Thursday, July 21, 2016

Privacy concerns in the Aadhaar Act, 2016

by Vrinda Bhandari and Renuka Sane.

On 23rd March 2016, the Government of India enacted the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ("Aadhaar Act"), touted as India's biggest welfare legislation. The Act aims at the targeted delivery of subsidies, benefits, and services by providing unique identity numbers based on an individual's demographic and biometric information. The passage of this Act has been controversial, especially since the Lok Sabha rejected the amendments passed by the Rajya Sabha. Given the magnitude of data collection about individuals that would arise under the Aadhaar system, the law needs strong safeguards about privacy. In this article, we review the law from the viewpoint of concerns about privacy.

In this task, we use the conceptual framework that was constructed in our previous three articles: Protecting citizens from the State: The case for a privacy law (16 February 2016), Elements for the proposed privacy law (9 March 2016) and Analysing the Information Technology Act (2000) from the viewpoint of protection of privacy (18 March 2016). In these articles, we have setup an eight-fold path for evaluating laws from the viewpoint of privacy, which (in turn) builds on the nine privacy principles of Notice, Consent, Collection and Purpose Limitations, Access and Correction, Disclosure, Security, Openness, and Accountability. In this article, we use this approach to think about the Aadhaar Act, 2016.

Component 0: Objective of the law

By virtue of the large-scale and centralised collection, storage and use of an individual's demographic (e.g. name, date of birth, address) and biometric (e.g. iris scan, fingerprint, photograph etc.) information, the Aadhaar Act has great privacy implications. However, the Aadhaar Act does not consider privacy as one of its objectives. The word privacy does not even find mention in the Act. In fact, even the government's arguments in the Supreme Court during the challenge to Aadhaar, make it clear that it (and therefore, the Aadhar Act) does not view privacy as a fundamental right. Thus, while the text of this law is better than the UPA's 2010 draft, it is weak on privacy.

Component 1: Value of personal data

While the Aadhaar Act, on first blush, seems to understand the value of the information it collects, it is not underpinned by an understanding of the right to privacy. As discussed before, laws are shaped by the value we place on personal data, and function on an underlying premise of privacy being valuable in and of itself. However, the Aadhaar Act lacks any understanding or articulation of the  importance of privacy of personal data. Privacy considerations in the Act appear to be a minor afterthought, especially when juxtaposed with the needs of 'national security' which is given prominence in the Act.

Component 2: Scope and ambit of the law

The scope of the Aadhaar Act is a bit unclear since the working of key provisions have been left to regulations that are to be notified in the future. For instance, Section 2(g) of the Act defines 'biometric information' to mean photograph, finger print, Iris scan, or such other biological attributes of an individual as may be specified by regulations. It is thus possible that DNA can be included under this definition, and become part of a centralised government database. The consequences of DNA-based  profiling and its potential misuse are terrifying.

The Act oddly defines 'core biometric information' in Section 2(j), which is the same as biometric information, except that it excludes photographs.

Another example of the lack of clarity is found in Section 23(2)(k), which permits the Unique Identification Authority of India ("UIDAI") to share information about individuals in such manner as may be specified by regulations.

Similarly, Section 29(2) permits the sharing of identity information, other than core biometric information, in such manner as may be specified by regulations. Even more worryingly, Section 29(4) permits the publication and display of an individual's core biometric information or Aadhaar number for purposes as may be specified by regulations.

Together, these examples undermine the idea of a watertight database that will be used exclusively by the government for the purposes of giving subsidies, benefits or services. Even if the first wave of subordinate legislation is drafted with thought and care, the Act leaves the possibility of future changes to these rules and regulations in ways that undermine privacy.

Component 3: Coverage

The Aadhaar Act justifies the collection, storage, and use of personal data on the premise that it is a "condition for receipt of a subsidy, benefit or service", as stipulated under Section 7 of the Act. Thus, the Act is portrayed as covering (or regulating) only the interactions between the State and its residents.

However, a closer look reveals that under Section 57, the Act also facilitates interactions between private parties and residents of India by allowing "body corporate" to use the Aadhaar number for their own purpose. This raises concerns about violations of privacy when UIDAI shares data with private entities.

For instance, TrustID is an app that allows the user to verify any individual using their Aadhaar number, and offers a range of services including pre-employment, credit background, tenants, business partners, employers, and property owners' verification. It is not clear that the information access by TrustID is taking place in ways that protect the privacy of individuals. As Usha Ramanathan notes, many private companies have begun the process of trying to expand and leverage the uses of Aadhaar. The use of Aadhaar by a large number of private persons has long been touted as a contribution of the Aadhaar system to the Indian economy. There may be many conflicts about privacy in this process of expansion.

These applications suggest that the Aadhaar system will not be narrowly limited to the applications described in Section 7. The Act potentially covers everyone. It can include all the transactions conducted between an individual and the State in relation to benefits and subsidies; and the transactions between an individual and a corporate entity, where the private entity uses the Aadhaar number for identification and authentication.

The expanded scope of coverage, along with the absence of protection privacy, implies that this Act has reduced the overall privacy protections enjoyed by residents in India - whether in their interactions with the State to access subsidies/benefits or in their interactions with corporate entities.

Component 4: Collection and retention of personal data

With regard to data collection and its retention, it is important to provide an opt-in/opt-out clause to users, as this is consistent with the 'Choice and Consent' principle. This is particularly important in the Aadhaar Act, given our ownership over our own personal (demographic and biometric) data and the pervasiveness of our biometric data (e.g. we leave our fingerprints wherever we go).

The Aadhaar Act does not provide an opt-out clause, wherein Aadhaar number holders can choose to leave the system (and forego all its benefits) and ensure that their identity information is permanently removed from the Central Identities Data Repository.

Mr. Jairam Ramesh proposed an amendment to Clause 3 of the Bill in the Rajya Sabha, allowing a person to 'opt out' even if they had already enrolled, with the consequence that their authentication, biometric, and demographic information would be deleted from the system within 15 days. Although passed by the Rajya Sabha, the amendment was rejected by the Lok Sabha.

The absence of an opt-out clause is closely related to the issue of retention of personal information inasmuch as there are no time limits for the retention of data. This is unwelcome in light of the inherent non-revocability of biometric information and the fact that traces of our biometric data, for instance fingerprints, are left everywhere.

