India’s Draft E-Commerce Policy: A Need To Look Beyond Data As The New Oil – Analysis

By Shashidhar KJ

India’s e-commerce industry, estimated at around $39 billion in 2017, is expected to grow to $200 billion by 2026. Business-to-business (B2B) e-commerce is expected to grow from $300 billion to around $700 billion by 2020.

However, limiting the impact of e-commerce on India’s production and consumption supply chain ecosystem to just monetary terms is reductive. The draft e-commerce policy prepared by the Department for Promotion of Industry and Internal Trade (DPIIT), Ministry of Commerce and Industry, does recognise this. Its overall objective is to “prepare and enable stakeholders to fully benefit from the opportunities that would arise from progressive digitalization of the domestic digital economy.” This is a laudable objective, but the policy fails to set a clear roadmap to enable India to exploit the benefits of the digital economy, while safeguarding the interests of all stakeholders.

It proposes changes in the areas of data governance, intermediary liability, intellectual property, competition, consumer protection, investments, and cloud infrastructure. Each of these issues needs to be tackled separately by different ministries and departments through consultations, rather than by being clubbed under one umbrella.

By far, the most contentious issue that the policy seeks to tackle is cross-border data flows. British mathematician Clive Humby, who was instrumental in establishing Tesco’s Clubcard loyalty programme, is credited with coining the term ‘data is the new oil’. This maxim is often used while making decisions about the Internet and digital economy. And since data is the new oil, the DPIIT’s policy seeks to treat all the data generated by Indians as a national resource that needs to be protected by stemming cross-border data flows. It bars sharing of sensitive data with third parties, even with the customer’s consent. That means data generated by users in India from sources like e-commerce platforms, social media and search engines, will not be allowed to leave India. Such protectionist approach is flawed.

Data is not the new oil, it’s much more

Data, unlike oil, which is found in limited quantities, has different properties. Data begets more data which can be used for numerous applications other than the ones originally intended. Limiting cross-border data flows would only stifle innovation and entrepreneurship for Indian startups, and in turn, that of the entire Indian economy. For startups, which rely on leveraging the economies of scale on distributed systems across the world, access to cross-border data flows is crucial. For example, credit bureaus use artificial intelligence (AI) and machine learning (ML) and need sensitive bank information for fraud detection. There needs to be seamless data flows to assess the creditworthiness of a potential loan applicant. Take the interconnectedness of Indian credit card payment where data is sent on MasterCard’s networks and processed in the European Union. This information is again shared with credit bureaus so that they may maintain their credit scores of consumers.

It can formulate policies which look at generating and collecting particular sets of data about citizens. The policy commendably expresses concern over matters of data privacy, but it does not lay down what happens if there is a data breach. It makes a mention of the report on data privacy prepared by the committee headed by Justice BN Srikrishna where it mentions that every individual whose data has been collected must be notified in case of a breach. Justice Srikrishna’s report lays down clear guidelines of response in case of a breach. It also recommended the creation of an empowered Data Protection Authority to inquire into any violations of the data protection regime, and take action against data fiduciaries responsible for the same. Currently, the Personal Data Protection Bill is being discussed in Parliament and deliberations must conclude before the proposals in the e-commerce policy are enacted.

Alternatives to data localisation

The draft policy says that technology companies are able to gather large amounts of unstructured data for identifying trends which have significant commercial value. It argues that access to data gives rise to market distortions as network effects make it virtually impossible for potential competitors to come up. Hence, the policy says that “government should “reserve its right to seek disclosure of source code and algorithms” so that it may strike a balance between commercial interests and consumer protection.

But mandatory disclosure of source codes and algorithms by companies that the policy stipulates is punitive. This would choke future innovation and be detrimental for business ecosystem. While there is a genuine need for holding algorithms developed by tech giants accountable for their decisions, forced disclosure may be counter-productive. There is a need strengthen mutual legal assistance treaties with other countries for data requests, particularly with the United States, which is a slow and cumbersome process. The government can also consider the European Union’s General Data Protection Rules (GDPR) where people have a “right to explanation” for the output of an algorithm.

The Centre for Internet and Society lists a number of alternatives against the hard data localisation that the DPIIT proposes. This includes positioning India better in the global mutual legal assistance treaties, levying taxes on large multinational technology companies, and enforcement of competition law. Mirroring of certain data sets, too, should be considered as an alternative.

The policy says that localising data will help stimulate economic growth. This is not true. Most data centres do not require many people to manage them. Reports suggest that data centres usually employ 35 people to run their operations. Meanwhile, storing large datasets will bring about its own set of problems. With increasing number of data breaches, servers in India will be vulnerable to hacking. American cryptographer and cyber security professional Bruce Schneier explains why storing such large amounts of data could potentially backfire and likens it to toxic asset, where the cost of protecting an asset outweigh the benefits. Moreover, it needs to be pointed out that certain geographies are considered high risk for storage of data. Real estate services company Cushman Wakefield ranks India at 10th position in the Asia Pacific region on its data center risk index.

The policy, from that perspective, does not give enough thought to who would be held accountable when a breach occurs. Afterall, companies will say that they were complying with the law. But are there enough safeguards to prevent breaches of such large datasets? Would localisation ensure enforcement of privacy and data protection? More importantly, is it really worth storing so much data?

Back to the drawing board

Though the draft e-commerce policy raises some important questions, it fails to accurately define what it wants to address and prescribes a number of complex solutions that go much beyond the limited mandate of the Ministry of Commerce. Take, for example, the proposal to create an industry body which will “identify rogue websites” which host pirated content without judicial oversight. The policy mandates search engines to remove these websites from their results, Internet Service Providers (ISPs) to block their access, payment gateways to deny them monetary transaction. The policy also bars advertisers and advertising agencies from hosting ads on such websites. The policy neither gives any detail if this is feasible nor even attempts to study how other countries have dealt with piracy.

It would be better if more time and thought is given to all the critical issues through discussion papers and that the diverse issues of the e-commerce ecosystem are dealt with by different parts of the government under a cohesive multi-agency and empowered framework. The DPIIT, as a department of the Ministry of Commerce, neither has the all-encompassing mandate nor the powers to deal with the multiple and cross-disciplinary aspects of the e-commerce industry, forget effective policy implementation and enforcement.