Tag Archives: cross border data transfer

Draft E-commerce Policy: The dawn of a new beginning

Data is the basic building block of everything we are trying to do in this age of Industry 4.0. Data is a valuable resource for any individual, corporation or the Government. Data can be used for analytical, statistical, business, security purposes among various other things. Keeping ‘data’ central to the idea of governing the e-Commerce industry in India the Department for Promotion of Industry and Internal Trade on February 23, 2019, published the ‘Draft e-Commerce Policy’ (“Draft Policy”).

The overall objective of the Draft Policy is to prepare and enable stakeholders to fully benefit from the opportunities that would arise from progressive digitalization of the domestic digital economy. The Draft Policy focuses on data protection, the State’s paternalistic attitude towards the use of the citizen’s data and cross border transactions. The Draft Policy intends to regulate some things beyond e-commerce i.e. it proposes to regulate technologies like AI, IoT, Cloud computing and Cloud-as-a-Service etc. On a holistic level, it is understood that these technologies empower e-commerce industry currently and are integral to its growth and therefore the Government intends to bring these technologies under the purview of the Draft Policy. The Draft Policy is a mix of visionary thought process, advanced technological solutions, putting in place digital infrastructure to support India’s digital economy etc.

DATA

The Draft Policy resonates the idea and intent of the legislature that is formulated under the Data Protection Bill, 2018 as far as the rights over data of an individual is concerned. The collective idea of the Draft Policy is to streamline the protection of personal data and empowerment of the users/consumers with respect to the data they generate and own. Though the question to be assessed here is whether this is the real intent of the Draft Policy?

The Draft Policy recognises the rights of an individual over its data by stating that “An Individual owns the right to his data” and therefore the use of an individual’s personal data shall be made only upon seeking his/her express consent. It further states that the data of a group is a collective data and therefore a collective property of that particular group; it extends this rationale to state that “Thus, the data that is generated in India belongs to Indians, as do the derivatives there from”. But the Draft Policy ends up categorising data of Indians as a collective resource and therefore a “national resource”.

The abovementioned intent of the Draft Policy is fair and strives to achieve the greater good of the country, but at what stake? If personal data belongs to an individual then this objective appears that the State wants to interfere with the personal rights of a person. The Draft Policy clearly states that “All such data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer’s consent”, what follows this point in the Draft Policy, restricts sharing of data with any third party in a foreign country even if the individual has consented to such sharing of the data.

The intent behind such restriction is that currently, India lacks stringent laws regarding cross-border flow of data. If there are no strict restrictions on cross-border flow of data Indian stakeholders will merely be engaged in back end processing of data for the EU / US based e-commerce entities without having the ability to create any high-value digital products. While the Government considers data as a national resource and compares it with coal, telecom spectrums etc. it ignores the fact that the inherent nature of personal data is that it belongs to an individual and not to the State, unlike coal.

The obvious reason as to why the State is taking such a stance is to eliminate issues related to consent asymmetry. But is this paternalistic attitude warranted?

If the Government is worried about foreign countries using our national resource i.e. data to their advantage it should put in place stringent data privacy and protection laws in India taking inferences from other countries.

DATA INFRASTRUCTURE

The Draft Policy takes forward the digital India initiative and intends put in place secure and digital infrastructure and encourage the development of data –storage facilities/ infrastructure including data centres, server farms, towers, tower stations, equipment, optical wires, signal transceivers, antenna etc.

The Government will add the above-mentioned infrastructure facilities in the  ‘Harmonized Master List’. This will enable regulation of the listed infrastructure in a more streamlined manner. Whereas the infrastructure will be put in place by various implementing agencies, while financing agencies may identify these as infrastructure that they may intend to support. This will facilitate achieving last mile connectivity across urban and rural India.

The Government by developing such data/digital infrastructure wishes to support India’s fast-growing digital economy and create employment.

