and privacy of citizens’ data and, thereby, building transparency and trust in the digital infrastructure.

The other key dimension of trust is the accountability of the ‘institutional home’ of the DPI. For example, in India, the Unique Identification Authority of India (UIDAI) is the institutional home of the Aadhaar system. Similarly, the National Health Authority is the institutional home of the digital health infrastructure. Ensuring accountability of these institutions includes conducting frequent public consultations, having responsive grievance redressal, establishing the right legal and institutional structure in line with the objectives of the DPI, and guaranteeing transparency in reporting and disclosing audits. The risk of diffusion of accountability because of multiple actors being involved in digitally-mediated service delivery between the state and the citizen must be proactively addressed.

Lastly, DPI implementation results in significant changes in the roles of last-mile government functionaries, as well as the processes through which citizens interface with the state. Managing these changes sensitively, developing mass awareness campaigns and innovative mechanisms for government-to-citizen and citizen-to-government communications will be crucial for enhancing users’ experience, and a sense of connectedness and co-ownership of the DPI.

  • Working towards universal digital access and inclusion 

Digital accessibility—access to digital connectivity as well as digital literacy—is fundamental to the adoption of DPI. It is also critical, especially for low- and middle-income countries starting their DPI journeys, to ensure that digitisation does not deepen existing regional and socioeconomic divides.

According to the International Telecommunications Union, the COVID-19 pandemic accelerated access to the internet, with the number of users increasing from 4.1 billion in 2019 to 4.9 billion in 2021. However, access is not uniformly distributed, with stark urban-rural and gender divides persisting. In India, for instance, 2021 National Health and Family Survey data also shows only 24.6 percent of rural women have ever accessed the internet, as against 72.5 percent of urban men.

Apart from access, limited digital literacy also impedes the meaningful adoption of DPI. Moreover, limited digital literacy or awareness also raises the risk of exposure to harmful online content, which can further disempower users and disincentivise adoption.

Measures must be taken to bridge these digital divides for countries to implement DPI without exacerbating existing structural inequalities. Multimodal access (feature phone, smartphone, computer) must be prioritised to accommodate for varying levels of digital access that might exist between different social groups. For instance, to drive the adoption of digital payments in India, the National Payments Corporation of India launched the UPI123Pay Service to allow feature phones without an internet connection to use UPI.

Field studies have found that even when digital services are accessible, trusted intermediaries or community anchors play a critical role in enabling adoption. Therefore, such a ‘phygital’ approach should be factored into the DPI vision. These intermediaries encompass a vast range of individuals and institutions, from local NGOs and community-based organisations to local politicians and trusted community leaders. By augmenting online touchpoints and processes with a human point of contact that often functions as the ‘last mile of service delivery’, omnichannel access can ensure underserved communities are able to access digitally-enabled service delivery.

Civic-tech organisations can also play an enabling role in facilitating last-mile inclusion by developing contextualised solutions, such as Gramvaani’s interactive voice response system for rural areas with limited connectivity, and Haqdarshak’s ‘assisted-tech’ model where community-based field agents support citizens in accessing government programmes.

  • Encouraging collaboration through open technologies 

The ability to collaboratively build solutions on top of core technology infrastructure or to reuse and repurpose digital building blocks to create new solutions makes the current approach to building DPI unique and different from past approaches. This opens the possibility for individuals, startups, non-profits, and others to contribute to population-scale digital solutions. Open-source software and building collaborative communities are the two key elements to making this happen.

DPI set up in areas critical to the functioning of an economy must be able to accommodate any unexpected increase in demand in the number of transactions or users, and also be able to respond to the evolving needs of a large and diverse set of users. Promoting and mainstreaming the use of open technologies—such as open-source software, and application programming interfaces and protocols, where anyone is free to access, use and share code—can be useful as they encourage collaboration and distribute the ability to solve population-scale challenges.

The technological and legal features of open technologies help governments avoid vendor lock-ins and, consequently, lower the costs of switching between vendors of proprietary software. The adaptability of open technologies is also useful in creating customised solutions tailored to local contexts. In other words, open technologies are a key enabler of citizen-centric innovation.

Such open innovation can also lead to unlocking significant value for countries. A 2021 European Commission study found that a 10-percent annual increase in open source software contributions would boost Europe’s GDP by an additional 0.4 percent to 0.6 percent, while also creating more than 600 additional tech startups in the bloc.

While open technologies create the possibility for the wider community of open-source developers, startups, and civil society organisations to participate in the development of digital solutions and services, it is also important to create concrete avenues for the community to recognise this opportunity and have incentives to participate. Many countries adopting this approach focus on creating enabling environments rather than building end-to-end solutions by introducing mechanisms such as sandbox testing, incentive-based innovation challenges/hackathons, incubation centres, and other test beds that provide avenues for meaningful participation. For instance, Singapore’s digital transformation agency, GovTech Singapore, hosts a portal where the community can contribute towards testing and suggesting improvements to GovTech applications. Similarly, India’s DPI for healthcare, the Ayushman Bharat Digital Mission (ABDM), has outlined sandbox testing guidelines, which will allow innovators to test their products or services in a controlled environment. As of June 2022, 867 health service applications were tested in the ABDM sandbox, and 40 applications have been successfully integrated.