Component 5: Use and processing of data

The principle of 'Purpose/Use Limitation' is lacking in the Act. For instance, Section 33(2) carves out an express exception to Section 29(1)(b)'s stipulation of "using" core biometric information for any purpose other than generation of Aadhaar numbers and authentication under this Act if it is in the interest of [undefined] `national security'.

Section 3(2) and Sections 8(2)(b) and 8(3) of the Act require the enrolling agencies to inform the individual about the manner in which their information shall be used and shared and ensure that their identity information is only used for submission to the Central Identities Data Repository.

At first blush, thus, the Act seems to incorporate principles of 'Purpose Limitation', especially since Section 41 imposes a penalty on the requesting entity for non-compliance. However, the lack of an effective enforcement mechanism, as discussed later, undermines these provisions. For instance, the Act does not detail how an Aadhaar number holder can escalate the issue (since only the UIDAI can file a complaint) or what standard will be used to determine whether the requesting entity has provided the information in a clear and suitable manner.

Further, the Aadhaar number holder's identity information can be used both by the State and body corporates, without any further regulation governing the use by third parties.

Component 6: Sharing and transferring of data

This component of privacy design focuses on the 'Disclosure' principle, namely the sharing of personal data with third parties. In the case of Aadhaar,  this entails the identity information of the Aadhaar number holder. One of the most controversial sections of the Aadhaar Act is Section 33, which provides for the disclosure of information, including identity information or authentication records, under certain circumstances.

Section 33(1) permits the disclosure of such information pursuant to a judicial order by a Court not inferior to that of a District Judge. Nevertheless, the proviso only requires a hearing to be given to the UIDAI, and not to the Aadhaar card holder, whose information is being disclosed. Consequently, this deprives the individual of their essential right to be heard.

Section 33(2) is even more controversial because it makes an exception to the security, confidentiality and disclosure provisions on the direction of the Joint Secretary in the interest of national security. Such a direction has to be reviewed by a three member 'Oversight Committee', consisting of the Cabinet Secretary, the Secretary of the Department of Legal Affairs and the Secretary of the Department of Electronics and Information Technology. The second proviso further provides that such a direction shall be valid for three months, after which it can be reviewed and extended every three months. This is problematic for various reasons.

  1. As Mr. Jairam Ramesh and Mr. Sitaram Yechury noted while moving an amendment to Section 33(2), "national security" is an undefined term, and thus there is no transparency concerning covert surveillance. Consequently, the Rajya Sabha passed an amendment to replace the phrase "national security" with "public emergency or in the interest of public safety" (as is present in the Telegraph Act dealing with wiretapping). Unfortunately, this amendment was rejected by the Lok Sabha, and Section 33 remained as is.
  2. The scope of Section 33 is vague and it seemingly permits, and even facilitates, the furnishing of personal information to any third party, if it is in the interest of `national security'.
  3. The Oversight Committee is basically a committee of three Executive nominees. Thus, the possibility of effective oversight remains low. 

Component 7: Rights of users

As discussed previously, the right to access and correct one's own information, the right to data breach notification, and the right to data portability are extremely important from the perspective of the user.

Unfortunately, the Aadhaar Act does not grant these rights to the Aadhaar number holder. With respect to the right of access, it is instructive to examine the proviso to Section 28(5) of the Act, which states that an Aadhaar number holder may "request" (not demand) the UIDAI to provide access to her identity information. Nevertheless, the proviso excludes requests for her core biometric information.

It is unclear what the powers of the UIDAI are to accept or deny such a request or why a carve out has been made to restrict access to one's own finger print/iris scan, especially considering they can be wrongly entered in the system, as has been documented in Rajasthan (where the biometric information of potential food ration beneficiaries did not match the data stored on the Aadhaar servers).

Correction or change of demographic information (e.g. on getting married) or biometric information is governed by Section 31 of the Act, which requires the Aadhaar number holder to "request" (not demand) the UIDAI to alter such information in their records. The section states that the UIDAI, on the receipt of such a request, "may, if it is satisfied" make such changes. It is unclear what the standard for such "satisfaction" is, and the Act does not prescribe any statutory penalty or means for judicial redress for the delay/failure to act. Given the centrality of the Aadhaar number in linking various databases and services, such truncated rights of access and correction are worrying.

The Aadhaar Act also fails to prescribe 'data breach notification' requirements, mandating the UIDAI to inform an individual, the Aadhaar number holder, that their identity (biomentric and demographic) information has been shared or used without their knowledge or consent. Similarly, there is no concept of 'data portability' since information cannot freely be transferred amongst different service providers, since there are no alternatives to the UIDAI.

Component 8: Supervision and redress mechanisms

Effective supervision and redress mechanisms require individuals to be informed when there is a breach of confidentiality or disclosure of their personal information.

Section 47 of the Act prescribes that only the UIDAI or its authorised officer can file a criminal complaint under the Act. Thus, all the criminal penalties prescribed under the Act (e.g. for disclosing identity information under Section 37 or for unauthorised access to the Central Identities Data Repository under Section 38) can only be initiated by the UIDAI, and not the aggrieved Aadhaar number holder.

Consequently, even though the Act prescribes civil and criminal remedies for unauthorised access, use, or disclosure by the prescribed authority, the criminal remedy is not available to the aggrieved Aadhaar number holder. Such a person only has recourse to civil law, and the fines prescribed under the Act.

Unfortunately, a conjoint reading of Sections 28 and 47 of the Act disclose the possibility of conflict of interest since it may be in UIDAI's interest to cover up breaches of privacy. Without the UIDAI's proactive action, an individual Aadhaar number holder is left without remedy.

Section 30 of the Act treats biometric information as "sensitive personal data or information", as understood in Section 43A of the Information Technology Act. The treatment of such information under the IT Act has been dealt with in detail in our previous post. The IT Act itself fails to handle sensitive personal data or information in ways that embed privacy concerns.

Finally, as discussed in the sections above, the supervision mechanism for one of the Aadhaar Act's most controversial sections (Section 33), is the constitution of an 'Oversight Committee'. This Committee is tasked with reviewing the disclosures made in the interest of `national security', and thus serves to fulfill the 'Accountability' and 'Security' principles of privacy law. However, this three member Committee comprises of three government bureaucrats, especially after the Lok Sabha rejected the Rajya Sabha amendment to include either the CVC or the CAG as part of the Committee.


