The Department for Promotion of Industry and Internal Trade (DPIIT) issued a revised draft of the National E-commerce Policy (policy) on 23 February 2019 seeking feedback and comments from stakeholders. The policy seeks to enable the use of “India’s data for India’s development”.
The policy proposes restrictions on cross border flow of:
- data collected by Internet of Things (IoT) devices installed in public spaces;
- data generated by users in India through various sources, including e-commerce platforms, social networks and search engines.
The policy proposes that the first category of data be made available to domestic entities for use in research and development and for public policy purposes. It also proposes the establishment of a data authority.
The policy suggests that entities that collect or process any sensitive data (a term that is not clearly linked to the above categories of data) in India and store it abroad must ensure that such data will:
- not be made available to business entities outside India or other third parties, for any purposes, even with customer consent;
- not be made available to a foreign government, without the prior permission of Indian authorities;
- immediately be made available to Indian authorities upon request.
At first glance, this proposition appears to be less onerous and restrictive than the hard data localization requirements such as China’s Cybersecurity Law, Russia’s Federal Law No. 242-FZ or even the RBI’s Notification on Storage of Payment System Data, which requires (at least for the most part) that data be retained in specific locations. In practice, however, the restrictions may prove very difficult to comply with for private entities. For instance, under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in the US, US federal law enforcement agencies can require US technology companies (through warrants and subpoenas) to provide data in their “possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the US”.
The ability of any entity to guarantee that data stored in any location will not be made available to local law enforcement may be limited. The policy’s approach may also impact user autonomy. The Supreme Court, in the KS Puttaswamy v Union of India case (right to privacy judgment), recognized that, “Apart from safeguarding privacy, data protection regimes seek to protect the autonomy of the individual. This is evident from the emphasis in the European data protection regime on the centrality of consent.”
Relying on the framework laid down by the right to privacy judgment, a Committee of Experts under the chairmanship of Justice BN Srikrishna studied the issue in greater detail and noted that, “It is essential to ensure that the interests of effective enforcement of the law and economic benefits to Indians need to be at the core of any proposed framework for cross-border transfer. However, these must not unjustifiably impede the international flow of personal data, which itself is beneficial in many ways for Indians.”
The policy, however, aims to address the concern that permitting the unrestricted export of data outside India will deny access to Indian entities and prevent them from creating high-value digital products.
The policy proposes the same level of restrictions on highly sensitive information such as health records or surveillance information and for more innocuous data such as outdoor weather sensor readings or search queries. Balancing these considerations, enabling users to get products or services that require the export of data, while still allowing Indian firms to access and benefit from such data may require a more nuanced approach.
National governments are often better placed to negotiate and agree on limitations on state surveillance or interception of data than private entities, particularly smaller ones. For example, the CLOUD Act contemplates a framework of executive arrangements to supplement the existing framework of Mutual Legal Assistance Treaties between nations. The EU-US Privacy Shield Frameworks are designed to help companies comply with data protection requirements when transferring personal data from the EU to the US.
A similar framework would permit India to negotiate and impose more granular and nuanced provisions around interception and access to data directly with countries rather than requiring private entities to do so. The free flow of data could then be permitted to countries that have such bilateral or multilateral obligations with India.
Cyril Amarchand Mangaldas is India’s largest full-service law firm. Arun Prabhu is a partner and Samraat Basu is a consultant at the firm.
Cyril Amarchand Mangaldas
Peninsula Corporate Park
Lower Parel, Mumbai – 400 013 IndiaNew Delhi | Bengaluru | Hyderabad | Chennai | AhmedabadContact details
Tel: +91 22 2496 4455
Fax: +91 22 2496 3666