The way forward 

The choices made by countries in the current era of building foundational DPI will have far-reaching consequences for future generations. From the point of view of long-term sustainability and equity, the most critical set of choices may be those pertaining to financing DPI and building the right kind of teams to manage DPI, with implications for trust, access, and collaboration.

Setting up digital infrastructure requires specialised expertise in technology and other fields like data analytics, design thinking, and social sciences. Therefore, institutions set up to build digital infrastructure must have systems for encouraging collaboration across domains. Developing in-house capacity and procuring top-quality external partners to build and maintain DPI is one of the most common problems that governments worldwide are grappling with and trying to solve in different ways. For instance, UIDAI pioneered a unique talent strategy where it enlists the services of experts from academia and industry from diverse backgrounds to work with the organisation. It lays down the recruitment guidelines for professionals, volunteers, and sabbatical/secondment officers, and details the manner of engagement, selection criteria and the code of conduct. In the US, the Barack Obama administration set up a ‘presidential innovation fellows’ programme, which evolved into a permanent technology team, to bring top talent into the US digital service.

Finally, developing a long-term financing model will be critical in ensuring the sustainability of DPI. In this regard, public resources are preferable for the development and maintenance of the ‘core infrastructure’ at the national level as this infrastructure must remain accountable to the wider population due to its pivotal role in enabling public service delivery. Private or philanthropic capital (typically with a higher capacity for risk) may be leveraged to test new innovative solutions by developing proofs of concept, prototypes, and pilots. Innovative mechanisms such as setting up a sovereign tech fund or using blended finance instruments could also be considered to finance resilient DPI. Overall, financing models for DPI, especially for different stages of its lifecycle, is an area that requires more research and experimentation.

The DPI vision of enabling speedy and sustainable service delivery at scale brings with it many changes in the relationship between citizens and states. While entirely essential and inevitable, the true potential of digital infrastructure lies in looking beyond the tech itself to focus on how it interacts with users as individuals, as collectives, and in societies. Approaches like the ODE framework are helpful to bring nuance to ongoing debates as countries begin to make critical choices on both tech and non-tech layers so that DPI can be deployed to meaningfully work towards society’s wellbeing.

The safety gaps in UPI payments — and how to plug them

Despite the ‘openness’ of the UPI architecture, a concentration of market power in the UPI ecosystem is no secret.

Authors: Deepro Guha and Aishwarya Viswanathan
Published: September 28, 2022 in the Livemint

Clocking volumes as large as 10,000 transactions per second, the Unified Payments Interface (UPI) has revolutionized real-time payments in India.

Launched in April 2016, a few months before demonetization and the arrival of new telecom players, initial UPI adoption was driven primarily by the state’s clampdown on the cash economy and dramatic crash in telecom data plan prices.

Subsequently, its open architecture model, which allowed for interoperability across banks and payment service providers, steadily endeared itself to India’s mobile-first consumer economy by offering unparalleled transactional convenience. Today, the country has over 100 million monthly active users of UPI. So, what sets UPI apart? At the forefront of its story is a strategy spearheaded by National Payments Corporation of India (NPCI), which, as UPI’s chief architect and custodian, has been dismantling barriers and incentivizing UPI adoption at two levels: local and global.

Going ‘Glocal’: Recent estimates suggest that a sizable section of India’s poor households have started using digital payment tools. Much of this increase in adoption can be attributed to UPI’s popularity, while NPCI continues its efforts to widen access to UPI by offering products such as UPI 123Pay, a voice-based payment service for feature phone users, and services like DigiSaathi, a 24-by-7 helpline, and UPI Lite for offline transactions. Although perhaps insufficient to address India’s challenges of digital literacy, access and connectivity, these efforts have nudged users to go digital and move away from the informal cash economy.

Similarly, in an era of great power politics being shaped increasingly by developments in the digital realm, NPCI’s partnerships with international networks are noteworthy. For instance, recent announcements of linking UPI with Singapore’s PayNow, Dubai’s NeoPay and the UK’s PayXPert may not only encourage adoption, they may also prove critical in bringing down remittance fees while decreasing India’s dependence on other cross-border payment systems. Remittances are not only an important source of household income, but also a critical source of financial inflows for countries, often higher than foreign direct investment (FDI). In 2021, India received $45 billion as FDI and $87 billion in remittances. Therefore, driving down the cost-of-transfer may magnify the platform’s benefits at the household level.

Overall, the adoption of UPI is a success story that needs to be applauded. However, this ubiquity and relentless rise are not without risks, and critical questions that relate to UPI’s functioning and future need answers.

What are the risks of UPI infrastructure that users should be wary of? Despite the ‘openness’ of the UPI architecture, a concentration of market power in the UPI ecosystem is no secret. GooglePay and PhonePe still dominate it. While they deserve credit for their critical role in driving UPI’s spread, their dominance of this ecosystem is starting to preclude the meaningful participation of others in this market. To keep it contestable, NPCI had in its role as a quasi-regulator decided to issue a cap of 30% on transaction volume clocked by any single player. However, the deadline for compliance with this diktat has been pushed forth several times, with little clarity on how it will be enforced. These concerns have also been recognized by the Reserve Bank of India (RBI), which is studying regulations in other jurisdictions to find an effective solution to a problem that is not easy to solve.