In this group of four articles, we have established a systematic eight-fold path for analysing laws from the viewpoint of concerns of privacy. We have used this framework to analyse two laws: The IT Act, 2000, and the Aadhaar Act, 2016. Both these laws have important failures in enshrining privacy. These laws thus hamper India's emergence as a mature democracy.

Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the Indian Statistical Institute, Delhi.

Author: Vrinda Bhandari

Vrinda Bhandari is a practicing advocate in Delhi.

Monday, July 11, 2016

The gains to US GDP from a Doing Business score of 100

by Dhananjay Ghei and Nikita Singh.

Can a country achieve growth by implementing large pro-business reforms? If yes, then how much growth is really possible from such reforms? In a recent WSJ op-ed, Cochrane takes a stab at this question for the United States. Using data from the World Bank's ease of doing business index, Cochrane claims there is a log-linear relationship between GDP per person and business climate. By extrapolating this relationship out of sample, he predicts that the US would register a 209% improvement in per capita income (or, 6% additional annual growth if the required reforms are implemented over the next 20 years) by achieving the ease of doing business index value of 100.

Brad Delong disagrees. He fits a fourth-degree polynomial on the same data. He justifies this on the grounds that the third degree coefficient is negative and statistically significant. His forecast shows that an increase in the index value beyond 90 would actually lead to a lower GDP per person. Figure 1 juxtaposes the log-linear and polynomial regression fit, and we can see how the two views are sharply different. The straight line yields higher and higher GDP as you go to 100; the polynomial droops off at the end.

Figure 1: The analysis of John Cochrane and Brad DeLong

Areas of concern

There are many areas of concern with this analysis:

  1. Assuming linearity is surely a stretch. But polynomial regressions are a bad way to deal with nonlinearity. In particular, polynomial regressions are very fragile at the end points. This can be easily seen in Figure 2 as the prediction interval increases at edges of the data. In addition, extrapolation using a polynomial is almost always sure to give a wrong answer as the curvature of the polynomial is unidentified outside the sample.
  2. Using a cross-sectional regression with one variable is a poor guide to the causal relationships. Labour and capital matter to GDP per capita. There are stark differences in law and governance, institutions and culture across countries; it is unlikely that the doing business score is a sufficient statistic.
  3. Hallward-Driemeier and Pritchett (2015) show that the "doing business index" is not a good reflection of how the laws on paper are implemented in reality. The main point of their argument is that better de jure regulations do not necessarily imply improved de facto outcomes specially when a country has weak governmental capabilities for implementation and enforcement. Even if the US does well on the rule of law, and this gap between rules and deals is absent, this is a serious issue for many (most?) observations in the dataset.

Figure 2: The 95% prediction interval for the polynomial regression

Can we do better?

Criticisms 2 and 3 are hard to handle. But a little bit of statistics helps us do better on the first. We use non-parametric regression as a way to have nonlinearity in the relationship between business climate and GDP per person without having to take a stand on a particular functional form. This involves three steps:

  1. Selecting an optimum bandwidth using cross-validation
  2. Estimating a nonparametric model using the chosen bandwidth
  3. Tests of statistical significance and specification

We use a second order Gaussian kernel and fit a local linear estimator to identify the functional form in sample. Business climate is significant at 1% level in the local linear non-parametric model. Moreover, based on a lower cross validation score, the non-parametric regression is favoured.  In addition, we do a bunch of robustness tests by changing the type of kernel and regression. The results do not change much in either of the cases. These calculations were done in  R using the np package.

Figure 3: Non-parametric regression gives us the best of both worlds

The results, shown above, show that there is nonlinearity in the data. The linear model used by Cochrane is not appropriate. But we're better off as compared with using a polynomial regression; the confidence interval is tighter at the edges.

Figure 4 superposes the three models. The coloured dots show the predicted value of GDP per person using the three different specifications when the doing business index takes the value of 100.

Figure 4: Comparing the three predictions

Our nonparametric estimate shows that gains from achieving a score beyond 90 are increasing and somewhere in between Cochrane and DeLong's numbers. Cochrane predicts that the US would achieve 6% additional annual growth for 20 years by moving to a score of 100. If we go out of sample to estimate using the nonparametric fit, this shows an annual growth of 2.22% for the next 20 years. This is not something to laugh at, but it's a smaller, and we think a more plausible estimate.


Hallward-Driemeier, Mary and Lant Pritchett. 2015. "How Business Is Done in the Developing World: Deals versus Rules." Journal of Economic Perspectives, 29(3): 121-40.

Tristen Hayfield and Jeffrey S. Racine (2008). Nonparametric Econometrics: The np Package. Journal of Statistical Software 27(5). URL

Dhananjay Ghei is a researcher at the National Institute of Public Finance and Policy. Nikita Singh is a MRes. student at London School of Economics and Political Science. The authors thank Ajay Shah for valuable discussions and feedback.

Interesting readings

Worst case analysis for the banking crisis by Ajay Shah in The Business Standard, 11 July.

The Human Cost of Zoning in Indian Cities by Shanu Athiparambath in The Fee, 10 July.

The Silent Role of Credit Ratings in India's Bad Loan Crisis by Praveen Chakravarty in The Bloomberg Quint, 08 July.

For friendlier laws by Bibek Debroy in The Indian Express, 07 July.

Flying an unregistered drone in Ghana could send you to jail for 30 years by Yomi Kazeem in The Quartz, 07 July.

Bill seeking to amend Sarfaesi Act, 2002 needs to be reconstructed by ET Edit in The Economic Times, 06 July.

"I would like to share some sad stories from economics related to these issues" by Andrew Gelman in Statistical Modeling, Causal Inference, and Social Science, 06 July.

Central banks as 'pawnbrokers' by Suyash Rai in The Business Standard, 05 July.

Meet Justice Sanjay Kishan Kaul, who defended Perumal Murugan and MF Husain by FP Staff in The First Post, 05 July.

India offers rupee-dollar market on a platter to Dubai, Singapore by Mobis Philipose in The Mint, 05 July.

When Gujarat's Kachchhi Traders Had the World in Their Palms by Tirthankar Roy in The Wire, 04 July.

