By Nikhil Sud, Regulatory Affairs Specialist, Albright Stonebridge Group
India’s draft e-commerce policy, dated February 23, imposes various obligations including in connection with data. In several ways – five of which are discussed below – the policy’s data obligations risk discouraging investment and innovation in India from international companies and (perhaps inadvertently) from Indian ones, to the detriment of Indian consumers.
First, the policy may create inconsistencies with the cross-sector personal data protection bill (PDP bill) that India’s Ministry of Electronics and Information Technology (MeitY) is developing. As reflected below, certain details differ or appear to differ, given the policy’s ambiguity. The policy acknowledges the PDP bill and separately notes that policymakers will seek consistency with the government’s e-commerce initiatives. Policymakers must deliver on this promise; without consistency, companies may face significant uncertainty and conflicting obligations.
Second, the policy defines e-commerce so broadly that it arguably applies to all web services. This potentially overbroad scope dramatically amplifies the risks the policy poses. It also reinforces the need for consistency with the PDP bill.
Third, the policy calls for data localization. Localization risks raising companies’ costs and reducing the quality of their services (including security). It is also unnecessary for law-enforcement (as Section 1.2 of the policy implies by acknowledging access to data stored abroad). It is also inconsistent with the approaches of the EU, the US, and an emerging market like Brazil. Further, localization can undermine even Indian companies – such as SMEs using global cloud providers; or those that offer services internationally, but store data in India and may be precluded by other countries’ retaliatory measures.
Despite these concerns, the policy imposes potentially harsh and unclear restrictions on cross-border data flow. Section 1.1 requires “restrictions” but does not specify them – perhaps deferring to the PDP bill or, counter-intuitively, to a different but also ambiguous section of the policy (Section 2.2, addressing infrastructure development) that notes “Steps will be taken to develop capacity for data storage in India… A period of three years would be given to allow industry to adjust,” which some observers interpret as banning (except for expressly exempt types of data) cross-border data flow – far exceeding the PDP bill.
However, that interpretation is undermined by the policy’s Section 1.2, which acknowledges that “sensitive data” can move abroad (unless the policy intends Section 1.2 to apply only during the three-year period mentioned above – which is unclear).
Fourth, Section 1.2 of the policy treats sensitive data transferred abroad harshly and ambiguously. For example, it prevents sharing such data with third parties despite consumer consent. This far exceeds the PDP bill, and risks excluding Indian consumers from an ecosystem of interrelated innovative services. Policymakers should instead ensure consent is meaningful and apply thoughtful data protection measures to third parties. Additionally, the meaning of “sensitive data” is unclear. Does it mean “sensitive personal data” or “critical data” (two different concepts the PDP bill identifies)? Or does it mean something else?
Fifth, the policy suggests that successful international companies share their data with Indian competitors. This approach is the antithesis of fair competition, because it conflates success with the abuse of dominance (a critical distinction) and because it uses national origin as the guiding principle (to decide which company benefits) rather than the price and quality of services.
It risks discouraging international companies from innovating, because once they reach a certain size, they may be asked to share their resources with competitors. It also risks discouraging Indian companies from innovating, because they can free-ride on their international competitors. This can profoundly damage India’s already vibrant digital space where international companies compete alongside numerous thriving Indian companies, providing consumers top-notch services.
About the author: Nikhil Sud serves as Regulatory Affairs Specialist at the Albright Stonebridge Group. He is a lawyer by training, and specializes in legal and policy issues relating to technology.
The author has written this article on MediaNama’s invitation.
Edit: The headline has been updated to fix a typo.