In recent times, with increasing digitisation, the ecommerce sector has witnessed unprecedented growth, resulting in a paradigm shift in the manner of doing business. The Indian ecommerce market, although currently at a nascent stage, is expected to grow from $38.5 Bn in 2017 to $200 Bn by 2026.
With this background, while the Draft National Ecommerce Policy issued by the Department for Promotion of Industry and Internal Trade (DPIIT) on 23 February 2019 (Draft Policy) appears to be a step in the right direction, there are a number of concerns which have not been addressed.
The Draft Policy is India’s first step towards an exclusive ecommerce policy. The Draft Policy covers key aspects including (a) significance of data as a valuable ‘asset’; (b) concerns surrounding data privacy and data security; and (c) confidentiality and intellectual property.
In its current form, the Draft Policy is an ambitious document affecting various domestic and international stakeholders – startups, payment aggregators and payment systems, fintech companies, content providers, MSMEs, and logistics companies.
While the policy seeks to give a boost to several government initiatives reliant on e-commerce, including existing flagship programs such as ‘Make in India’, ‘Startup India’, and ‘Digital India’ and other internet-based enterprises such as Sugamya Bharat Abhiyan, BHIM and GeM which facilitate commercial activities through the use of internet abled devices, it does not, however, address several concerns including data privacy and consumer protection.
Given that this sector is predominantly driven by data and technology, it is imperative for a consumer-oriented economy like India to establish a comprehensive, unambiguous regulatory framework.
Data As An Asset And Data Privacy
The constant evolution of the digital economy has resulted in greater usage of the internet, which in turn, has led to huge volumes of data generation. While several corporations have adopted business models to monetise such data, issues surrounding the right to use and exploit such data (which is essentially owned by individuals/entities, being users of such platforms) continue to plague the sector – a significant part of the Draft Policy focuses on this aspect.
In terms of the Draft Policy, every ecommerce entity doing business in India is required to be a registered business in India. While the Draft Policy recognises the need to promote domestic alternatives to foreign-based clouds, it has identified the provision of budgetary support as the only means of providing an incentive to promote such startups.
Given that majority of the data generated digitally is owned by large MNCs, monetary incentives alone would not provide the desired result of promoting domestic enterprises which currently lack the requisite technical expertise.
Further, proponents of data sharing across jurisdictions argue that data should be made available to other companies either through compulsory licensing or on ‘fair reasonable and non-discriminatory’ (FRAND) terms.
However, this goes against the premise that data is owned by an individual, and not by corporations which (though the access is provided by the individual) process and propose to monetise such data. Effective means of monetising ‘sensitive personal data’ is a tricky situation which we continue to grapple with – legally and infrastructurally.
The Draft Policy suggests: (a) restriction on sharing of data with entities outside India / foreign third parties, even with customer consent; and (b) that processing of data without consent should be dealt with sternly.
However, it neither makes a reference to consent requirements for sharing of sensitive data or manner of accessing ‘national data’, nor does it prescribe the consequences for default. Moreover, restrictions on sharing data across borders will restrict the ease of doing business globally and may be viewed as anti-competitive.
At present, the legislation governing data, including the Information Technology Act 2000 (along with the rules on sensitive personal data) and the Personal Data Protection Bill 2019 – each has a differing definition of ‘data’. Given the various sources and types of data, it is imperative that data be classified and accordingly be defined as ‘national data’, ‘individual data’, ‘sensitive data’, etc.
In the current form, the Draft Policy lacks clarity on the meaning of ‘data’ and fails to draw a connection with sector-specific laws, akin to the conundrum faced with the meaning of ‘control’ across legislations.
The Draft Policy emphasises on protective measures, requiring ecommerce players to be vigilant and comply with various requirements such as making available seller details, undertaking regarding the genuineness of products, the requirement to obtain the trademark owner’s consent before listing high value or luxury products, e-grievance redressal mechanism, etc.
The Draft Policy, however, does not provide consequences for non-compliance or breach, either penal or monetary but instead relies on other authorities to prescribe penalties for non-compliance. The final policy should ensure that such penalties are commensurate with the consequences currently prescribed under other laws governing the use of data.
Impact Of The Draft Policy
With big-ticket investments such as Alibaba’s investment of $1.8 Bn in several Indian companies and Walmart’s acquisition of Flipkart for $16 Bn, one cannot ignore that India is and will increasingly be a key player in the global ecommerce space.
India has an additional two-fold advantage – a growing economy and population, both of which have the potential to generate tremendous data, placing the nation invaluable position, despite its absence from negotiations at the World Trade Organisation.
Following the outbreak of Covid-19 as a global pandemic, organisations across the world have implemented a ‘work from home’ policy, ensuring to the extent possible, that business runs as usual. This has resulted in various organisations collecting and processing various kinds of data including information relating to health, travel history, self-declaration forms, etc.
While not all of this may constitute sensitive personal data, from a data privacy perspective, this has serious implications given that collection of sensitive personal data requires prior consent. It will be interesting to see how the government addresses these concerns.
[This article is co-written by Ravi Kulkarni (Partner), Tanushree Bhuwalka (Principal Associate) and Srishti Mukherjee (Associate) at Khaitan & Co.]