RBI should not regulate asset reconstruction companies by Pratik Datta and Rajeswari Sengupta in The Business Standard, 02 July.

We are still not a fully open, competitive economy... too much government interference: P Chidambaram by Shaji Vikraman in The Indian Express, 06 July.

National Doctor's Day: Greed, lack of firm laws allow unethical practices to flourish by Dr P. Raghu Ram in The First Post, 01 July.

Asset quality and bank loan ratings by Harsh Vardhan in The Mint, 01 July.

Regulation of the medical profession by Gopinath N. Shenoy in NIPFP YouTube Channel.

Against Prestige by Robin Hanson in The Overcomingbias Blog, 30 June.

A Rant on Peer Review by George J. Borjas in The Labor Econ Blog, 30 June.

Luck Runs Out for a Leader of 'Brexit' Campaign by Sarah Lyall in The New York Times, 30 June.

Inflation targeting: A long way to go by Rajeswari Sengupta in The Mint, 29 June.

Time has come for 'Move India' by Pradeep S. Mehta in The Hindu Businessline, 29 June.

The Multiplier Debate and the Eurozone Crisis by Joshua Felman on NIPFP YouTube Channel.

'Badass Librarians' Foil al Qaeda, Save Ancient Manuscripts by Simon Worrall in The National Geographic, 12 June.

Integrating Regulatory Impact Assessment in lawmaking in India on NIPFP YouTube Channel.

Dissenting Diagnosis by Arun Gadre and Abhay Shukla on NIPFP YouTube Channel.

Friday, July 08, 2016

Tata-Docomo: What went wrong, and what we need to do different

by Bhargavi Zaveri and Radhika Pandey.


An international arbitration tribunal recently reportedly ordered Tata Sons to pay $1.17 billion to NTT Docomo for breach of a contract between Tata Sons and Docomo. The contract obligated Tata Sons to buy back the shares held by Docomo in Tata Teleservices at a pre-agreed price that was higher than the `fair market value' of Tata Teleservices. Paying Docomo this price for its shares would have violated the regulatory framework governing capital controls in India, which prohibits a non-resident from 'putting' her shares on a resident at a pre-determined price.

The Tatas had reportedly applied to the Reserve Bank of India for an exemption from this restriction. RBI was reportedly keen to allow a one time exemption from its regulations. An earlier article on this blog expressed concern about an individual transaction being exempted from FEMA: while such an exemption may bring temporary cheer to an individual investor, it is more important to (a) stick to the rule of law; and (b) fix the mistakes in FEMA, as opposed to applying discretion in exempting some persons from the the bad law. When the matter was referred to the Central Government, the Central Government argued against case-by-case departures from the law, exhorted RBI to carry out deeper regulatory reform, and refused to grant this ad-hoc exemption.

Now we have the arbitration award. This arbitration award will likely lead to the following fall-out:

  1. Docomo will apply for enforcement of the award in India.
  2. Tata will argue that the pre-agreed contractual price cannot be paid, as it violates the laws governing foreign exchange transactions in India.
  3. If the Indian court refuses to allow the award to be enforced, the global press will write about the repercussions of this on India's competitiveness as an investment destination.

This situation is likely to come up in all transactions where foreigners seek to exit their Indian ventures by asking their Indian partners or the Indian company to buy-back the shares held by the foreigners at a contractually agreed price. The root of this problem lies in the capital controls framework which imposes restrictions on the manner in which a foreigner may exit from an Indian venture.

In this article, we argue that the restrictions on the exercise of put options by non-residents lacks an economic rationale. We then attempt to sketch a broad outline for designing a clean and coherent legal framework for governing capital controls in India.

Put options as an exit mechanism

Put options are a very common tool for exiting an investment. Typically, in an investment agreement, investors negotiate several time-bound exit rights for themselves, such as:

  1. Exit by an IPO or offer for sale by existing shareholders on the exchange - The investee company will list and the investor will sell her shares pursuant to the listing.
  2. Put or buy-back options - The investee company or the Indian promoter will buy or procure a buyer for, the shares held by the non-resident. The timing for the exercise of such options is linked to specific triggers. For example, in the Tata-Docomo agreement, Docomo reportedly had an option to put its shares on Tata within three years at half the value of the orignal investment. Similarly, investors often negotiate a put option linked to the investee's failure to achieve performance targets and the like.
  3. Tag and drag along rights - Depending on the stake held, the investor may negotiate a right that where any other shareholder in the investee company sells her shares, the selling shareholder will be bound to ask the new purchaser to buy the other shareholders' stake as well (i.e. the investors 'tag along' with an exiting shareholder). Where the investor sells her stake, she may require another shareholder in the investee company to also sell her shares to the same purchaser (i.e. the investor may 'drag along' another shareholder).

Flip-flops on put options

From a capital controls perspective, RBI had reportedly been objecting to the creation of put options in favour of non-residents prior to 2011, even when the law did not explicitly prohibit the creation of such rights. Thereafter, on September 30, 2011, the Department of Industrial Policy and Promotion (DIPP) issued a press release declaring that a put option in favour of non-residents would be regulated like an external commercial borrowing (which, at that time, meant that it would be regulated under the framework applicable to foreign currency denominated borrowings). DIPP mandated that:

Equity instruments issued/transferred to non-residents having in-built options ... would lose their equity character and such instruments would have to comply with the extant ECB [External Commercial Borrowing] guidelines.

This effectively meant that the proceeds of such shares could be used only for permissible end-uses and that there would be a cap on return on such equity, etc. After a month of heavy lobbying by parties that had already contracted such rights, the DIPP withdrew its restriction. After more than a year of uncertainty on this issue, RBI issued a circular which represented a somewhat compromised position by allowing put options in favour of non-residents, subject to certain conditions:

  1. The non-resident investor should have been locked in for a minimum period of one year, that is, she cannot exercise the put option unless she has held shares in the company for atleast a year.
  2. The non-resident should exit without an assured or pre-agreed return. This restriction fundamentally defeats the reason for negotiating a put option which is intended to protect the investor from a downside.
  3. Until 2014, the price payable to a non-resident when she 'put' her shares on a resident, could not exceed return on equity (calculated as Profit After Tax divided by Net worth) as per the latest audited balance sheet of the investee company. From 2014 onwards, the price cannot exceed the fair market value of the shares arrived at as per any internationally accepted pricing methodology in the case of unlisted companies and the price of the shares on the floor of the exchange in case of listed companies.

