After almost four years of the largest and most ambitious effort in history to transform a nation with technology, India is looking ahead to protecting the data that it is generating. Given that India is projected to have the largest population in the world by around 2024 and that the median age then will still be below 30 (see chart), capturing the prospective value of data from e-commerce and the Internet of Things is an understandable government priority. The way in which India is prepared to do it, though, may have implications for the efforts of other governments to capture the value of consumer data.
India’s Department for Promotion of Industry and International Trade (DPIIT) published a draft national e-Commerce Policy on February 23rd. The Policy’s goal is to keep data generated by Indian users within India to spur domestic digital entrepreneurship, while preserving data flows for other business uses. Therefore, the Policy’s restrictions would apply to 1) data collected by IoT devices that monitor public areas and 2) e-commerce (e.g. social media and search engines) data generated by users in India. To preserve other business data uses, the Policy would not restrict most data not generated by consumers, such as multinational corporations moving data across borders for largely internal purposes and software and cloud computing data that have “no personal or community implications.”
The proposed restrictions (which may better viewed as hopes and dreams of someone with a certain perspective on the value of data and the role of government) on data collected in India but stored abroad are that a business:
- may not share the data with other businesses or third parties even with user consent;
- may not make the data available to a foreign authority; and
- must immediately provide the data to the Indian government if requested.
The driver of these rules is the belief that Indian control over Indian consumer data will make India a hub of innovation rather than a spoke of outsourced data processing:
Without having access to the huge trove of data that would be generated within India, the possibility of Indian business entities creating high value digital products would be almost nil. Domestic technology companies would be merely processing outsourced data work.
Restrictions on the data are not justified on national security or “cyber-sovereignty” grounds as in China, and certainly not on data protection or privacy grounds as in Europe. Privacy interests and the parallel Personal Data Protection Bill now under consideration in India are cross-referenced frequently by the Policy, but the Policy notes that it addresses issues of “far wider reach.”
The Policy states that companies would have three years to “adjust to the data storage requirement.” All e-commerce sites and apps available for download in India must have a registered entity in the country, restricting foreign entities from offering digital services in India. The Policy calls for further domestic IoT regulation focused on “consumer protection, secured transactions, and ease-of-use interface.”
What becomes of this draft Policy may tell us a lot about the future not so much of data localization as the future of governmental control over the value of data. This assertion of governmental control is to be expected as data comes to be recognized as one of the fundamental issues of international trade.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.