wordpress blog stats
Connect with us

Hi, what are you looking for?

Data Protection Bill: Restrictions on cross-border data transfer will hurt Indian start-ups that depend on global tools #NAMA

An average e-commerce platform uses 35 plug-ins, many of which may not be equipped to comply with the law.

Key Takeaways

  • No clarity on how the law will work when Indian businesses use so many global tools
  • Indian companies looking to go global will face a problem with the law
  • The compliance burden might stop companies from offering services in India

“There is certainly a lot of awareness lacking especially among small companies and young companies on how [the Data Protection Bill] is going to impact them. Most of the popular discourse has been around the rights part of the issue. There needs to be a much stronger conversation around how it is going to impact businesses. There is every reason for us to be anxious as businesses,” said Sijo Kuruvilla George, Executive Director at Alliance of Digital India Foundation, in a panel discussion on cross-border data transfers at a MediaNama event— Decoding India’s Data Protection Bill— held on January 19, 2022, in which Prasanto Roy, Public Policy Advisor, Ashish Aggarwal, VP & Head of Public Policy at NASSCOM, Jyotsna Jayaram, Partner at Trilegal, and Rahul Sharma, Founder of The Perspective and Grade Ace also participated.

MediaNama’s discussion on the Data Protection Bill 2021 was organised with support from Google, Flipkart, Meta and Star India, and in partnership with ADIF. To support a MediaNama discussion, please let us know here.

What problems will Indian businesses face?

1. Indian start-ups and entrepreneurs rely a lot on tools that might not be compliant: Nikhil Pahwa, Founder and Editor, MediaNama gave the following scenario of how a business in India might be using tools from around the world and will find it hard to comply with the data localisation mandate:

“If I am targeting the US market for drop shipping from Aliexpress to the US, and I’m running this business out of India, I might be using using Optimizely to optimize my page, I might be using MailChimp to mail my customers, I might be using a bunch of other services to identify products for drop shipping, I might be using PayPal as a payment gateway. In that sort of a global context, how exactly does this work because you know financial data is sensitive personal data here. If you look at Gujarat, and Ahmedabad in particular is a hub for all sorts of WordPress developing outfits that that create most many of the best themes globally. How does all of this survive data localization mandate, like how will those transactions actually take place is something I don’t understand.  Will they actually be able to function?”

In such instances, who is going to be liable, Pahwa asked. “Is it going to be like arbitrary implementation where they won’t go after that small WordPress development outfit out of Ahmedabad, but they might focus on the larger players?”

Adding to this example, George pointed out how Indian companies :

“An average small ecommerce store, right, will have at least 34 to 35 plugins. And these plugins will be different for different ecommerce stores. And we have millions of such stores operating out in the web. So that’s one just to layer that what Nikhil [Pahwa] brought to the table. But if I add one more layer to that, this is probably a business that’s functioning, they have 34 stable things, they are gonna use the next four or five years. But if you look at the way, you know, most young developers or founders have started to play around with right. Every other day you try out new services. And there is a new service, which may or may not be  fully complying with all our norms. And that’s a small startup. And lots of tools are the way in which we optimize productivity.”

2. Indian companies looking to go global will face a problem with the law: “If you’re imagining a future where Indian SAAS companies, Indian startups are going to be global unicorns, then those very companies will face a problem with this law because then they want to optimize things and they want to be near to customers in terms of what they are offering as services and solutions. Then this very law will come and bite them right because it will require them to segment the way they architect their data and solution. So I think that that entire thought process somewhere got a bit of a gloss over when we are thinking about our own domestic economy,” Aggarwal explained.

Advertisement. Scroll to continue reading.

3. Could stop companies from offering services in India: George explained how the norms can deter some companies from having a presence in India because of the compliance burden. “Even a simple Google Form circulated for getting information or let’s say salary levels or whatever, or even gender for that matter, will definitely come into the purview of this particular localization law,” George said. Adding to this, Roy gave the example of RBI-new norms for card information that has left many international players such as New York Times not knowing what to do for their Indian users.

“In the best case scenario, we’ll have compliance solutions by which we adhere to these norms. But in the worst case scenario, we’ll have a lot of companies deciding not to do business in India.  Behind the recent RBI regulation we had a couple of companies saying that, hey, we’re not able to understand how to comply with it, so in the interim, we’re going to stop services to your country.” – Sijo George


  • Relook the categorisation of data fiduciaries and significant data fiduciaries by taking into account millions of young entrepreneurs and developers out there, George recommended. “We have 1000s of solopreneurs, who operate just on platforms by running their businesses. So the challenges that open up in terms of completely sidelining them or just burdening them with additional compliance is could be very high if you don’t get the balance right,” George said.

“Balancing the ability to innovate for the large sections of youngsters will be the engine that powers India over the next decade or more. And that balance, I think it’s sort of missing. […] We have a brilliant opportunity to sort of catapult ourselves into a major powerhouse from the startup sector or anything else and this sort of completely missed that particular board.

  • Invest in awareness and capacity building: There have to be sufficient investments into awareness building, sufficient investments into capacity building, and a very phased implementation so that people have time to get adjusted to it, George recommended. We also need to ensure that as a country there is adequate data infrastructure there to support what the Bill requires, George added.
  • Start a fund to support businesses: “For the telecom sector for increasing service life and everything, we use a fund, an equivalent should be at least conceptualized in terms of getting people equipped in terms of making sure solutions are available. Otherwise, we will have a situation where almost everyone is on the wrong side of the law, and that’s not healthy for just any country for that matter,” George suggested.
  • Don’t hamper innovation: “We have made significant progress in terms of this law and it’s great. But I just think that the objective of maximizing privacy protection should not be something at the cost of hampering innovation. Just even in January, every day, we are counting new tech unicorns and it is going to be a flood when we think of the next decade in that sense. So I think maximizing innovation and maximizing privacy protection if you do that, that’s really the smart way of doing this law,” Aggarwal said.
  • Get key players like cloud service providers on board first: Roy recommended that when there is such enormous complexity in the ecosystem we can follow RBI’s template and have key platforms such as payment gateways and cloud service providers comply and have other companies use the services of these compliant platforms. But George pointed out that this will create antitrust issues as there will be a concentration of a few key players.

“They tell the regulated entities to regulate the others. One example of that is all the third party apps which are regulated through NPCI. And if you know, the NUE, which are competitors to NPCI, the same things will apply to them that all the associated entities and apps and so on will need to be, regulation will be enforced through them. So I think the same thing comes here that startups may be aware that platforms like cloud service providers, etc, will be actually liable.” –  Roy.

Update (Feb 1, 11:00 am): This post was rewritten following editorial direction

Also read:

Written By

I cover several beats such as Crypto, Telecom, and OTT at MediaNama. I can be found loitering at my local theatre when I am off work consuming movies by the dozen.

Free Reads


Paytm has started distancing itself from PPBL in light of the current negative spotlight on PPBL.


The move can be seen as an attempt by Paytm to distance itself from the troubled Paytm Payments Bank, which has been significantly restricted...


"Without Google’s abuse of its dominant position, the media companies would have received significantly higher revenues from advertising and paid lower fees for ad...

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



NPCI CEO Dilip Asbe recently said that what is not written in regulations is a no-go for fintech entities. But following this advice could...


Notably, Indus Appstore will allow app developers to use third-party billing systems for in-app billing without having to pay any commission to Indus, a...


The existing commission-based model, which companies like Uber and Ola have used for a long time and still stick to, has received criticism from...


Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...


Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