This report is the third in our series covering the discussion on India’s Draft E-commerce Policy (whose fate still hangs unclear). Read the rest here.

“It is just a draft for discussion, it is not a law. Give your points, if you have an alternative view, which would fulfill the objectives of digital industry and of public purposes, very well. If in the end we agree that yes, there is no need of localisation… and this is how I’m going to do it, it’s very fine,” said Parminder Jeet Singh, Executive Director, IT for Change and a member of the National e-commerce think tank which drafted the e-commerce policy.

“But a push back about how this is a stupid policy and stupid start, where people have no idea what they are doing, it is not okay. There are very important ideas which have been put forward,” Singh added.

Singh said that the draft policy laid out ‘important ideas’ that would help India build a solid framework, not just for the e-commerce sector, but also to the much larger aspect of data ownership. However, other panelists and attendees raised concerns over the lack of public consultation during the course of the this policy’s development.

The following are some of the key points made at the #NAMApolicy discussion on India’s Draft E-commerce Policy held in Delhi on the 26th of September 2018. Please note that these points are not necessarily listed in the order they were made and are not verbatim excerpts of the speakers’ remarks. We’ve edited them for brevity.

On Data ownership

  • There is an academic discussion behind data ownership that’s pretty advanced. Justice Srikrishna himself said that we are not able to reach to a point, where we could substantially decide on data ownership. Because the legal way of looking at it is different, ownership is for property, it gives it property rights. One, the theory is not developed yet to come up with that concept so easily. (Venkatesh Krishnamoorthy, Country Manager for India, BSA: The Software Alliance)
  • Groundwork for data ownership norms: Unlike the intellectual property law which has a global existence, there is no existence of data ownership laws and this policy has put the first stake in the ground to start talking about data ownership laws, which are important. (Parminder Jeet Singh)
  • What is localisation trying to do? This policy talks about collective data, it uses a term, community data. It has also been recognised by the Srikrishna report. It talks about certain types of data, whose ownership is not very clear. (Parminder Jeet Singh)
  • We are starting a new epoch. We cannot make a law and say this is how it is. Ownership is a very important thing. It is by practice that ownership starts getting shape. Look at the example of GDPR, it does not mention the word ownership. However it says data portability. People are saying that if you have data portability rights, then you have data ownership. I am saying that practices start developing the concept – as GDPR’s concept of data portability is being interpreted as personal ownership of one’s data. You are starting to develop an ocean of a collective ownership of data. In these practices, that big, important political economy of data ownership will be sorted out in the coming years. (Parminder Jeet Singh)

I think that the report does a good job in identifying that there are different kinds of data sets. I think it will be easier to start looking at it as compartmentalised data groups, as opposed to looking at it with this holistic idea of data ownership. (Krishnamoorthy)

  • Taking cues from IP rights: When it comes to non-personal data, there are already substantial ideas about how we talk about ownership of data that is purely Intellectual Property rights. There are ways in which we can distinguish them. One of the doctrines of IP rights is that when a person has applied labour to it, and this goes all the way back to Milesian ideas about liberty, it is considered their property. So if you aggregate a data set and applied effort to it… is that effort worth anything? Is that effort to be promoted? (participant)

I am not very clear that Delhi’s commuting data (Delhi’s traffic conditions over the last 10 or so days) which has been gathered by Google and Uber, actually belongs to Uber and Google. If tomorrow, Delhi decides to implement smart traffic planning, then they will need this data. Would they have to buy this data from Uber or Google? No property ownership laws exist as per now. But even scholarship around the ownership of data hasn’t started. That’s what this policy is tasked to do. And who’d do it? Who is on the losing end? If developing countries are losing the most, India being sucked out of the two polar situations, we should be the first ones to talk about ownership issues. (Singh)

  • Is Control equal to ownership? When it comes to personal data, I feel that the debate has gone very far beyond what was necessary. I always thought that the idea of ownership for personal data was shorthand for the amount of control that you would be willing to give the subject to the particular personal data. (participant)

“There is a lack of understanding about what personal data is for everybody else apart from the data subject. A person can say that this is my thing because a system of ownership and property has been created, by which allocation of this to a particular person, who has paid for it, will result in beneficial situation. The idea that personal data has to be entirely within the control of the data subject seems to ignore that the only way you can know a person and the only way you decide how to treat or approach a person is by knowing their features. Otherwise they are a homogeneous mass. I do not know how to treat one person differently from another”. (participant)

