India Draft National e-Commerce Policy (2019)June 2019
The India Draft National e-Commerce Policy (the “Policy”) is a high-level policy document proposed by India’s Department for Promotion of Industry and Internal Trade in February 2019. It sketches out a series of policy recommendations that range from useful consumer protections to non-constructive protectionist industry regimes that would likely backfire and hurt businesses, entrepreneurs and consumers alike. The best of these recommendations would institute stricter consumer protections against annoying, unsolicited phone calls and emails. But the worst of them would make data transfers difficult, impose onerous liability on third party platforms, and institute data localization that would reduce business and consumer choices.
The India Draft National e-Commerce Policy (the “Policy”) proposes a mixed bag of strict regulatory and protectionist policies related to data governance and privacy – largely premised on the rationale that “India’s data should be used for the country’s development. Indian citizens and companies should get the economic benefits from the monetization of data.”
These recommendations accompany others, regarding tax, infrastructure development, and customs and export policy – but we focus mainly on the recommendations concerning data privacy and governance. We also touch on other suggested policies (such as those regarding online liability) that are potentially intertwined.
The Policy paints in broad brush strokes. It is therefore difficult to gauge in a precise way its likely legal and economic impacts. But certain concerns do stand out, alongside some worthy recommendations.
First, the positive. The Policy, to its credit, recommends that India more vigorously regulate unsolicited email, SMS and telephone messages. This is a step forward. It would protect consumers and enforce integrity across these commercial platforms. If drafted thoughtfully, this legislation could align India’s email, text and telephone marketing laws with those of the U.S. or Canada. This is therefore a promising development.
On the other hand, the Policy proposes several steps that seem likely to curtail innovation or business development, particularly if they lead to overly aggressive or protectionist regulation. In particular,
- It recommends data localization requirements that would make it difficult for Indian businesses to work with international data and services platforms;
- It recommends that India restrict data transfers out of India from e-commerce platforms, social media, and search engines – thus limiting how Indian consumers and businesses can work with those platforms;
- It even suggests price controls – which can limit choices and reduce competition and innovation;
- It recommends that the Indian authorities be granted access to commercial source code and algorithms, which could inhibit intellectual property development and innovation; and
- More broadly, it suggests that online platforms should be liable for user-generated content (and thus safe harbors for internet intermediaries be diluted) – a threat to free speech and open communication.
At the same time, the Policy proposes that Indian authorities have wide latitude to demand information held overseas – a potential concern for civil liberties, and an invitation for international disputes.
All that said, the Policy is an early-stage document, and will be subjected to scrutiny from the wide range of groups with something at stake. These include Indian entrepreneurs, investors, vendors with international clients, and businesses with international vendors. Consumers, too, may see their choices dwindle if the Policy is implemented aggressively. We hope that moderating voices will prevail to help draft a document that protects consumers without enforcing protectionist data regimes.
Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 5/10]
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 2/10]
But the Policy often fails to convincingly connect its proposals to these harms and outcomes. For instance, it presumes that severe data localization proposals will play a role in development of physical IT infrastructure within India. But this conclusion seems speculative, as significant localization barriers might as likely lead to less cross-border engagement with Indian companies and, thus, less infrastructure inside India.
Likewise, the Policy presumes that protectionist restrictions on cross-border data flow will help India create “high-value digital products in the country” – but it may just as likely preclude Indian businesses from valuable business opportunities.
In contrast, certain Policy proposals do address important goals. The more vigorous regulation and enforcement against unsolicited commercial messages and calls has a clearly defined positive outcome, and could be valuable if it follows workable templates like those of the U.S. and Canada.
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 5/10]
It is promising that the Policy recommends that e-commerce entities “make a full disclosure to the consumer regarding the purpose and use of data collection upfront, in a simplified and an easily understandable form on their websites/ application interfaces.” Hopefully this will lead to streamlined and effective legislation, but at this time this factor receives a “neutral” grade.
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 5/10]
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 2/10]
Second, the Policy proposes unspecified “restrictions” on “data generated by users in India by various sources, including e-commerce platforms, social media, search engines, etc.” This may promote local and closed platforms but will undoubtedly reduce the benefits of Indian residents’ engagement on international social media platforms and reduce the value of those platforms to Indian businesses and cultural organizations.
The Policy’s support for giving Indian government authority to demand disclosure of companies’ source code and algorithms is particularly likely to limit global companies’ engagement in India. It would jeopardize trade secrets and other intellectual property, and this will also broadly reduce local companies’ incentive to innovate in India.
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 3/10]
By proposing that online platforms must “ensure genuineness” of all information posted, the Policy would almost certainly chill political speech and satire and raise the cost of operations – potentially leading user-generated platforms to shut down or permit only innocuous postings.
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 3/10]
Perplexingly, the Policy would prohibit companies from sharing “sensitive” Indian data stored abroad with other businesses even when individuals consent. This could effectively preclude Indian consumers and businesses from working with countless businesses, platforms and vendors that generally share data (e.g., for security, communication, customer or tech support purposes). It also limits consumer choice and opportunity, and harms competition and innovation.
International Commerce: International commerce and cooperation should not be inhibited. [Score: 2/10]
Even more provocative are the Policy’s proposals that would prohibit companies from sharing sensitive Indian data stored abroad with foreign governments absent permission from Indian authorities. This would invite jurisdictional and law enforcement disputes between governments.
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 5/10]
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 3/10]
- Localization requirements on vendors and business partners will likely raise local businesses’ costs;
- Restrictions on data transfers from e-commerce platforms, social media, and search engines will make it difficult for Indian entrepreneurs to connect and integrate with large international platforms that are meaningful sources of valuable business;
- Price controls (“Advertising charges in e-commerce must be regulated”) will undoubtedly reduce competition and innovation; and
- Requiring all “digital economy” participants to appoint a local representative will burden small businesses more than large ones.
“9-10” means the legislation thoughtfully accounts for the concern.
“7-8” means that, with adjustments, it can likely account for the concern.
“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4” means that causes confusion or concern, but not in as widespread a manner as a “1” rating.
“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.