The futility of restrictions on rupee-denominated instruments

The claimed reason offered for restricting non-residents from obtaining an assured pre-agreed return on the exercise of put options is: a put option with a pre-agreed price would make the contract akin to debt. As RBI has a relatively stricter regulatory framework governing issuance of debt instruments by Indian residents to non-residents, allowing non-residents to obtain an assured return on put options would allow them to circumvent the RBI-framework governing debt. This argument is incorrect at several levels.

If there is an equity spot asset at $S$, and there is a put and call option at an exercise price $X$ on date $T$, where the options are valued at $P$ and $C$, and the interest rate is $r$, then put-call parity tells us that $S+P = C + X(1+r)^{-T}$. In other words, a spot investment that's risk-managed using a put option is not tantamount to a bond. It's tantamount to a complicated combination of a bond and a call option.

The rights in a default situation are different. There is neither any underlying security if the company or the promoter defaults on the put nor does the default on put give the non-resident rights which a creditor generally has (such triggering dissolution, etc.).

Even if you ignore the call option part, and focus on the rupee debt, the rationale for capital controls on these is absent. There is no systemic risk arising from foreign investment in Rupee-denominated instruments, where the currency risk is borne by a non-resident. As explained in the Report of the Committee to Review the Framework of Access to Domestic and Overseas Capital Markets (popularly referred to as the Sahoo Committee Report on External Commercial Borrowings), systemic risk is limited to the situations where the currency risk is borne by the resident. When a firm undertakes foreign currency borrowing, its balance sheet is exposed to exchange rate fluctuations. If there are numerous firms that undertake foreign currency exposure that is not hedged, there is a possibility of co-related failure in the event of a large exchange rate movement. However, a rupee-denominated loan by a non-resident to an Indian resident is akin to a loan given by an Indian resident to another Indian resident. We do not impose any restrictions on the contractual arrangements involving put options amongst residents.

In keeping with this thinking, the regulatory framework for Rupee-denominated borrowings has been relatively liberalised in the recent past. For instance, there is no cap on the interest rate that can be charged by a non-resident for the Rupee-loans advanced by her to the Indian borrower. In light of such liberalisation, there is no case for continuing with the same restrictive regime for put options, under the apprehension that parties will structure debt flows as equity with put options.

Transitioning toward a clean regulatory framework for foreign capital flows

In India, there are multiple levels of capital controls through different methods such as sectoral caps to control quantum of inflows, conditionalities to control kind of inflows and end-uses, exemptions for certain investment routes, penalising other investment routes, etc. Restrictions of this kind do not belong in an aspiring emerging market.

An extensive academic literature has hypothesised that economic agents learn to evade capital controls over time (Browne and Mcnelis (1990), Mathieson and Suarez (1991) and Patnaik and Shah (2012)). We in India take cognisance of the methods agents employ, and impose further controls to plug such evasion, adding hundreds of pages of complicated law and bureaucratic overhead. This complex maze of restrictions increases the costs of administering the law on capital controls, increases transaction costs for economic agents and fails to address the real issue where capital controls have value: the systemic risk associated with unhedged foreign currency denominated borrowings.

The story of restrictions on put options is revealing: (a) RBI created a restrictive framework for foreign denominated debt that lacked economic rationale; (b) It then suspected that economic agents were structuring their transactions as put options on equity to over-ride the restrictions. This was followed by uncertainty on the enforceability of such put options. (c) RBI modified the law to alter contractual rights of parties that had contracted put options on rupee-denominated instruments, thereby vitiating genuine transactions along with suspected ones which may have intended to evade the law. (Also, see another recent example being played out in China.)

This regulatory risk and cost of dealing with bureaucracy is driving up the cost of doing business in India. Unless we undertake deeper reform, we will see this story playing out time and again. This calls for a neat and coherent legal framework of the kind codified in the draft Indian Financial Code Version 1.1, which, in turn, is a culmination of the U.K. Sinha-led Report of the Working Group on Foreign Investment and the Justice B.N.Srikrishna-led Financial Sector Legislative Reforms Commission. This clean framework is based on three core principles:

  1. Barriers, if any, on inflows must be placed at the point of entry. For example, sectoral caps are a barrier at the point of entry.
  2. Once the entry barrier is crossed, all investments of a kind, whether made by residents or non-residents, must be treated equally. For example, local sourcing norms must not be imposed on non-residents if they are not so imposed on residents. Put options must be allowed in favour of non-residents if they are so allowed for residents.
  3. Government approval for an investment, if at all, must be mandated only for considerations of national security, that is, for investment in critical technology and critical infrastructure.

The Finance Act, 2015 amended the Foreign Exchange Management Act, 1999 to allow the Central Government to regulate all capital flows which did not constitute debt. This was a major milestone in Indian financial reform. The power to transition the current regulatory framework into a clean law, to the extent applicable to flows which are not in the nature of debt, now vests in the Ministry of Finance. An extensive body of work in this field has been done in the last decade. The time is ripe to start implementing it and avoiding more Tata-Docomo like disputes and the ensuing damage to India's competitiveness as an investment destination.


Donald J. Mathieson and Liliana Rojas-Suarez, Liberalization of the Capital Account: Experiences and Issues, IMF Working Paper (1992).

Browne, Francis and Paul D. Mcnelis, Exchange Controls and Interest Rate Determination with Traded and Non-traded Assets: the Irish-United Kingdom Experience, Journal of International Money and Finance, Vol.9, No.1 (March 1990), pp. 41-59.

Ila Patnaik and Ajay Shah, Did the Indian capital controls work as a tool for macroeconomic policy, IMF Economic Review, Vol. 60, Issue 3 (September 2012), pp. 439--464. The authors are researchers at the National Institute for Public Finance and Policy.

The authors are researchers at the National Institute for Public Finance and Policy.

Wednesday, June 29, 2016

Google banning advertisements of payday loans: Is this vigilante justice?

by Ajay Shah.