  • Another category of data: In regards to ownership, a distinction needs to be drawn between sensitive personal data and personal data…. what are these kinds of data which should be considered sensitive? Can something be short of sensitive data, a third category of data, which isn’t sensitive but definitely worthy of protection.(participant)
  • Community data: To give an example of collective ownership, you can collectively aim at minority, at the LGBT community of Delhi, without recognising each member. Just do something which will hurt all of them, and that data, therefore belongs to that community. About where they go in the night or which restaurants they visit, there is a lot of collective ownership. (Singh)
  • More than ownership: About aggregation of data and profiles, where you as a whole are encapsulated in one profile. We should distinguish between different kinds of data because we talk about it in relation to other things and contexts… not just in the context of one kind of relation, like ownership. We talk about ownership, leasing, fiduciary relationships and bailment. We talk about these huge range of legal relations that a person can have with a thing. We have to approach data in a very similar manner and that can only be done if we are willing to differentiate kinds of data. That requires a more complex exercise than just calling it community data. (participant)
  • No exchange value for data: Data does not have a good exchange value, it has a good use and abuse value. Data, unlike other things, once you make a sale, it’s not gone from you. I take money for my IP and I can runway enjoy it. When I take money for my data, it is always a comeback, because data is about me and it’s about new social relationships therefore, it always comes back to me. There is no good exchange value because the exchange is never complete. (Singh)

Categories of data

  • Creating new categories: Section 2.3 of the draft e-commerce policy says – following categories of data would be required to be stored exclusively in India and suitable framework developed for sharing data within the country. (Adnan Ansari, 9Dot9 Insights)
  • The e-commerce policy talks about social media data. They are inventing new categories of data. They have put a list of data sets that have to be localised. The question is all this should be consulted and the process should be much more robust. (Krishnamoorthy)
  • This particular committee doesn’t even see categories data sets as personal data and non-personal data. It just goes on to a broader ambit of categorisation. You start with something basic and then go beyond that which is non personal data. (Krishnamoorthy)
  • Data generated by users India from various sources, including e-commerce platforms, social media, search engine etc. The creation of innovative digital products within India would be promoted, including by fast tracking work on national encryption policy. This is section 2.3. (Ansari)
  • IOT data could be community data, it could be agriculture data, it could be environment or climate data, it could be traffic data of public spaces where sensors are used to get the data. Actually people say your mobile is an IOT device in many ways. (Singh)

Community data, is a new category of data. This is happening in WTO and other bodies that are dealing with ownership and data issues. The control architecture has changed. Earlier it was about what kind of information can enter your national borders, now countries are trying to create a regulatory policy frameworks that prevents data from leaving the borders of that country. The categories of data, it maybe community data, payments data, sensitive data, government data, commercial data, are being used to define public policies and the national security exemptions. This is going to become problematic in my opinion in the future. (Jyoti Panday, IIM-A Idea TCOE, participant)

  • Poorly worded policy: Regarding derivative data.. if a large company releases a report on how India spends. Maybe a small company, which is working offline, could start thinking about selling online… I think that’s how the draft e-commerce policy was probably envisaged, but it was not worded that way. (Ansari)
  • In sync with the data protection bill: The Srikrishna committee report actually encourages that a law should be made about community data. It is absolutely in conjunction with the e-commerce policy. The (e-commerce) committee says everything is superseded in the personal data protection bill, while the draft data protection bill asks the government to make a new law about community data. This (e-commerce policy) is the law. (Singh)

Issues with data localisation

  • Impact on cyber security: Data localisation affects data security. The best practice for cyber security is to make sure you compartmentalise data sets, that you maintain redundant data sets across the world. That’s just basic hygiene. (Krishnamoorthy)
  • Impact on businesses: It may also prevent companies from offering services that they currently offer. For instance, an e-commerce provider, who wants to do analytics, a specific niche form of analytics which is now being offered only in a global market, say in a server in Singapore. They will take that data, store it in Singapore, get that particular analytics done and beam it back to the consumer here. (Krishnamoorthy)
  • I represent small niche companies like Octa and DocuSign which offer products to a limited number of consumers and if you are asking firms like these to localise data, they probably won’t be able to offer their services anymore. (Krishnamoorthy)

A lot of Indians poached by foreign companies are coming back and starting their own companies. We should encourage them and other companies to operate in India. Would you want to do that in a mandated way or do you want to do in an incentivised manner? That’s a question that we need to ask at a policy level. (Krishnamoorthy)

  • I find that there’s a disparity between the e-commerce policy and the Justice Srikrishna report because the former uses critical, personal, sensitive information infrastructure, that needs to be localised. But the e-commerce policy says that all data related to e-commerce needs to be exclusively stored in India. (Ansari)
  • The e-commerce policy is mandating a standard for encryption, which will be contested at both the WTO and the regional agreements, because if you start mandating encryption standards, companies are going to have problems. (Panday)

Data sharing

  • The e-commerce policy seeks to monetize data localising by developing a framework of data sharing for digital industry. There has to be means to share the data because that’s how we can develop. Data infrastructure is the term being used, these sharing arrangements are what we need. You could say, why can’t we still share data if it is not localised? If the data escapes your territory, you can’t enforce laws on it. Even India’s AI strategy, which is NITI Ayog’s AI strategy, says companies should be mandated to share data for social good (Singh)

A national policy is talking about mandating a company, which is doing business in India, to give over data, I am really worried about it. Why would a company that has built the technology to use data handover all the data? (Krishnamoorthy)