More ominously, UPI currently accounts for a whopping 50% of all online financial fraud. Various devices old and new, such as phishing, malicious QR codes, etc, are being used to trick consumers. Part of the problem stems from the ease and newness of UPI; users are yet to fully understand and adapt to it. While card systems have over time developed robust systems for fraud prevention, this is yet to be addressed in UPI’s case. However, given its furious growth and user-base being more inclusive than those of card networks, a lot more needs to be done. To improve the security and reliability of the interface, UPI service providers would need to tweak their digital architecture, which in turn would entail additional expenditure. Hence, the next question.

What is the cost of the UPI infrastructure and who will bear it? RBI recently estimated that for a ₹800 merchant transaction, various stakeholders enabling a UPI swipe incur a collective cost of ₹2 per transaction, which suggested that the cost of infrastructure may not be sustainable in the long run. A few days later, the ministry of finance intervened with assurances that UPI will remain available free of cost. However, details of what fiscal support will be offered to keep UPI swipes free of cost are yet to be seen. Until then, questions of who will bear the cost of UPI, and for how long, will continue to loom.

Separately, given the involvement of multiple private stakeholders in the UPI payments chain, it is important to ensure the sustainability of their operations and alignment of their incentives with public good objectives. In this context, while many solutions have been suggested by experts, a tiered system of charges for ensuring UPI sustainability could be considered.

Overall, the time has come for us to look beyond UPI adoption. Identifying workable solutions to questions around competition and cost of operation will be critical in ensuring that India’s unique experiment in online payments continues to look up for years to come.

Betting big on healthcare

We discuss lessons from a research study undertaken for the Lancet Citizen’s Commission on Reimagining India’s Health Systems. The study highlights how healthcare came to be seen as a politically viable and electorally rewarding issue in some, but not nearly enough, States.

Author: Nikhil Iyer
Published: August 11, 2022 in The Hindu Business Line

Ask any politician at random if they think healthcare needs to be prioritised in India, and they are likely to say yes. Yet, there seems to be a sense of reluctance in making healthcare a political priority.

As India turns 75, we discuss lessons from a research study undertaken for the Lancet Citizen’s Commission on Reimagining India’s Health Systems. The study highlights how healthcare came to be seen as a politically viable and electorally rewarding issue in some, but not nearly enough, States.

In early 2022, Tamil Nadu and Rajasthan indicated they would legislate a Right to Health for their citizens. An emphatic political expression by the respective Chief Ministers, these bills signify a culture where politicians feel incentivised to deliver better healthcare as their competitors try to one-up them.

Take Tamil Nadu’s case. The Right to Health Bill’s antecedents include a maternity benefits scheme for women’s nutritional security (1987), procurement and distribution of free medicines (1994), health insurance (2009), and so on. Over decades, motivated by the Dravidian ideology, leaders like K Karunanidhi, MG Ramachandran and J Jayalalithaa pursued initiatives which have embedded an expectation of health among voters. Present-day politicians, who seek to sustain their legacies, thus have an incentive to continue reforms.

Competitive political issue

In Rajasthan, health has become a thriving, competitive political issue in the past decade. In 2011, then Chief Minister Ashok Gehlot introduced the free medicines and diagnostics schemes, which went on to become so popular that even his successor Vasundhara Raje had to continue them, despite murmurs about watering them down. Later in 2013, as CM, Raje introduced a health insurance scheme, and set up ‘Model PHCs’. On returning as CM in 2018, Gehlot first expanded the coverage and eligibility under the insurance scheme, and has now introduced the Right to Health Bill.

There have been a few more instances where Chief Ministers decided to bet big on health, in turn affecting voter expectations of other politicians in the State. A relevant example is the legacy of YS Rajasekhara Reddy in Andhra Pradesh, which is claimed by his son Jaganmohan Reddy today. YSR introduced the Rajiv Aarogyashri Scheme, the first State-wide health insurance scheme for families below the poverty line in India, in 2007, seeking to create a pro-welfare, rural-centric image for himself.

The insurance scheme’s ensuing popularity ensured that even when the opposition led by Chandrababu Naidu came to office, they could not roll it back, due to pressure from both citizens as well as hospital associations who benefited from the scheme. Jaganmohan Reddy, as the incumbent CM, has expanded the list of procedures and benefits under the scheme.

These examples indicate a much-warranted shift. We can observe a virtuous loop of political action and voter demand, as has most apparently happened in Rajasthan. What started off as a free medicines and diagnostics scheme has today snowballed into a political plank for both major parties in Rajasthan. Good service delivery arguably leads to loss aversion among the voters, which builds pressure on competitor politicians to continue the scheme, and build on it. Even smaller reforms, such as guaranteeing delivery of medicines, may begin to change the political culture, and eventually lay the path for the State to pursue systemic reform.

Healthcare is by no means an easy issue to fix. Even after 75 years, our health system pushes more than 50 million people into poverty each year, with out-of-pocket expenditure as high as 70 per cent in some States. The Covid-19 pandemic further uncovered the deficiencies of the Indian public health system.

One might expect that politicians would have adequate incentives to care about an issue that affects virtually every voter. Yet, there is a marked absence of mainstream political discourse around health financing, outcomes, human resources in health, etc. This must change, and maybe our politicians, inspired by the examples above, will be incentivised to surprise the voters with a new political agenda involving healthcare.