The State must have a monopoly on violence. In democracies, the coercive power of the State is enveloped in the rule of law. There is separation of powers: Parliament writes criminal law, the Police enforces this law, and a judge awards the sentence. Laws are legitimate either when they are written by Parliament (where legislators have won elections), or when narrow authority for drafting subordinate legislation is given to officials along with a sound regulation-making process. The accused knows the law, is given a hearing, and must be proven guilty beyond all reasonable doubt. The order must be written through a quasi-judicial procedure. It cannot merely hand down punishment; it must be a reasoned order. The accused must have the ability to appeal the order.

Most States are flawed creatures, and many of these things do not work correctly at present. As an example, these foundations of liberal democracy are found in the Indian Financial Code but not in the existing financial law and financial agencies. But the previous paragraph gives us a compact sense of the machinery of sound liberal democracies. The problem faced in constructing this civilised behaviour is politicians and officials who desire unaccountable power [example].

Vigilante justice

There are other ways in which we can go astray. One of them is to slip into vigilante justice: where coercion is imposed by ordinary citizens. A mob who beats up a person who is accused of a crime is a throwback to the medieval ages. It is not rule of law.

We have to be vigilant in detecting and blocking vigilantism. As an example, consider the RBI concept of `Wilful Defaulters'. Under this framework, private persons are supposed to identify `wilful defaulters', and once this is done, the coercive power of the State is used to force all private persons to punish the chosen one. However, private persons cannot run a rule of law process to identify wilful defaulters in a fair manner. This regulation puts the coercive power of the State in the hands of private persons; it is tantamount to State-sanctioned vigilantism. It is not rule of law.

Google and payday lenders

From this perspective, we should worry about Google blocking advertisements of payday lenders. This falls in the context of Google blocking ads by many kinds of sellers.

Google would say: But we are not the State; we're just your friendly local restaurant that decided to stop selling sugar water. It is the legitimate right of a firm to do business with those that it likes. E.g. an ordinary firm can decide that it does not like to do business with (say) Christians. The reason for concern is that things are different with a dominant player like Google. If Google decides to block ads by person X, that matters disproportionately, as Google has something like 70% market share in digital advertising in the US and very large market shares in most countries of the world.

Checks and balances of the State are missing. Because Google is so important in shaping the way people access Internet content, this action by Google is uncomfortably akin to State action which prohibits advertisements of payday lenders. Action by Google, who is a corporation and is not the State, is faulty in that Google does not work by the machinery described in the first paragraph:

  • Preventing a private person (a payday lender) from showing me advertisements is coercion. This should be the monopoly of the State.
  • Google chooses what industries are harmful for consumers. This `legislative' power is illegitimate as it is not grounded in Parliamentary law.
  • The persons who are adversely affected have no recourse. to the due process of law.

Are you sure? Some people believe that the end justifies the means; they are convinced payday lending is bad, and don't care how it is obstructed. But who can know these things for certain?  As an example, many people believe that micro-finance lending in India suffers from problems similar to those of payday lending in the US. However, careful research on this question has shown that this preconception is wrong. The realities of these complex questions generally go beyond media viewpoints. What if payday lending is actually good for the people who buy it? We are protected from mistakes by the deliberative and public legislative process, where diverse viewpoints are debated in public. Google is a private person and is not required to use such a legislative process. This makes their do-gooding dangerous.

A slippery slope. Today it is payday lending. What comes next? Humans follow ads shown by Google in all sorts of self-destructive ways. Humans use Google search to find ways to inflict pain and harm upon other humans. Google does not kill people, people kill people.

A more appropriate stance. In other contexts, Google has been more careful. Examples include child porn and sex determination ads, where the decision to coerce is grounded in the State, and Google is just taking instructions. Their behaviour on payday lending is out of line when compared with their own restraint in these other situations. Google appears to now be doing a lot of censorship, which raises important questions such as this one.

If payday lending is bad for its customers, how should it be tackled?

If payday lending has problems, the solution to this lies in financial regulation. This is the business of the State, and not a do-gooding IT company. The machinery of consumer protection in the Indian Financial Code is the mechanism through which the State should exercise coercive power and diminish the damage that payday lending can potentially do. This must be a deliberate and careful process, with checks and balances.

I thank Naman Pugalia and Renuka Sane for useful discussions.

Monday, June 27, 2016

Interesting readings

Great institutions, not great men by Ajay Shah in The Business Standard, 27 June.

Across the aisle- Economic reforms: Act I, Scene I by P Chidambaram in The Indian Express, 26 June.

A Brexit conspiracy theory nails the no-win situation Boris Johnson now finds himself in by Indrani Sen in Quartz, 25 June.

As stray elephant dies soon after capture, lessons from the Anamalais in containing animal conflict by Anand Kumar in Scroll, 23 June.

India sets new record in space mission; PSLV C34 successfully injects 20 satellites into orbit by U Tejonmayam in The Times of India, 22 June.

In Berlin, Unraveling a Family Mystery by Ralph Blumenthal in The New York Times, 22 June.

How to smear your enemies and silence your critics, Chinese Communist Party style by Ilaria Maria Sala and Heather Timmons in Quartz, 22 June.

Prof who criticised Modi, Irani jailed over Lord Rama comments by Cynthia Stephen in The Hindustan Times, 21 June.

Why Uber Keeps Raising Billions by Andrew Ross Sorkin in The New York Times, 20 June.

Focus on how to man institutions by Somasekhar Sundaresan in The Business Standard, 20 June.

How Raghuram Rajan won over the union workers at RBI by Joel Rebello in The Economic Times, 20 June.

How American Politics Went Insane by Jonathan Rauch in The The Atlantic, July-August 2016.

Thursday, June 23, 2016

India needs drones

by Shefali Malhotra and Shubho Roy.

The two vital raw materials that went into the Indian software miracle was access to computer hardware and access to data communications. The first became possible when customs tariffs were removed, and the second became possible by opening up to private and foreign telecom companies. When thinking about another new industry, drones, it's useful to imagine: What would have happened to the Indian software industry if the coercive power of the State was deployed to ban computer usage by civilians? Registering to fly a drone in Nigeria costs \$4,000 and \$5 in the US. So far,  India has banned all civilian use of drones, i.e. the cost of registration to fly a drone in India is much higher than that in Nigeria.

Drones have a variety of civil/commercial applications. In areas like crop insurance, soil mapping, disaster, conservation, traffic management, crowd management, photography and filming, drones may be a game changer. All these applications are hobbled by the ban.

