The Finance Ministry has suggested that provisions relating to data protection be excluded from the national e-commerce policy, on grounds that the issue is best handled by MeitY, reports Mint. The report cites a government official as saying that the draft data protection bill, drafted by MeitY, is not restricted to e-commerce companies but applies to every industry and sector. Moreover, according to the official, the policy should look at data from the point of view of ‘competition’ and should list provisions such that data is misused to influence prices and ensure the level playing field for all sellers.

Issues with the draft e-Commerce policy when it came to data protection

Among the goals of the e-commerce policy was to address the regulatory gaps from the Personal Data Protection Bill. It recognized data as a national asset and collective resource. It said that Indians have a sovereign right over their data and this right cannot be extended to non Indians.

Why data provisions were being introduced in the e-commerce policy when the Personal Data Protection Bill is already in the works is a question raised by participants at MediaNama’s discussion on the e-commerce policy as well. A number of other issues in the e-commerce policy such as cross-border flow of data, data localisation, and government control over data were also contested. Some issues raised during MediaNama’s discussions on the Draft National E-Commerce Policy:

1. Jurisdiction, why undermine a consultation process? : Devika Agarwal of NASSCOM said introducing data data provisions through an e commerce policy undermines an extensive consultation process which has already taken place. Second, “the provisions which have been proposed in the policy go beyond affecting e-commerce, therefore, the so far as they relate to personal data, they should be dealt with under the personal Data Protection Bill.”

2. Conflict between e-commerce policy and PDP Bill: Some provisions are in direct conflict with the provisions of the PDP. Agarwal explained that paragraph 1.2 says that the business entity collecting or processes any sensitive data in India and stores that abroad will be subject to certain conditions. “Sensitive data has not been defined — are we going to assume that sensitive data referred to in the in the Policy is the same as sensitive personal data defined in the PDP?”..”Second, the e-commerce policy says that even with customer consent, data stored abroad shall not be made available to business entities or third parties. Now, if the policy constantly says that consumers should be empowered, that citizens should have control over their data, here you are contradicting that very same premise.”

3. Data localisation for creation of digital products in India: The ecommerce policy argues that India would be shutting the doors for creation of high-value digital products in the country and that we must retain control of data to ensure job creation in India. Nehaa Chaudhari of Ikigai Law argues that the harms of data localisation far, far outweigh any kind of potential benefits that you may have.” She explains that startups rely on cloud service providers for storing their data, and need their data centers located as close to its customer base / market as possible “my choice of data center is going to primarily depend on how close it is to my customer base or to my market. I’m going to want to keep my data as close to the market that I’m interested in primarily. The cost is another factor.”

Adnan Ansari of 9dot9 Insights, offered another objective, not made explicit in the Policy, of access to data. “Data localisation is eventually the means towards an end. This is the most obvious solution that at least the proponents of this policy see, because you are viewing data as a resource number one, and you want access, you want the government to have access to that particular data. So you want that data to be localised.”

4. Allowing movement of data for innovation: Coming to the practicalities involved in a requirement for data localisation, Chaudhari relays the concerns among startups. “Some startups that are trying to do cutting-edge stuff around R&D, or want to play around with certain services on data analytics services or AI/ML related stuff, then, in which data center around the world do you get that service? Because if I’m a cloud service provider it’s not necessary that I have rolled out a particular kind of service on mass and made it available around the world, especially if it’s a new service. Chances are that I’m going to test it out in a parent market and then subsequently roll it out wherever I think that there is maximum demand for that service. So if I’m a startup, and I want access to this cool new thing that’s come out, I should have at least temporarily if not permanently, the freedom to move my data overseas.”

5. Why does the government want to collect, localise and redistribute data? : Prasanto K Roy, weighs in with some context of regulatory objectives behind the nexus of data sharing and data localisation: “If you see, as far as payments is concerned, you have an enormous amount of stuff which happens on a global payment platform. The holy grail they believe in is that all that should be ultimately replicated here… So therefore, data is the resource which can be processed this IoT data we were talking about the belief is that you know, IoT data will become a very fundamental part of this tradable resource.”