Author: Nikhil Iyer is Senior Public Policy Analyst at The Quantum Hub Consulting

IT Rules: Content moderation, an alternative

Author: Rohit Kumar
Published: July 16, 2022 in the Economic Times. Full version below.
A lot has been written about the proposed amendments to the IT Rules. Many commentators have raised concerns that the rules go beyond the remit of the IT Act and seek more control of content moderation even as challenges are still pending in the courts. There have also been questions about the government setting up Grievance Appellate Committees and whether that will lead to political interference in moderation and censorship of critical voices.

While all of these are pressing concerns that merit deep consideration, there is also a need to examine the likely impact of the proposed rules on businesses – especially India’s digital startups – and the many administrative challenges that their enforcement may entail.

The press note accompanying the amendments explicitly says that the proposed changes are aimed at establishing stronger accountability standards, especially for the larger social media intermediaries who are perceived to be dragging their feet on compliance. The goal is to get all such intermediaries to set up better systems for grievance redressal and address the challenges presented by unlawful and harmful content being uploaded to their platforms. While this is a well-intentioned aim, the legal framework being proposed to fix the problem is likely to present many operational challenges, besides risking the freedom of speech of India’s digital citizens.

An example is the requirement to remove content within 72 hours of complaint if it is unlawful or harmful under the 10 prescribed (and very broadly defined) categories.

This change is specifically meant to address the issue of virality to ensure that the spread of unlawful or harmful content, including misinformation, is curtailed before it causes significant damage. While it is certainly important to cut the circulation of problematic content, the amendment is overzealous in that it extends the requirement to all intermediaries, irrespective of their size or the potential of virality. Content is usually likely to go viral on social media platforms with significant user bases that allow for large-scale dissemination and sharing of information. Therefore, it is not necessary that smaller social media platforms or intermediaries such as enterprise communication software, video conferencing services and platforms that allow only one-on-one communication, such as matrimony apps, be required to implement 72-hour redressal timelines.

Even on large social media platforms, all complaints may not require expeditious redressal if there is limited risk of virality. The government should therefore consider explicitly defining virality in terms of the width of spread and the pace at which information is getting shared. In the event of a complaint, content that crosses prescribed thresholds could be reviewed on priority. Such a provision is likely to help reduce compliance costs and also increase the efficacy of the grievance process.

Another issue to consider is the structure of the Grievance Appellate Committee (GAC). While the creation of an alternative forum of appeals – outside of the already overburdened judicial process – is well-intentioned, if set up in its proposed form, it is likely to encounter several challenges in its functioning.

Given the volume of users on the internet, the GAC is likely to be inundated with an unmanageable number of requests. Intermediaries also have varying terms of use and functionalities, which could make it difficult for the GAC to assess complaints arising from widely varying contexts. For example, content takedown decisions by social media intermediaries are likely to be different from those taken by online marketplaces or enterprise software like Slack, Zoho etc. Decision making in such a situation is likely to be both cumbersome and time-consuming, making the entire exercise administratively expensive and burdensome.

A potential solution to these issues could be a redesigned, tiered intermediary-industry led appellate mechanism that culminates in the judicial system. To reduce distrust between regulators and intermediaries, and to force platforms to apply their terms of service uniformly, Evelyn Douek of the Harvard Law School proposes that intermediaries be required to put a wall between teams handling grievance redressal and those responsible for profitability/growth and political lobbying. Evelyn’s proposal can be further strengthened by requiring intermediaries to create the first-level appellate committees in-house with independent stakeholders from outside (such as in the case of the Sexual Harassment Act). The second level of appeal could potentially lie with an industry-wide appellate body, though it might be challenging to create a truly independent body that can be insulated from both business interests and political pressures. The final appeal, therefore, must lie with the courts to protect freedom of speech and to insulate the process from interference. This thinking is also reflected in the draft shared by MeitY.

The government could also call for compliance reports on the decisions of appellate bodies to be made publicly available. This is likely to help align incentives for compliance and fairer decision-making.

While policymakers are undoubtedly operating in a challenging environment, the proposed amendments may have several unintended consequences. The government is already consulting stakeholders to overhaul the IT Act in its entirety to equip itself with new tools to deal with the changing tech landscape. Perhaps it is time that this conversation be taken forward at full steam, so that alternative regulatory models can be built ground-up, instead of patchwork through amendments.

The tokenisation regime will affect all businesses that accept cards

Authors: Rohit Kumar and Aishwarya Viswanathan
Published: June 08, 2022 in the Economic Times. RBI has since postponed the deadline to 1st October, 2022.

The payments ecosystem in India is in for a stir. The Reserve Bank of India’s no-card-storage directive, initiated in March 2020, is set to kick in from July 1st, 2022. Starting July, both authorised payment aggregators and merchants will not be allowed to store customer card credentials. Instead, transactions will have to be processed through a card ‘token’ – an alphanumeric code unique to every combination of card and merchant.

Industry insiders largely believe that this move to tokenise is well-intentioned. With access to sensitive card information restricted to fewer players in the ecosystem, the likelihood of a data breach is reduced. However, with less than four weeks left for implementation, many maintain that the transition is unlikely to be seamless and will adversely affect both customer experience as well as payment completion rates.

Note: TQH undertook a range of work on ecosystem readiness for tokenisation, including representations to the RBI, panel discussions, technical explainers and opinion pieces. Please scroll down for the links to these pieces.