EASE OF REGULATION

Given the interdisciplinary nature of e-commerce, it is important for the Government to tackle various regulatory challenges. The Draft Policy suggests formulating a Standing Group of Secretaries on e-Commerce (SGoS), which shall be an important body for tackling various legal issues emerging from various statutes such and Information Technology Act, 2000 and rules thereunder, the Competition Act, 2002 and the Consumer Protection Act, 1986.

Additionally, the Draft Policy states that “All e-Commerce websites and application available for downloading in India must have a registered business entity in India as the importer on record or the entity through which all sales in India are transacted”.

SIGNIFICANT HIGHLIGHTS OF THE DRAFT POLICY

  • The Government intends to continue charging custom tariffs on any digital goods being traded electronically (imposing custom duties on electronic transmissions). Whereas the Government is strict on its stance of not accepting the permanent moratorium on custom tariffs for goods (including digital goods) traded electronically as proposed by the WTO.
  • The Draft Policy states that there should technological standards put in place for emerging technologies like IoT, AI etc.
  • The Draft Policy introduces a term, namely ‘Infant Industry’ under which small scale entities facing entry barriers to enter the market will be integrated with market keeping data as a central to this integration. This will also help strengthen platforms like ‘e-lala’ and ‘Tribes India’.
  • The Government intends to establish technology wings in each Government department.
  • The Government intends to streamline the process of importing goods in India and harmonise the functions of various administrative bodies involved in the process of import of goods in India.
  • A body of industry stakeholders will be created that shall identify ‘rogue websites’. These rogue websites will be added to ‘Infringing Website List’ (IWL). IWL will enable the ISPs to remove or disable these websites. It will also enable payment gateways to curtail the flow of payments to or from such rogue websites. Search engines will be able to efficiently remove such rogue websites identified in the IWL.
  • There shall be no trade mark infringement and customers at large shall not be deceived by using deceptively similar trademarks. In case an e-Commerce entity receives a complaint about a counterfeit/fake product which is manufactured with intent to deceive the customers. The e-Commerce entity shall convey such misuse of the trademark within 12 hours from receiving the complaint to the trade mark owner. Whereas in case any prohibited goods/products have been sold on any e-commerce platform the entity operating such e-Commerce platform shall delist such products within 24 hours from receiving such complaint.
  • Any non-compliant e-Commerce entity will be not be given access to operate in India.
  • All e-Commerce sites/apps available to Indian consumers shall display prices in INR and must have MRPs on all packaged products, physical products and invoices generated.
  • In the view of misuse of ‘gifting’ route, as an interim measure, all such parcels shall be banned, with exception of life-saving drugs.
  • Details of sellers shall be available for all the products sold online.
  • Sellers shall provide undertaking regarding genuineness of any product sold online.
  • In case of a counterfeit product is sold to a consumer, the primary onus to resolve such an issue will be of the seller but the intermediaries shall return the money paid to them by the customer and the marketplace shall seize to host such products on their platforms.
  • The intermediaries shall curtail piracy on their platforms.
  • An integrated system that connects Customs, RBI and India Post to be developed to better track imports.
  • The Draft Policy also intends to simplify the processes involved in export of goods by doing away with redundant requirements such as the need to procure Bank Realisation Certification

Once the final e-Commerce policy is enacted what will be interesting to see is whether Government opts for ease of governance or ease of doing business.

Overall this Draft Policy is a positive step towards making India one of the most prominent digital economies in the world, especially considering the strict stance the Government has taken during the WTO negotiations by not accepting the permanent moratorium on waiving custom duties on digital goods sold through electronic transmission. The Government intends to boost the local and home grown e-Commerce business entities and to provide a level playing field for MSMEs by retaining the rights to impose tariffs on electronic transmission through e-Commerce. Certain issues regarding data/personal data of an individual still needs a deep intellectual thinking, integrated with a practical approach from the Government before implementing a sector-wide policy, especially keeping in mind that at the end of the day personal data belongs to an individual and the use of such personal data shall be the decision of the respective individuals and not of the State.

