By Arpan Chaturvedi
The just-released draft national e-commerce policy has placed considerable emphasis on data and its ownership but has also taken a confusing view on rights, say experts.
Granting data the status of “capital”, the report dwells on network effects that allow a handful of companies to dominate the digital economy. Hence it emphasises individual rights. Even over anonymised data.
“An individual consumer/user who generates data retains ownership rights over his/her data.”
Curiously, it also refers to data as a “collective resource”.
“The data of a country, therefore, is best thought of a collective resource, a national asset, that the government holds in trust, but rights to which can be permitted. The analogy of a mine of natural resource or spectrum works here.”
As a result, the draft report largely looks at the issue from an economic lens rather than a rights protecting lens, said advocate Apar Gupta.
’Even though the report starts with data being an individual’s right, it doesn’t actually respect the individual choice at the end. It seems to restrict it within a larger economic framework which makes it subservient to the larger economic interests of the country.
— Apar Gupta, Advocate
To be sure, the report does refer to the ongoing work on a data protection bill. But it also links data to the interest of local business (creation of high value digital products) and job creation.
In effect, the report seems focused on restricting foreign access to data by proposing a legal framework to control cross border flow of data generated by Indian users on e-commerce platforms, social media and search engines, among others.
Some of the proposed restrictions on businesses, that collect or process sensitive data in India and store it abroad, are:
a) All such data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer consent;
b) All such data stored abroad shall not be made available to a third party, for any purpose, even if the customer consents to it;
c) All such data stored abroad shall not be made available to a foreign government, without the prior permission of Indian authorities;
d) A request from Indian authorities to have access to all such data stored abroad, shall be complied with immediately;
e) Any violation of the conditions mentioned above shall face the prescribed consequences (to be formulated by the Government).
Exemptions would apply to purely business data sent to India as part of a commercial contract between a business entity located outside India and an Indian business entity and cross border flows of internal data by multinational companies.
Senior Supreme Court lawyer Sajjan Poovaya labels it a ‘socialist’ approach which will end up penalising big service providers like Facebook and Google, making them less inclined to launch new products in India.
What this document doesn’t realise is the sheer practical impossibilities of controlling trans-national data flow particularly when it comes to across the platform collection of data. This laudable object of saying that data must be kept in the country, while it looks good when you look at it in a vacuum, it is impractical.
— Sajjan Poovaya, Senior Advocate, Supreme Court
An approach of facilitation rather than penalisation would be better, Poovaya said. It can be on the lines on a quid pro quo model where foreign companies are asked to introduce some measures such as moving a certain number of jobs or undertaking processing inside the country.
The establishment of another data authority has been proposed in the report—“for sharing of community data that serves larger public interest (subject to addressing privacy-related issues) with start-ups and firms”.
The government has invited comments and suggestions on the draft report, to be submitted on or before Mar. 9, 2019.