The DGCA has come up with draft regulations which is designed to allow civilians to use drones. These draft regulations are not accompanied by an analysis of the costs of complying with the regulations. Moreover, these regulations do not seem to consider the needs of a nascent industry. Consequently, drone applications will remain extremely expensive in India. Capabilities in technology flow from a vibrant user community which demands increased sophistication; as long as India does not avidly use drones, we will not become designers and makers of drones. India's expertise in software and technology gives India an edge in this important emerging area. However, if the regulatory regime is hostile to the development of technology; India will soon fall behind.

One example of an application of drones: Crop insurance

Insurance depends on verifying two facts. Did the insured event actually occur? And how much was the damage (monetary terms) to the insured? Today, when a Haryanvi farmers' crop gets ruined by hail, there are two problems for the insurance company and the farmer. First, did the hail storm actually take place? India does not have accurate village/taluka level weather data. Second, how much of the crop was actually damaged by the hail storm and not removed by the farmer to inflate the insurance claim? Answering these questions in rural Haryana is not easy.

While these facts could be ascertained by sending persons called "claim verifiers/processors" to farms, it is very costly to send individuals to each insured farm on repeated visits to verify claims. As farm sizes are small, the transaction costs of settling insurance claims become very high. This in turn makes insurance commercially unviable for insurers or the premium is too high for farmers to pay.

Drones can change this industry for the better and make crop insurance much cheaper for the insurance company and the farmer. Here is the arrangement that can be used.

When the farmer makes the initial purchase of insurance, an agent of the insurance company would map the latitude-longitude of borders of the farm. The insurance company can charter high altitude drones to collect accurate weather data. Lower flying drones can take high resolution pictures of the farm right after an insured event (hail storm) takes places. These photographs can allow an insurance company to establish if the hail storm actually damaged the crops and also the extent of damage.

Drones will be substantially faster, cheaper and probably more accurate than human verifiers. Drones can also cover much larger areas in much lesser time than individual human claim verifiers. The high quality aerial images can be processed by computers to determine whether the damage was by hail (rather than being a false claim where the crop had been harvested) and even the extent of damage. The insurance company can process the information and transmit the insurance payout directly to the farmers account. No human intervention. In future disputes about insurance claims, these high quality images can form the best evidence to determine the truth.

This is not just a hypothetical illustration. It is coming about in India.

Some other application areas

Farmers in other countries are already using drones to identify soil conditions, health of crops, watering needs, etc. Some of these drones cost less than Rs.5000 [link].

Farmer in China spraying crops using a drone

India has one of the lowest police to citizens ratio. Drones can increase the effectiveness of the few policemen. Common policing work like crowd management, traffic, security in large events can be helped by drones. In such areas drones are force multipliers where the Indian state can provide basic public goods like security to more citizens at lower costs. The Andhra Pradesh police has begun moving in this direction.

The need for regulation

Any proposal to regulate must be backed by a full articulation of the underlying market failure. In the case of drones, there are two dimensions. One element of the market failure is the possibility of negative externalities in the form of harm to innocent bystanders. The other element is the possibility that drones are new weapons for committing old (IPC) crimes.

Drones are aircraft without pilots and passengers. Therefore, regulations governing certification of safety for pilots and passengers are not applicable for drones. However, just like an aircraft, drones can fly over properties and persons without their consent. Badly made or badly flown drones crashing into people or property is a concern. This justifies basic safety/quality standards for drones, and some level of competence for the drone operator.

Drones can now enable a class of crimes which were previously hard to organise. Drones have fundamentally changed the nature of privacy in ones home. High walls and thick screens are no protection against snooping by a drone which could be operated by a media company, government agency or a personal enemy. Drones can also be used to carry out attacks by dispersing chemicals or mounting weapons. Drones can be used to spy on military establishments or carry out attacks on industrial/nuclear installations. While the easy answer for a lazy government is to ban drones, this is a very intrusive intervention. A better tradeoff in security would be to create checks and balances which permit society to gain from applications of drone technology while avoiding the problems. A natural point of departure is the registration system for cars.

India should develop the regulatory framework for drones now. Other countries are already doing this. Delaying the process will impede innovation in drones and derail development of the drone market. India will fall behind in the global drone market. One day, when India wakes up to civilian applications, we will then be a mere importer of drone technology as this knowledge will not have spread deeply in the country.

Approach to regulation

There are three approaches to regulating drones:
  1. Banning them: Prohibit the civilian use of drones. This is where we are today.
  2. Regulating them: Regulate civilian use of drones to minimise the harm to others and prevent the potential misuse of drones.
  3. Regulating and encouraging them: Positive interventions by the government to facilitate innovation.  

Regulating drones

This approach requires drone operators to comply with safety and security standards. At the same time, the cost of compliance should be borne in mind so as to not make investment in the drone industry unviable. Other jurisdictions are balancing these two competing interests through a multi-pronged approach.

Risk based regulation
The riskier the drone operation, the greater propensity it has to cause harm to others. It follows that risky drone operations must have higher standards of compliance with safety and security requirements. For example, the US law creates a distinction between drone operations conducted for research or recreational purpose (in demarcated areas) and drone operations conducted for non-recreational/commercial purpose; which may fly over strangers who did not consent to drone over-flight. In the former case, the drone operator does not require US Federal Aviation Authority (FAA) approval, but must operate safely and in accordance with law. In the latter case, the drone operator requires specific authorisation from the FAA.
The EU and UK categorise drone operations depending on the level of risk. For example, a drone operating over the open sea is less risky than a drone operating over spectators in a stadium. In the former case, a drone operation may not require any approval but may have operational limitations, such as, the drone operator should maintain visual line of sight with the drone and the drone operation should not be conducted above 400 feet. In the latter case, the drone operation may require multiple approvals, such as, design and production approval, air worthiness approval, operational approval and proof of pilot competency.
No-fly zones
Certain areas, like nuclear installations and ammo-dumps, are sensitive. Drone accidents in such areas may cause widespread devastation. There are other sensitive areas where any breach of the security protocol may cause a national security threat, like the border of a country. Hence, there is a need for airspace restrictions to minimise the perceived harm in sensitive areas. For example, the US FAA prescribes fly and no-fly zones based on airspace-centric security requirements. These airspace restrictions are used to protect special security events, sensitive operations, high-risk areas, etc. As an example, Raisina Hill may be classified as a restricted airspace area.
Drones as weapons
Drones may be used for criminal activity, such as a terrorist attack. Developing some standards of compliance will help minimise the risk of such criminal use. For example, drone operators in the US are mandated to display the registration number of the drone, on the drone. This enables easy identification of the drone operator in the event of a criminal activity. Singapore criminalises carriage of prohibited items, like a weapon, on a drone and discharging anything, whether gaseous, liquid or solid, from a flying drone.
Drones have been used to track unsuspecting individuals and trespass into private property or a restricted area. To prevent this, Singapore has criminalised taking photographs of a protected area (as declared by the Singapore Government) using drones. In the US, any government operated drone operation is required to comply with the provisions of the US Constitution, Federal law and other applicable regulations and policies on privacy, like the Privacy Act, 1974. The US FAA has also formulated guidelines to encourage private parties to advance privacy, transparency and accountability during commercial and non-commercial drone operations and prevent unintentional violation of the privacy of others. For example, a drone operator is encouraged to provide prior notice to individuals of the time frame and area where the drone is intentionally collecting data and develop a privacy policy for the collected data. The UK CAA has also framed similar guidelines.