The payments ecosystem requires sequential interaction between players (merchants, payment aggregators and gateways, card networks, banks) for smooth end-to-end transaction processing. For the tokenisation regime to take shape, it will require the ecosystem as a whole to demonstrate a certain degree of ‘readiness’. As per industry body NASSCOM, this would mean banks managing at least 80% of the cards in circulation having tokenisation solutions, with stable APIs made available for merchants to integrate with their backend systems. Other bodies such as the Merchant Risk Council add that ‘readiness’ should also mean the ability to simultaneously create and process tokens, while being able to do so at high volumes and across use-cases, especially on days that see heavy traffic such as during e-commerce sales.

Voluntary disclosure on readiness, but hard to verify

So far, a few major card networks, some banks and payment aggregators have stated that they are ready with tokenisation solutions. Some have also indicated that compared to 6 months ago, their systems are much better equipped to handle token provisioning and processing. But while such disclosure by key players is welcome, available information still remains fragmented and superficial; it is also hard to verify. This, coupled with the lack of any official information being made available by the RBI, is creating a trust deficit in the ecosystem at large, and more ominously between co-dependent players.

For instance, it is still not clear if the ecosystem is ready to use tokenised transactions for use-cases such as promotional offers and cashbacks. Merchants are also unsure if they’ll be able to process refunds for customers who choose to make online purchases as guests on a website i.e., without saving card details. Since acquiring banks will not be allowed to store customer card data starting July 1st, they may have no means to track transactions to fulfil refund requests in case of guest checkouts.

The anxiety caused by this information asymmetry is being further aggravated by the ecosystem’s recent experience with RBI’s e-mandate on recurring payments. A media report published in May this year, 7 months after the e-mandate regulations came into force, highlighted that success rates for recurring transactions vary between 30% and 75% and that the experience has been extremely damaging for smaller businesses. An important use case that has still not been solved for is international payments; many foreign developers who sell software subscriptions over the internet have found RBI’s compliance requirements cumbersome and have altogether suspended payments from Indian cards.

Unintended consequences

In this regard, it may be worth noting that the tokenisation regime will affect all businesses that accept cards, unlike the e-mandate which was only applicable to those offering subscriptions. Given that we are still seeing disruptions 7-8 months after the e-mandate kicked in, the disruption post-tokenisation may be significantly more widespread than what was previously experienced.

As the deadline approaches, players in the payments ecosystem are finding other ways to cope with the uncertainty. Some are taking pre-emptive steps to avoid disruption and circumvent compliance requirements. For instance – in a first, Apple said that they will stop accepting debit and credit card payments for both app purchases and subscriptions in India, as well as for payments on ad campaigns – a matter of concern for many small businesses who leverage credit to smoothen cash flows and ensure continuity of operations.

At a time when post-pandemic economic activity is slowly picking up pace, the RBI must recognise that forcing compliance in this manner is likely to disincentivise credit usage – a move that could have broader adverse effects on the economy as a whole.

RBI should demonstrate readiness

The idea of pushing hard for compliance and hoping that the ecosystem will fall in line may not be the best approach to adopt at this time. The RBI needs to demonstrate that the ecosystem is confident of transacting at scale, and across use-cases. As a first step, the central bank must clarify what it considers to be ‘readiness’, and then proactively seek information from ecosystem players to demonstrate the same. Additionally, it must also consider introducing some flexibility in the transition period – perhaps by allowing acquiring banks to store card data till the system stabilizes. This will go a long way in reducing anxiety and ensuring a smooth transition. Moreover, it will guard against other inadvertent consequences for the economy that might stem from impulsive actions by ecosystem players – all of whom are in a haste to comply, no matter the cost.

Related pieces of work

Evaluating Ecosystem Readiness: RBI’s No-Card-Storage Mandate [Medianama, 15 Jun, 2022]

Technical Explainer on Ecosystem Readiness [The Print, 16 Jun, 2022]

Will India Pay for RBI’s hurry [Times of India, 23 Dec, 2021]

Experts weigh in on how RBI’s new digital payment guidelines can impact small businesses [YourStory, 09 Dec, 2021]

The Data Protection Bill puts Indian children at a disadvantage. Here’s how

Over-reliance on parents for consent may curtail internet access for teenagers. The discussion on what is a good age-verification mechanism has been missing from the discourse.
Authors: Aparajita Bharti & Nikhil Iyer
Published: July 02, 2022 in The Economic Times
Imagine a 16-year-old boy getting his first smartphone in a tier-3 city. He has attended school online for two years of the pandemic. He helps his parents download and use new apps. His primary means of shopping is online and he orders for the family.

Contrast this with his 70-year-old grandmother, also a new smartphone user. Like many women of her age, she has had limited formal education and is learning to use messaging and social media apps to keep in touch with her family. Who is likely to be more vulnerable on the internet? And is age, then, a good indicator of a person’s ability to make decisions when it comes to their privacy and safety online?

This is a point of contention for policymakers across the world. Currently, as the Personal Data Protection Bill 2019 stands, any child below 18 years has to effectively obtain consent from their parent(s) or guardian(s) in all cases of their data being processed on the internet. Further, there is a blanket ban on profiling based on children’s data. If this provision remains unchanged, India will be an outlier globally.