Author: Manas Ingle, Associate, NovoJuris Legal

Advertisements

Data Localisation: India’s policy framework

The Personal Data Protection Bill, 2018 (“Bill”) and the Data Protection Committee’s (“Committee”) Report (released on 27 July 2018) contains the framework and the policymakers’ insight on protection of personal data in India. The recent Draft e-commerce policy indicates Government’s thought process on storing data in India. The Reserve Bank of India (RBI) in April this year mandates that all data generated by the payment systems in India, is to be stored in India. The Ministry of Health and Welfare has published the draft legislation called Digital Information Security in Healthcare Act, to safeguard e-health records and patients’ privacy.  Thus, all these new rules/policies/regulations (collectively referred as “the Data Protection Framework”) indicate a very strong direction that the Government wishes to undertake on data localisation, which helps in enforcing data protection, secure nation’s security and protect its citizen’s data, better control on transmission of data outside the country and more.

We believe initial steps were taken when under the Companies Act, 2013, the maintenance of books of account in electronic form, required copies to be kept in servers physically located in India.

Many questions abound that the Government take fast paced measures in enabling the infrastructure to build data-centres, which in-turn requires land clearance, electricity etc., ability to keep the operational costs for SMEs low, jump-starting initiatives on artificial intelligence, delicate balance to be maintained on surveillance and protection.  On a positive note, this provides entrepreneurial opportunities in building data centres, alternative energy/ solar grids etc.

Data Localisation under the Data Protection Committee’s Report and the Bill

Chapter 6 of Committee’s Report provides compelling arguments on ‘Transfer of Personal Data Outside India’, where the Committee notes Laissez Faire economy of data, i.e. where free flow of data is the norm and to restrict as an exception. It also recognizes that an embargo on data crossing borders as curbing personal liberty of people. The Committee recommended that even if the intended destination is across borders, all data to which Indian laws would apply would need to be stored locally as well. The Central Government may decide that certain data may not be permitted to be taken out of the country and requiring its processing to be done locally. To highlight sections 40 and 41:

  • The Central Government shall determine categories of sensitive personal data which are ‘critical’ in nature having regard to strategic interests and enforcement, this personal data can only be processed in India.
  • Transfer of other non-critical personal data will be allowed subject to one serving copy of it being stored in India.
  • Cross border transfers of personal data, other than critical personal data will be through model contract clauses with the data transferor being directly liable to the data principal.

Mandatory Data Localisation being prescribed under different aspects

Localisation of Payment Systems Data mandated by RBI: Even before the release of the Committee’s Report and the Bill, data localisation was touched upon by RBI in its Notification of 9 April 2018, where it directed all payment system providers to ensure that all data relating to the payment systems are to be stored in systems situated only in India. Under the said notification, the RBI includes ‘full end-to-end transaction details’, ‘payment instructions’ and other information collected, processed, carried, etc. to be within the ambit of data which is required to be stored. The maintained are to be annually audited and reported to RBI.

Localisation of Data under the National E-Commerce PolicyThe Draft National Policy Framework (the “National e-commerce Policy”) concerning the ‘Digital Economy’ seeking to regulate the ‘e-commerce’ sector in India, proposes localisation of several categories of data involved in e-commerce. The intent stated is to create a ‘facilitative eco-system’ to promote India’s digital economy through measures such as, data generated by users in India from sources such as e-commerce platforms, social media, search engines, etc., and all community data collected by Internet of Things (IoT) devices in public spaces are to be stored exclusively in India and sharing of such data within the country is proposed to be regulated.

The localisation of data is not absolute and cross-border flow is allowed for a handful of cases, such as for software and cloud-computing services involving technology related data-flow (which are free of any personal or community implications) and other standard exceptions consistent with the views expressed in the Committee’s report.

