“The fundamental question here is this: when we already have a personal data protection bill in the pipelines, which the draft of which has been finalised, then why is the government trying to introduce data provisions through an e commerce policy?”, asks a participant at the discussion. The #NAMApolicy discussion on the draft of the National E-Commerce Policy threw up brought out a certain collective confusion on data protection as dealt with by the draft. The Policy makes a clumsy attempt of sorting out data protection as part of its aim of keeping data within India. Read our complete analysis of the Policy here. This discussion was
Jurisdiction of DPIIT: Conflict with the PDP Bill?
Some of the points brought up during the discussion were aimed at how the matter of jurisdiction would play out, with the Sri Krishna Committee having released the Personal Data Protection Bill. Devika Agarwal of NASSCOM explains:
“Why is the government trying to introduce data provisions through an e commerce policy? Because I’m doing so you’re undermining an extensive consultation process which has already taken place? That is one question. And the second, the provisions which have been proposed in the policy go beyond affecting e-commerce, therefore, the so far as they relate to personal data, they should be dealt with under the personal Data Protection Bill.”
Nehaa Chaudhari of Ikigai Law offers a partial defence for the inclusion of data protection in the Policy: “If you look at the Allocation of Business Rules… the difficulty is that the scope of each of these things is not been defined. So you don’t know everything that goes into developing and nurturing the startup ecosystem. If you say that having a conversation on data sharing is absolutely critical to nurturing India startup ecosystem, which is an argument that has been made repeatedly over the past two years in data protection conversations across the country, the DPIIT could well argue that there’s nothing wrong with including some of these things in an e-commerce policy, because they’re well within their mandate to make recommendations on some of these aspects.” There is however some consensus on a certain degree of over-regulation by the Policy in terms of data protection. Chaudhari continues, “Some things are just I don’t see them having a place in the e commerce policy. All of this is well within the remit of MEITY and that’s the ministry that should be making recommendations on everything that you just said.”
Agarwal highlights a further level of substantive conflict brought about by the policy. “It’s not just the data provisions being in the wrong policy. Some provisions are in direct conflict with the provisions of the PDP. For instance, paragraph 1.2 says that the business entity collecting or processes any sensitive data in India and stores that abroad will be subject to certain conditions. Sensitive data has not been defined — are we going to assume that sensitive data referred to in the in the Policy is the same as sensitive personal data defined in the PDP? The second problem is that in outlining the conditions also says that even with customer consent, data stored abroad shall not be made available to business entities or third parties. Now, if the policy constantly says that consumers should be empowered, that citizens should have control over their data, here you are contradicting that very same premise.”
Data Localisation and its objectives: Job creation? Access to data? Access by who?
It is pointed out that the Policy highlights the creation of high value digital products within India as an objective behind restrictions on cross border data flow. Chaudhari explains why she isn’t convinced by this argument. “I don’t see that taking place, honestly. And I do think that the harms of data localisation far, far outweigh any kind of potential benefits that you may have. We do work with startups, we see many of them relying on cloud service providers for storing their data. So if you’re storing your data on a cloud service platform, you have the option of choosing which data center you want your data to be located in. If my business is centered in the United States, or it’s centered in the European Union or centered in Singapore, my choice of data center is going to primarily depend on how close it is to my customer base or to my market. I’m going to want to keep my data as close to the market that I’m interested in primarily. The cost is another factor.”
Adnan Ansari of 9dot9 Insights, offers another objective, not made explicit in the Policy, of access to data. “Data localisation is eventually the means towards an end. This is the most obvious solution that at least the proponents of this policy see, because you are viewing data as a resource number one, and you want access, you want the government to have access to that particular data. So you want that data to be localised.”
“My understanding — and again, this is coming from this particular policy in the earlier draft — it actually talks about AI in certain places, it talks about how in order to build an API infrastructure in the country, you need to have access to data. It sort of makes it a broader political economy question where it says that data should be owned by the country.” When asked how that helps development of AI, he responds: “So that’s where the policy talks about sharing of data with smaller enterprises, that you have to share the data, you have to make it readily readily available to smaller enterprises to basically perform data analytics functions and so on. The policy does talk about the data being owned by the collective in some sense.
“But the point that I want to make over here is when data access is still the end that you want to achieve, data localisation is just a means, where it says that it has to reside in India. The question that I want to counter to that is, let’s say, if we accept all of this, why not involve the market, and let there be data markets where this data could be shared? The bill just talks about data protection, but we have not sort of really unwind unbound the economic utility of the data that carry that it carries.”
The Cost of Data Localisation
Coming to the practicalities involved in a requirement for data localisation, Chaudhari relays the concerns of clients: “Like I said, the choice of data center has been motivated by latency, and the market where it makes more sense for them to keep their data. And sometimes for a lot of folks that are really trying to do cutting-edge stuff around R&D, or want to play around with certain services on data analytics services or AI/ML related stuff, then, in which data center around the world do you get that service? Because if I’m a cloud service provider it’s not necessary that I have rolled out a particular kind of service on mass and made it available around the world, especially if it’s a new service. Chances are that I’m going to test it out in a parent market and then subsequently roll it out wherever I think that there is maximum demand for that service. So if I’m a startup, and I want access to this cool new thing that’s come out, I should have at least temporarily if not permanently, the freedom to move my data overseas. And I’m just thinking in terms of business, allow me to move my data where I see fit.”
“I know from our clients that technically, it is possible, except then you’re just creating redundant data sets. And we don’t necessarily see sense in splitting up our data, sometimes it’s not possible, because you want one dataset to be interact with another. So you’re always going to be sort of going back and forth in terms of what are the cost implications involved. Honestly, most of them will just say that we will use a cloud service platform.”
“At the end of the day, I have to work out to whether a suitable CSP is in my country, whether the options that are available to me are able to service my needs. And again, if I’m not a startup whose primary or any company whose primary market is India, I don’t want to keep my data here, I want to keep it as close to my customers as possible, because latency is an important factor, particularly depending on the kind of business that you’re running, like video streaming.”
Adnan Alam of Nutanix confirms the cost of localising data onto servers within India: “Usually applications or products are not designed to take into account where the data would reside. It might bring up issues like Neha said, of latency and costs. Cloud service providers typically charge 40-50% more in the Mumbai data center than they would in the cheapest data center in the US where energy and land are cheap.”