In Britain and the US, for instance, parental consent is needed for those below 13, while in China this threshold is at 14. In the EU, the threshold age is 16, with an option for member-states to reduce it to 13. At the other end of the spectrum is Australia. Its Privacy Act, 1988, mentions no age of consent. Instead, consent is valid if the individual has ‘capacity to consent’. Entities handling individuals’ personal information have to decide on a case-by-case basis whether there is capacity to consent and take parental consent if they think fit.

In comparison, the high threshold of 18 years in India is out of touch with reality, and can seriously hamper Indian teenagers from fully experiencing the digital age. Nearly one-third of all internet users in the country were under 18 as of 2020. This number is likely to have increased in the Covid context.

Over-reliance on parents for consent may curtail access for teenagers due to various reasons, including parents’ lack of exposure, gender bias and unhealthy relationships. Further, the discussion on what is a good age-verification mechanism has been missing from the discourse, even as privacy experts concur that it should not itself lead to collection of more personal data and IDs.

Ctrl + Shift to Enter

To resolve this, policymakers could turn to the Convention on the Rights of the Child (CRC), 1989. It exhorts states – their legislative, executive and judicial arms – to act in the ‘best interests of the child’ in all matters pertaining to the realisation of their socioeconomic and political rights. India has upheld the principles of CRC in various legislations, such as the Commission for Protection of Child Rights, 2005, the Right of Children to Free and Compulsory Education, 2009, and the Protection of Children from Sexual Offences, 2012. This approach should also be applied to children’s data protection and privacy.

Britain’s Age-Appropriate Design Code (AADC), in force from September 2021, presents a model. AADC entrusts entities handling children’s data with a positive obligation to give primacy to the interests of the child. It lays down 15 standards, instead of strict dos and don’ts, directing entities to implement ‘age-appropriate’ design. This design should rest on principles of data minimisation, purpose limitation, transparency, avoiding usage of nudge techniques, default settings that safeguard children’s privacy, and so on.

Virtually all entities providing online products or services – apps, programs, websites, connected toys – are covered. AADC acknowledges that the ‘best interests of the child’ may differ on different platforms, depending on each platform’s use-case. For example, risks on a gaming platform may be different than on a video-streaming platform. The code, therefore, encourages platforms to consider their impact on children and build in mitigation strategies.

For example, while evaluating whether and how to process children’s data, entities must consider risks such as physical harm, mental health issues, excessive screen time, exposure to inappropriate content, etc. AADC also gives guidance on different age-verification mechanisms, including self-declaration, artificial intelligence (AI; by assessing usage patterns), third-party verification, and hard identification (through government-issued IDs), which can be applied proportionately to the risks faced by children on the platforms.

While India has a unique socioeconomic context, there are useful lessons from such models. In place of a blanket imposition, the data protection law must make room for a principles-based approach that allows both regulation and innovation to deal with online risks to children. Entrusting all responsibility to adults can prove to be ineffective, given the well-recorded consent fatigue, and lack of understanding among adults themselves.

Instead, regulation must make way for honest conversations among developers, regulators and parents on ‘what constitutes best interests’ of children, and how best it can be enabled on each platform while balancing their security and agency on the internet.

Privacy Policies and Consent are Broken – Here’s How We can Fix Them

Authors: Rohit Kumar & Avi Krish Bedi
Published: June 15, 2022 in The Hindu Business Line
Our data is more valuable than ever. With increased digital penetration, data has undoubtedly unlocked human potential to do a lot more – and efficiently. However, with more data comes a greater risk of misuse, often exemplified by data leaks and the illicit selling of personal data. The discourse on safeguarding our data, including the discussion on the PDP Bill, is emphasizing the primacy of privacy policies and user consent as our key bastions of defense. But, as we become more aware of how businesses and other entities collect, share, and monetize our personal data, we must revisit the structural shortcomings of this approach and consciously work to devise meaningful alternatives to safeguard our privacy and autonomy.

Try recalling the last time you earnestly read through a verbose and jargon-laden privacy policy before consenting to share your data – but don’t beat yourself up over being lax about it. Multiple studies have demonstrated that privacy policies and informed consent are broken. They suffer from three behaviourally-linked problems. First, the transparency/comprehension problem – wherein the verbose legalese used in privacy policies is often incomprehensible to laypeople; this problem is further compounded by low digital literacy in India. Second, the data repurposing problem – where entities do not overtly disclose all the additional purposes for which user data could be used, thereby resulting in ‘function creeps’. And third, the consent fatigue problem – where users, by virtue of having to repeatedly consent to data sharing, are tired of doing so and are therefore unwilling to expend the time and effort required to meaningfully consent.

An over-reliance on this approach has led to the prevalence of a binary “tick-the-box” approach to data protection, rendering “informed consent” perfunctory: while users have the choice to share their data, it is far from being a meaningful choice.

Some solutions posit that data collecting entities should remain legally accountable for any breach or misuse of personal data regardless of whether they obtained consent. To give this approach some teeth, a set of inviolable ‘data rights’ are envisaged. However, the problem remains in implementing and enforcing such rights. As it stands, India still does not have a data protection law, and such rights do not have legal grounding. Moreover, it can be difficult and time-consuming to prove infringements. For instance, if my data is used by AI and IoT for purposes other than what I consented to, how would I actually know? And if I somehow found out, will it be straightforward to mount a legal challenge? Moreover, by the time such a matter is adjudicated on, will any recourse offered be enough to offset the harm already done?

