The Department for Promotion of Industry and Internal Trade (‘DIPP’) released, on 23 February 2019, the Draft National e-Commerce Policy (‘the Draft Policy’). In particular, the Draft Policy aims to protect data generated in India, enhance data security and prevent violations of privacy. In addition, the Draft Policy outlines the creation of a legal framework to regulate the cross-border flows of data collected through sources, including Internet of Things (‘IoT’) devices stored in public areas and data generated by users in India on e-commerce platforms, social media and search engines.
Mathew Chacko and Aadya Misra, Partner and Associate respectively at Spice Route Legal, told DataGuidance, “One of the noteworthy aspects introduced by the Draft Policy is the [processing] of data, data localisation, and the export of data […] The Draft Policy intends to curb the cross-border transfer of data if the data is sourced from public spaces. This is going to have a serious impact on how most of the tech giants, including Google, Facebook, and Amazon do business in India. Software as a service platforms may be hit as well because these restrictions would apply if the intended cross-border transfer concerns personal data.”
Furthermore, the Draft Policy outlines that a business entity collecting or processing sensitive data in India and storing it abroad, should not make the data available to a third party for any purpose, even if the customer consents to it. In addition, the Draft Policy highlights that all data stored abroad should not be made available to a foreign government without the prior permission of Indian authorities and that a request from the Indian authorities to access data stored abroad must be complied with.
The Draft Policy intends to curb the cross-border transfer of data if the data is sourced from public spaces
Chacko and Misra outlined, “The Draft Policy seems to dismiss customer consent with respect to the [processing] of personal data […] The question that arises therefore, is whether individuals actually have control over their data, and whether the ability to choose how their data may or may not be used is affected. While one can appreciate the position on the growth of domestic services, it should not be at the cost of individuals’ rights that have resulted from a hard-won battle for privacy, data protection, and the ability to exercise rights over how personal data is used.”
Moreover, the Draft Policy aims to develop a framework for sharing data collected by IoT devices installed in public places with start-ups and firms to address privacy related issues. Furthermore, the Draft Policy outlines that the implementation of the framework would be undertaken by a ‘data authority,’ which would be established for this purpose.
Supratim Chakraborty, Partner at Khaitan & Co LLP, concluded, “The Draft Policy mentions that larger public interest or public good is an evolving concept and envisages the creation of a data authority. It is important to note that the Personal Data Protection Bill, 2018 already provides for the constitution of a Data Protection Authority of India and that data privacy and protection obligations are already scattered across directions from numerous sectoral regulators such as the Reserve Bank of India. Therefore, it would be interesting to note the roles and objectives of this new data authority going forward.”
CLAUDIA STRUGNELL Privacy Analyst