  • There are already three to four big companies which have started singing data sharing agreements. (Krishnamoorthy)
  • The e-commerce policy does not mandate data sharing. It says that it will have a data sharing arrangement. It only mandates data localisation. (Singh)
  • Section 2.42 of the e-commerce bill says that ‘data stored in India should be shared with startups meeting a stipulated criteria, turnover of Rs 50 crores etc.’ I’m directly quoting from the policy. (Ansari)
  • I just want to give some examples of data sharing. There is a directive of EU and corresponding open banking rules in the UK, which force big banks to share their data with startups. These banks are not happy but it is forced and it is mandated. The second example is of training data for self-driving cars. Self-driving cars are very complicated things, they need data in every weather condition of every place. The more data they have, the safer they are. The problem is no single company is going to have all the data and if they don’t have all the data, it’s not safe enough. There are a lot of people who are talking about mandating sharing of training data because that alone will make these cars safe. But not to share that kind of data which takes away their competitive advantage. These are advanced discussions. (Singh)

Economic utility of data

  • One of the main objectives we are seeking from data localisation is using the economic utility of data. We need to ask how exactly can we achieve this full economic utility of data? Because, at the moment, all the research, including the white paper of the Justice Srikrishna committee, has only been pointing at the negative effects of localisation on GDP. On the contrary, I have not particularly seen any positive effects of data localisation on the GDP. (Ansari)
  • Can companies monetize data and sell it to other companies? We need to reverse this logic and look at the fact that localisation is not the ends that you are seeking. The end that you are seeking is using that data for economic transformation and development. (Ansari)
  • Personal data is not the only kind of data that is important. Derivative data of many kinds are more important in terms of economically important data. (Singh)
  • The Srikrishna committee report and the bill which will follow is going to be ‘the’ protection bill here. No e-commerce policy can go beyond it and it will be consent based movement of data. There are many layers of data that are not personal data and much of it (economic utilisation of data) is about that. (Singh)

Consent

  • If the data protection bill becomes a law, and if we are talking about personal data, without consent, the data cannot be given, even to a sharing entity. (Singh)
  • On consent, I think when and if the policy comes out, because it makes a reference to the justice Srikrishna Committee report, it would refer back to the justice Srikrishna Committee report and the draft bill. (Ansari)

Other notes:

  • We need to recognise that.. digitalisation or digital industrialization is something epochal. I consider this to be as big as industrialization was some 250 years back. I need to say this because the policy is also looking at that kind of changes. (Singh)
  • It’s not about one industry, many interest are involved here. Because they are not in the room and because they have not shared their view, you may not know this, but farmers have a view on data. I worked with many farmer groups to know this. Similarly, traders, hawkers, labor unions, all have a view on data. (Singh)
  • There is this tendency about how the government doesn’t know what it’s doing and how bureaucrats are idiots. But keeping in mind the kind of challenges they faced, I think they have done a pretty good job with the policy. The government did not push its head under the sand as most developing governments are doing. They started doing things with their hand and did whatever they did, rather than realising seven, eight or 20 years later, that they should have done something. (Singh)
  • People have a misconception about the e-commerce policy, it hasn’t asked for data localisation to protect data or for legal enforcement. In fact, it very clearly says that the Srikrishna (committee’s) report is looking at it. The e-commerce policy is looking for a particular kind of data localisation, which is about economic ownership of data, that alone and nothing else. (Singh)
  • The policy was supposed to be put for public consultation two weeks after the draft was prepared. It has been stopped now. What is happening now is not public consultation. It is worse than public consultation. I think back door lobbying is worse than public consultations. There should be law for making policies. (Singh)
  • Eric Schmidt has said that the internet in splitting into two, China led Internet and the US led internet. Do you expect the Government of India to sit on its haunches and wait for this to happen and do nothing? This is the first effort that an Indian government has made at an digital industrialisation. You need to contribute to that. Don’t say that this policy is not needed. A nuanced data ownership and localisation policy is only India’s option at a global leadership level, which we should try and take. (Singh)

When people tell me that my data would be safer in the US than in India, it really gives me shivers. That’s the only overlap e-commerce policy has with the Srikrishna committee’s report. (Singh)

  • Privacy International has recently published that it has become clear that UK’s surveillance agencies were looking at Privacy International. This is a very significant moment in our technology policy making because so far surveillance agencies could claim that our programmes are not mass surveillance, they don’t take in data. (Panday)
  • PhonePe recently announced its support for data localisation. The company already has transactional data, which it may choose to anonymize, but it has already built a profile of how I am spending and what kind of savings I have. Like The e-commerce framework is developing, there is a payments and financial services framework also being developed. Now PhonePe is sitting on all of this transactional data and wanting to enter into credit and lending verticals, then what are the limitations on a company that has accumulated that kind of transactional data, that is able to profile me, from entering into other markets that can help it capitalise on that information and build products. (Panday)

*

We are bringing #NAMApolicy on India’s draft National E–commerce Policy to Bangalore on Wednesday, October 10. Apply here to attend.