If we were to step back and take another look at the problem, we may be able to find some potential alternatives. Many of the core issues around data privacy are also behavioral in nature; users may wish to secure their data but their intention doesn’t always translate into action. So, by nudging human behavior through better design principles we may be able to unlock human-centric design as a potential solution to better data privacy. By placing people rather than the service-contract at the center of this relationship, we can enable better decision-making.

While designing privacy policies, for instance, UI/UX designers should be included at the very outset of the design process. Their inputs should be used to represent privacy policies visually – to show users how their data is going to be collected and utilized if they consent. Studies have shown that visually representing data flows – through short videos / animations – can make users more aware of what happens to their data when they consent, thereby reducing incomprehensibility and increasing transparency, while also tackling consent fatigue. This also has the added benefit of tackling limited literacy and linguistic diversity in a country like India.

Device makers and operating systems can also be encouraged to implement a ‘master privacy preference setting’ on user devices. Effectively, this will allow users to have a master control panel to preconfigure their data sharing preferences – where they can decide the frequency and type of data they are comfortable sharing in the normal course of online activity. And if a user’s master data sharing preferences do not meet the requirements of an app, they can either choose not to use it, or take time to specifically consent to its additional requirements. On the supply side, such a structure would incentivize the app to minimize data collection or even provide a ‘Lite’ version of their app – with basic functionality requiring only essential data from users – to prevent large-scale user drop-off.

Businesses and other entities can also be incentivized to ethically and responsibly collect data by creating a government-approved market of accrediting agencies. These accreditors can carry out assessments on an annual basis to evaluate privacy policies and other data collection practices on a range of metrics including data minimization, purpose specificity, etc. – to provide score-based certifications / star ratings. A similar mechanism is also envisaged through the ‘Data Trust score’ in the PDP Bill. If well implemented, it can go a long way in addressing the shortcomings we see in the current context.

Privacy policies today remain complicated and inaccessible for many. There is a case to be made to behaviourally nudge users to invest more energy into comprehending and consenting to how their data is collected and used. Even as our lawmakers work towards devising a robust data protection law, we must also empower people and incentivise businesses to meaningfully safeguard privacy and autonomy in the digital realm – creating a win-win for all in the long term.

India’s road to a digital El-Dorado

Authors: Deepro Guha & Aishwarya Viswanathan
Published: April 29, 2022 in the Mint
As of 2021, India had issued over 1.31 billion digital identity cards via its Aadhaar platform, and over 1.1 billion digital vaccine certificates via its CoWin platform. More recently, its Unified Payments Interface (UPI), crossed the $1-trillion mark in transaction values after it recorded 5 billion transactions in a month for the first time in March 2022.

What makes these numbers come alive is the sheer speed at which these digital platforms have achieved this scale of operation. And while this digitisation journey began in 2010 with Aadhaar to empower Indian citizens, in recent times India has discovered that its home-grown digital solutions can not only be leveraged to further its own development agenda, but also support its wider diplomatic efforts.

Aadhaar’s open architecture that allows for scalability and vendor neutrality has already resulted in several countries approaching India to either replicate the model or at the very least take note of its technology to develop their respective digital ID systems. The most recent development on this front includes a grant to Sri Lanka to implement its own digital ID program, modelled on the Aadhaar experience.

In a similar vein, the National Payments Corporation of India (NPCI) – the developer of UPI – is also providing technological assistance through licensing and consulting for building real-time payment systems to countries across the world. This is being done both to help countries establish their own payment systems and to further integrate UPI with international payments infrastructure. So far, Bhutan has adopted UPI standards for its Quick Response (QR) deployment, and Nepal has fully deployed the UPI platform, becoming the first country outside of India to do so. The RBI and the Monetary Authority of Singapore (MAS) have also announced a project to link their respective fast payment systems, UPI and PayNow. In April 2022, BHIM UPI went live across the UAE.

These recent collaborations hint at India’s commitment to nurturing ecosystem efforts to build and strengthen its digital diplomacy. There are two key factors that have enabled India to emerge as a leader in building and exporting such technology.

First, India’s IT sector, which has an estimated value of over US$ 150 billion and employs nearly 4.5 million people, has consistently remained a key driver of economic growth. In fact, India’s talent pool in the ICT ecosystem is also increasingly participating in developing and maintaining India’s digital infrastructure. For instance, the Digital Infrastructure for Vaccination Open Credentialing (DIVOC), an open-source vaccine management platform created by a private collective of technologists, eGov Foundation of India, has been leveraged by other nations, including Jamaica, Sri Lanka, Indonesia and the Philippines, to streamline their Covid-19 vaccination process.

Second, India’s strong political will and deliberative policy making have been crucial in providing high-level direction to steer ecosystem efforts. For instance, the Ministry of Electronics and Information Technology’s decisions to incentivize the use of open technology, through the Policy on Adoption of Open Source Software, Policy on Open APIs, Policy for Open Standards etc., have expedited the creation of digital public infrastructure and digital public goods. An example of the benefits of such technology is the use of open APIs to leverage the Aadhaar database for providing services like eKYC, DigiSign etc.