Localisation under the draft amendment to Drugs and Cosmetics Rules, 1945

The recent draft amendment proposed to the Drugs and Cosmetics Rules, 1945, for regulating e-pharmacies, makes it clear that e-pharmacies web-portals have to be established in India for conducting its business in India and data generated to be stored locally. The draft rules states that under no means the data generated or mirrored through e-pharmacy portal shall be sent or stored by any means outside India.  

Data Centres in India

For the data to be stored locally, data centres need to be established, regulated and function under the law. The demand for companies to host their data in India stemmed from  security perspective. The major issues with data localisation is not only of cyber security but also jurisdiction. Cloud computing softwares have taken advantage of the economies of scale and an infrastructural architecture across the world. Thus when there is a threat presumed in one part of the world, the algorithm would move the data to another location or even in multiple locations. In addition to this the Cyber Security Report, 2017 released by Telstra have reported that businesses in India were most at risk to cyber security attacks. Further the organisation in India have experienced the highest number of weekly security incidents of all Asian countries surveyed.

The Privacy Bill provides that the Central Government to notify categories of personal data for which the data centres have to be established in India and the Authority to be established under the legislation to be responsible for the compliances.  Further for achieving its goal of facilitating India’s ‘Digital Economy’, the National e-Commerce Policy purports to grant “infrastructure status” to data centres and server farms in India. An infrastructure status by getting listed under the Harmonized Master List of Infrastructure Sub-sectors by the Department of Industrial Policy and Promotion (DIPP) entails that it’ll be easier to get credit to enter into these operations. This would be accompanied by tax-benefits, custom duties rebates and also 2-year sunset period before localisation becomes mandatory. However, these incentives are only being considered and not promised as of yet.

Cost-Benefit Analysis on Data Localisation

In Chapter 6 of its report, the Committee takes up a detailed analysis of the benefits and repercussions of adopting mandatory data localisation in India. Benefits as stated in the report include:

  • Reduction in the costs of enforcement of India’s own laws because of easier availability of data within its jurisdiction, the cost and time spent on co-ordinating with foreign agencies for access to requisite data being reduced.
  • Overseas transactions of data involve reliance on fibre optic cable networks spread around the world, which are vulnerable to attacks and perhaps localisation of data may reduce this security risk.
  • Having copies of all data collected in India will be a huge boost to the digital infrastructure as the domestic industry will now be able to harness a lot of data. For instance, the report points out that developments in Artificial Intelligence will see a great boost from this.
  • As a matter of national security, the complete localisation of critical data prevents any foreign surveillance of India’s internal affairs.

The report also states that the localisation of data can have its costs too, however it severely downplays them. The report recognizes that to make storing of data mandatory in India, will result in a burden on the domestic enterprises which use foreign infrastructure like cloud computing for running their businesses. The implications include the increased costs of doing business for small and medium businesses, also there may be the danger of monopolization in the digital infrastructure because only a few firms would have the expertise and capital to invest in creating huge data centres in India. However, the Committee states that they are not persuaded by this argument and are confident that the potential of the Indian market will adequately trump the additional cost of setting up the infrastructure.

 Our observations

Digital India and building a thriving Digital Economy in India, building strong competencies in artificial intelligence, protecting nation’s security and data of its citizens are very critical and is now becoming mandatory for India. Establishing a strong domestic infrastructure is a big commitment for the Government, which includes making available vast tracts of land, uninterrupted power supply to the data centres and such other pre-requisites. It is to be seen how India can harvest the long term benefits.

Important reading material:

https://economictimes.indiatimes.com/news/economy/policy/draft-ecommerce-policy-champions-india-first/articleshow/65206404.cms

https://economictimes.indiatimes.com/news/economy/policy/as-ministries-argue-draft-ecommerce-policy-lands-with-pmo/articleshow/65495585.cms

https://inc42.com/features/draft-indian-ecommerce-bill-favouring-domestic-players-at-the-cost-of-the-ecosystem/