Encouraging drones

Alongside these enforcement perspectives, there is a need for positive interventions by the government to facilitate drone innovation. This approach recognises that the drone industry is in a nascent stage. The quality and pace of innovation in drones will not only depend on the players involved, but also the regulatory framework within which the innovation is taking place. These interventions may not be in the form of fiscal incentives (the most commonly used in India) but more in the nature of creating an enabling environment for the private sector to innovate and operate.

This may require a change in laws that discourage the suppliers and users of the drone industry. For example, drones actively interact with other users of airspace and should operate without causing harm to these users. To ensure this, the US FAA carries out safety studies to support safe integration of drones in the national airspace system. It may also require some institutional changes to facilitate the development of the drone industry. For example, the US FAA allocates research and test sites within the US to allow drone testing and enable development of drone technology in a safe environment.

The UK Civil Aviation Authority (CAA) supports the research and development process in the drone industry by facilitating full and open consultation with the developers of drone technology so that the CAA can provide guidance on the applicable rules and regulations. The US FAA coordinates with other Federal Agencies and the international community to designate permanent areas in the Arctic where small drones can operate 24 hours for research and commercial purposes. The US FAA has recently entered into a partnership with the drone industry to explore next steps in drone operations beyong the scope of the applicable law.

Next steps

The DGCA draft guidelines is a step in the right direction. However, the guidelines leave much to be desired. India needs to move on to formulating a regulatory framework which regulates and encourages the drone industry. It has some natural advantage (expertise in software technology and IT) which may allow it to be a key player in the global drone market. However, if India squanders away the lead by not creating a conducive environment for drones, it will end up lagging behind other nations.

Minimising the regulatory burden

There is a need to regulate the drone industry to minimise the risk of harm that it may cause to third parties. On the other hand the cost of compliance should not be higher than the profits/benefits. High regulatory cost will discourage players (especially small firms) from entering the market and will nip the industry in the bud. The draft regulations (in some places) have very high costs of compliance, without any attendant benefit to the society. This is a result of the vague language used in the draft regulations.

An example of vague language increasing the cost of the compliance is the requirement of permission for low drone flights. Regulation 5.3 of the draft regulation states:

the operator shall obtain permission from local administration, the concerned ADC.

The guidelines are silent on what is 'local administration'. Is it the district magistrate, local police station, local court? No one knows. It is also not clear whether you need permission from "local authorities" and "the concerned ADC" or "the concerned ADC" is the "local authority". The abbreviated term ADC is not expanded or explained anywhere in the guidelines.

Such vagueness drives up the cost of technology adoption by small firms. These firms would have to  run from pillar to post to get the above "permission". Since these local authorities will also not know whether they are the right "local authorities", and lack a guidance document based on which they can to analyse applications, they will probably take inordinately long or refuse.

The draft guidelines is peppered with other technical terms, like "Temporary Segregated Areas (TSA)" and "Temporary Reserved Areas (TRA)", which are also referred to but not defined. There is also no cross-reference in the guidelines allowing a reader to find what they mean and which areas they apply to. They may be the terms of art for airlines, but such opacity hampers the large technology community who must tinker with drones.

Making regulations user-friendly

Till now, the airspace was used by a niche population, pilots. Hence, if airspace regulations were not easily available and were technical, it was not a problem. With the coming of drones, airspace will become accessible to a large section of the population from a 16 year old kid to hobbyists, researchers, companies large and small, government, etc. Airspace regulations must now become comprehensible and reader-friendly. For example, it is crucial for a drone operator to know areas where a drone can be used and areas where it cannot. The draft guidelines state that drone operations cannot be carried out in notified prohibited area, restricted area, danger area, TSA and TRA.

However, the draft guidelines do not provide much guidance on what constitutes these areas or even where one can find these areas. Although, the regulations refer to the Aeronautical Information Publication (AIP) regarding details of these terms, the AIP is not readily accessible to the general public. In contrast, the US FAA has developed an app (B4UFLY) illustrating the fly and no-fly areas for ready reference of drone operators. Using this app, a 12 year old child can understand where to fly a drone.

Screen showing no fly zones in the US


Induction of drone technology into India is, at present, very costly. When authorities, processes and systems are unclear in a law, the potential cost of getting a drone permission can literally be infinite. There is no way to know which authority to apply and the authority itself does not know whether he/she has the power to grant an application. We need clearer regulations, and we need a regulatory framework to support the industry.


Subtitle B, Title III of the US FAA Modernisation and Reform Act, 2012.

EASA Proposal to Create Common Rules for Operating Drones in Europe (September 2015).

CAA CAP 722: Unmanned Aircraft System Operations in UK Airspace: Guidance (March 2015).

Singapore Unmanned Aircraft (Public Safety and Security) Act 2015 (No. 16 of 2015).

Johan Hauknes and Lennart Nordgren, Economic rationale of government involvement in innovation and the supply of innovation-related services, STEP Report Series R-08 (1999).

The authors are researchers at the National Institute for Public Finance and Policy. They thank Sumant Prashant, Bhargavi Zaveri and Pratik Datta for discussions.