The government has also recognized the importance of including diverse stakeholders in the initial decision making for building such digital infrastructure. This is crucial, as these are parts of highly technical ecosystems, and thus require specialized administration, which goes beyond traditional bureaucratic expertise. A prime example of this is the creation of an ONDC Council, which comprises experts from bureaucracy, finance, retail trade, coding etc. Once activated, the Open Network for Digital Commerce (ONDC) will allow various e-commerce entities to showcase their products/services on a common platform, thus potentially introducing greater competition in e-commerce in India.

The government’s recognition of the importance of diplomacy led by digital public goods also highlights the key role these instruments will play in an emerging new world order.

For example, in light of growing global risks (like wars, pandemics etc.), creation of such infrastructure in areas critical to the functioning of the global economy (like finance), will both increase India’s resilience and further its strategic advantage. This is why in December 2021, a parliamentary panel proposed India building an alternative to the SWIFT network (which has now been used to impose economic sanctions against Russia in retaliation against its invasion of Ukraine).

Furthermore, building indigenous digital solutions that can create interoperable systems between jurisdictions (like UPI), and potentially reduce compliance, transaction costs etc., can garner global goodwill for India. For example, Estonia’s X-Road open software ecosystem, which has recently allowed for cross border data exchange between Estonia and Finland, is a marker in global standard setting and has allowed Estonia to build impressive soft power in the technology domain.

As the world navigates a new wave of rising geopolitical tensions, the need for building resilience while fostering new forms of cooperation becomes more relevant than ever before. In this regard, India’s advances at laying out its own digital Belt and Road have been noteworthy, and something worth keeping our eyes on.

Data Protection Bill: Don’t mule the unicorn

Authors: Aparajita Bharti & Nikhil Iyer
Published: May 19, 2022 in the Economic Times
The Justice Srikrishna Committee Report on a Free and Fair Digital Economy, which was the basis for the Personal Data Protection Bill, was released in July 2018. Until then, India had 16 unicorns – startups with a valuation of US$ 1 billion or more. Since then, there have been 84 more unicorns (as of May 2022). The upcoming law on data protection, currently under deliberation by the Ministry of Electronics and Information Technology, must create a conducive growth environment so that India’s startup ecosystem keeps thriving.

Broadly speaking, this law will set industry standards for data protection, resulting in enhanced customer trust in the digital economy. However, some provisions in the Personal Data Protection Bill 2019 and the Joint Parliamentary Committee’s (JPC) 2021 report merit a deeper discussion around the implications especially for India’s start-ups.

Startups around the world use various services and plug-ins to conduct their business efficiently, ranging from services that help with sending emails to customers to shipping, marketing, payments, etc. Often, these services are offered by global tech companies, which may be using foreign servers for their purposes and which send processed data back to India to the concerned startup. Going by the JPC’s suggestions, these entities may need to obtain the DPA’s approval for each contract or scheme to be used for cross-border data transfers, and the DPA may deny approval on grounds of ‘public policy’ or ‘state policy’. This is an onerous requirement, which will require substantial resources from both the startups and the Government. It is especially worrisome as the export-focused Information Technology/IT-enabled Services industries are crucial cogs in India’s growth story. Over half of these exports are to the USA, with another quarter to Europe.

There is also immense uncertainty over how non-personal data (NPD) will be regulated. NPD is data which is stripped of any personally identifiable information or which is anonymised, e.g. weather data, geospatial data, telemetry data, travel data, etc. The ability to process this data in innovative and creative ways, often through proprietary methods, is important for startups, and they invest significant technical and financial resources in it. Any law which mandates sharing of NPD is bound to affect their incentives to invest in data collection, storage, analytics, etc., as it will interfere with the companies’ intellectual property rights over their datasets. This provision can also make Indian start-ups less attractive to global funders.

Further, neither the current Bill nor the JPC’s suggestions forbid the Central Government from accessing foreign data once it is in India. This has raised concerns that India may not meet data adequacy requirements – essentially, it may fail to offer adequate protection to data that is imported into India for processing. Indian startups that look to process the world’s data will find these to be impediments, as other countries may forbid their companies from sending citizens’ data to India.

Another cause of concern is for start-ups focused on building products for children. According to the Bill, Indian companies creating products and services for children in edtech, gaming, social media, etc. will have to contend with a high age of consent at 18 years, even as other countries allow children to consent to data processing at a much younger age: 13 in the USA, or 16 years, as under the GDPR in Europe. India’s current Bill also puts a blanket ban on profiling children, making customisation of services difficult, e.g., using AI to offer customised programs for children in a classroom as per their learning abilities – further disincentivising innovation for this target group.

With regulatory ambiguity on key issues, the Indian startup story is at a crossroads today. On the one hand, recent months have indicated that the market is bullish about their prospects, going by the investments they have attracted. Investors have backed startups across a range of sectors – fintech, SaaS, e-commerce, travel, healthcare, education, etc., many of which have become unicorns. On the other hand, by imposing such requirements, we risk tempting Indian founders to register their startups outside India to avoid onerous compliance. An overzealous data protection framework can, therefore, undo decades of progress that the Indian start-up ecosystem has made.

While the Indian government’s aspiration to be a global thought leader in tech regulation is appreciable, straying too far from global benchmarks can have unintended economic consequences. One hopes that the next version of the Bill that the Government brings to Parliament will take into account the aspirations of India’s entrepreneurs, to whom we are looking to create millions of jobs of the future.