Asheeta Regidi, Feb 26, 2019 19:41:53 IST
The Department for Promotion of Industry and Internal Trade released a new draft National E-commerce Policy for stakeholder comments on 23 February 2019. The new policy contains several new recommendations, such as on infrastructure development, import rules, preventing trademark infringement, and so on. This article focusses on the data protection aspect of the Policy, which provides deeper insight into the direction data protection is likely to take in India.
The Policy takes forward key proposals of the draft Personal Data Protection Bill, 2018 (the PDP Bill), in particular by advocating the ‘nationalisation’ of data, including through imposing data localization requirements. Enabling the monetization of this data is a key focus. Another key feature is that the Policy, in a jurisdictional overreach similar to TRAI last year, is seeking to establish policies for a broader range of data than just e-commerce data. The proposed policies and restrictions are to apply additionally to social media companies, search engines, and IoT devices and data analytics as well.
Data as capital
The Policy takes a similar approach to the PDP Bill by, firstly, naming an individual as the owner of his data and emphasizing the need for express consent for processing the data. Thereafter, the Policy treats data as an asset, which is to be put to use as required. The Policy expressly labels data as a ‘valuable resource’ and as ‘digital capital’, to be treated as capital on par with the financial capital of a corporation. Noting the competitive edge that this digital capital gives, the Policy seeks to create a level playing field by streamlining access by MSMEs (Micro, Small and Medium Enterprises) and start-ups to such data held by corporations.
Such sharing may not be welcomed by the corporations given their investment in collecting and creating it, while benefits to smaller enterprises may be limited since such sharing is likely to be anonymized. The Policy mentions the need for privacy protection and describes anonymization as a ‘start’. The PDP Bill, in fact, requires the anonymization of data before its use for research purposes or for big data analytics. However, the Policy also supports the use of data for targeted advertisements, personalized recommendations and data strategies to further competition and growth, acts which will need identifiable data in order to be effective, making it unclear to what extent anonymization will be used as a protection.
Data as a sovereign, national asset
Additionally, the Policy argues that the data of Indians belong to Indians and that the data of a country is “best thought of as a collective resource, a national asset, that the government holds in trust, but rights to which can be permitted.” By extension, the Indian government, Indian companies and Indian citizens will be allowed a sovereign right to Indian data, which cannot be extended to non-Indians. Access to such data by non-Indians, the Policy states, can be ‘negotiated in the national interest’.
This approach, in fact, is in furtherance of the approach taken by the PDP Bill, which, as argued here, only gives an individual a say in whether or not to give his data (unless an exemption like state processing or a law applies, where even this consent is not required), and thereafter primarily expects the individual to trust that his data is being used in a manner that is in his interest. This is evidenced by, for instance, the absence of key rights such as the right to erasure, which give an individual some control over his data, and the dilution of the purpose limitation principle by allowing the processing of data for any ‘compatible purposes’, which can be unspecified and even unidentified at the time of collection.
Restrictions on cross-border transfer of data
In order to establish its sovereignty over the data, the Policy proposes detailed restrictions on the cross-border transfer of data. First, data from IoT devices in public spaces and data generated by users in India by various sources, including e-commerce platforms, social media, search engines, etc. cannot be transferred abroad.
Next, for other categories of data, whenever sensitive data of Indians is stored abroad, access by other business entities or third parties is restricted even if the customer consents to it. Access by a foreign government needs prior permission from the Indian authorities. Failing to meet these requirements will lead to consequences which are not prescribed at present.
Lastly, certain types of data are exempted from these restrictions on cross-border data flow:
- Data not collected in India
- B2B data shared between business entities under a commercial contract
- Data flowing through software and cloud computing services (which has no personal implications)
- Data shared internally by multi-national companies, excluding data generated by Indian users from sources like e-commerce platforms, social media activities, search engines, etc.
The justification offered by the Policy for these restrictions is that not doing so would shut the doors to creating high-value digital products in India. Job creation through data analytics and cloud computing as an economic activity in India are some other justifications used. However, it is unclear why data localization is the only solution for this, or if data localization of this nature is practically possible. Consider payment data, for instance, where a transaction involves an overseas bank or an entity which needs the data to meet its obligations under overseas laws. A key point here is that all e-commerce apps and sites that are available for download in India are proposed to be required to have a registered business entity in India.
A broad interpretation of ‘E-commerce’ and overlapping jurisdictions
Further, a reading of these rules and the Policy, in general, indicates that ‘e-commerce’ has been interpreted broadly to include digital activities of various natures, including social media companies, data analytics and even cloud computing, as opposed to regulating traditional online marketplaces like Amazon and Flipkart.
This extension is reminiscent of that made by TRAI in 2018 in its Recommendations on Privacy, Security and Ownership of Data in the Telecom sector, where the recommendations were intended to apply to the entire digital ecosystem in the telecommunication space. This effectively encompassed a much wider spectrum of entities than traditionally regulated by TRAI, including browsers, handsets, tablets, OTT services, applications and the like. A similar overlap was also seen in the financial sector, with overlapping privacy rules being issued for mobile wallets, by the RBI on the one hand and Meity on the other.
Overlaps of this nature are becoming common as activities and the legislation governing them increasingly move towards the digital space. This can lead to conflicting regulations (as with TRAI’s approach to privacy which varied greatly from that of the PDP Bill, see here) and compliance issues for companies.
It will have to be seen if the Policy is an indication of how data regulations will work once India has a finalized data protection law, with one general, overarching privacy law backed by sector-specific regulations and policies. Sector-specific discussions are required; for instance, sensitive sectors such as the financial or medical sector will have separate requirements. Further, if the government goes ahead with the imposition of data localization as required under the PDP Bill, despite the many objections raised to it, then this will also necessitate sector-specific discussions on whether the data generated therein should be subject to data mirroring requirements or whether it is ‘critical personal data’ to be subject to data localization requirements.
Issues, however, will arise when such sector-specific laws and the primary law are not aligned with each other. The new Policy, for instance, in its discussion on the use of artificial intelligence, states that the government must reserve its right to seek disclosure of source code and algorithms. This is a right that is missing under the PDP Bill, in relation to individuals or the State. In addition to conflicting regulations, another issue that arises is that of regulations being issued by a department that doesn’t have a full view of the subject.
Is data sovereignty the only solution?
In terms of the individual, the draft Policy doesn’t propose any steps which further the protections to an individual beyond that under the PDP Bill, since its primary focus is on monetizing the data to the fullest extent possible. For the private sector, the proposals will be of concern given the barriers they create, such as for international transactions or for foreign businesses to trade in India. The primary benefit appears to be to the government in terms of control over the data and to completely domestic businesses.
If nations around the world take a similar stance, then this will lead to data silos instead of a free flow of data, a move that cannot be good for progress. One wonders if data sovereignty is really the only solution for ensuring security or progress in the country.
The author is a lawyer specializing in technology, privacy and cyber laws.