Data Protection Policy Analysis

India Draft National e-Commerce Policy (2019)

June 2019
/100 score
Clear Terms Specific Harms Helpful Processes Not Retroactive Not Harmful Free Speech Simple Consents International Commerce Fair Enforcement Small Enterprises 5/10 2/10 5/10 5/10 2/10 3/10 3/10 2/10 5/10 3/10


The India Draft National e-Commerce Policy (the “Policy”) is a high-level policy document proposed by India’s Department for Promotion of Industry and Internal Trade in February 2019. It sketches out a series of policy recommendations that range from useful consumer protections to non-constructive protectionist industry regimes that would likely backfire and hurt businesses, entrepreneurs and consumers alike. The best of these recommendations would institute stricter consumer protections against annoying, unsolicited phone calls and emails. But the worst of them would make data transfers difficult, impose onerous liability on third party platforms, and institute data localization that would reduce business and consumer choices.


The India Draft National e-Commerce Policy (the “Policy”) proposes a mixed bag of strict regulatory and protectionist policies related to data governance and privacy – largely premised on the rationale that “India’s data should be used for the country’s development. Indian citizens and companies should get the economic benefits from the monetization of data.”

These recommendations accompany others, regarding tax, infrastructure development, and customs and export policy – but we focus mainly on the recommendations concerning data privacy and governance. We also touch on other suggested policies (such as those regarding online liability) that are potentially intertwined.

The Policy paints in broad brush strokes. It is therefore difficult to gauge in a precise way its likely legal and economic impacts. But certain concerns do stand out, alongside some worthy recommendations.

First, the positive. The Policy, to its credit, recommends that India more vigorously regulate unsolicited email, SMS and telephone messages. This is a step forward. It would protect consumers and enforce integrity across these commercial platforms. If drafted thoughtfully, this legislation could align India’s email, text and telephone marketing laws with those of the U.S. or Canada. This is therefore a promising development.

On the other hand, the Policy proposes several steps that seem likely to curtail innovation or business development, particularly if they lead to overly aggressive or protectionist regulation. In particular,

  • It recommends data localization requirements that would make it difficult for Indian businesses to work with international data and services platforms;
  • It recommends that India restrict data transfers out of India from e-commerce platforms, social media, and search engines – thus limiting how Indian consumers and businesses can work with those platforms;
  • It even suggests price controls – which can limit choices and reduce competition and innovation;
  • It recommends that the Indian authorities be granted access to commercial source code and algorithms, which could inhibit intellectual property development and innovation; and
  • More broadly, it suggests that online platforms should be liable for user-generated content (and thus safe harbors for internet intermediaries be diluted) – a threat to free speech and open communication.

At the same time, the Policy proposes that Indian authorities have wide latitude to demand information held overseas – a potential concern for civil liberties, and an invitation for international disputes.

All that said, the Policy is an early-stage document, and will be subjected to scrutiny from the wide range of groups with something at stake. These include Indian entrepreneurs, investors, vendors with international clients, and businesses with international vendors. Consumers, too, may see their choices dwindle if the Policy is implemented aggressively. We hope that moderating voices will prevail to help draft a document that protects consumers without enforcing protectionist data regimes.


Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 5/10]
It is not surprising that a broad-spectrum policy proposal defers key definitions to future legislation, but it is very hard to grade data protection and privacy policy proposals that do not define the most critical term: “sensitive data.” The neutral score in this category will change when the future legislation is introduced.
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 2/10]
The Policy identifies specific (yet speculative) harms, including the potential ability of large platforms to “charge monopoly pricing” and the potential entrenchment of platforms based on their network effects. It also emphasizes the need for better and deeper infrastructure across India.

But the Policy often fails to convincingly connect its proposals to these harms and outcomes. For instance, it presumes that severe data localization proposals will play a role in development of physical IT infrastructure within India. But this conclusion seems speculative, as significant localization barriers might as likely lead to less cross-border engagement with Indian companies and, thus, less infrastructure inside India.

Likewise, the Policy presumes that protectionist restrictions on cross-border data flow will help India create “high-value digital products in the country” – but it may just as likely preclude Indian businesses from valuable business opportunities.

In contrast, certain Policy proposals do address important goals. The more vigorous regulation and enforcement against unsolicited commercial messages and calls has a clearly defined positive outcome, and could be valuable if it follows workable templates like those of the U.S. and Canada.
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 5/10]
High-level Policies are not expected to clearly define proposed processes or notices – and this one does not.

It is promising that the Policy recommends that e-commerce entities “make a full disclosure to the consumer regarding the purpose and use of data collection upfront, in a simplified and an easily understandable form on their websites/ application interfaces.” Hopefully this will lead to streamlined and effective legislation, but at this time this factor receives a “neutral” grade.
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 5/10]
The Policy receives a “neutral” grade as it does not take a position on whether legislation should be retroactive.
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 2/10]
Several beneficial data use cases are at risk if the Policy is implemented as drafted. First, the Policy’s strict data localization requirements for “sensitive” data may substantially reduce Indian residents’ access to health and financial industry platforms, and potentially even basic content and storage platforms.

Second, the Policy proposes unspecified “restrictions” on “data generated by users in India by various sources, including e-commerce platforms, social media, search engines, etc.” This may promote local and closed platforms but will undoubtedly reduce the benefits of Indian residents’ engagement on international social media platforms and reduce the value of those platforms to Indian businesses and cultural organizations.

The Policy’s support for giving Indian government authority to demand disclosure of companies’ source code and algorithms is particularly likely to limit global companies’ engagement in India. It would jeopardize trade secrets and other intellectual property, and this will also broadly reduce local companies’ incentive to innovate in India.
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 3/10]
The Policy would require companies storing sensitive Indian data abroad to “immediately” provide access to Indian authorities upon “request.” This raises a concern for basic freedoms of communication, expression and association. Read literally – and assuming a relatively broad definition of what is “sensitive” – it would expand globally Indian authorities’ abilities to surveil and demand personal information and communications.

By proposing that online platforms must “ensure genuineness” of all information posted, the Policy would almost certainly chill political speech and satire and raise the cost of operations – potentially leading user-generated platforms to shut down or permit only innocuous postings.
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 3/10]
The Policy suggests a GDPR-style “consent” framework – requiring “express” consent “regarding the uses to which [data] shall be put.” This approach has led to consumer annoyance, business friction and confusion so its potential adoption by India is concerning.

Perplexingly, the Policy would prohibit companies from sharing “sensitive” Indian data stored abroad with other businesses even when individuals consent. This could effectively preclude Indian consumers and businesses from working with countless businesses, platforms and vendors that generally share data (e.g., for security, communication, customer or tech support purposes). It also limits consumer choice and opportunity, and harms competition and innovation.
International Commerce: International commerce and cooperation should not be inhibited. [Score: 2/10]
The Policy needlessly sets up international disputes and erects international barriers. First, the Policy’s data localization restrictions will almost certainly hinder international commerce and raise barriers for foreign vendors, partners and even customers to work with Indian businesses. Similarly, the Policy’s goal of restricting the outflow of data to “e-commerce platforms, social media, search engines, etc.” will burden international commerce – and limit benefits that would otherwise flow from international commerce to Indian companies and citizens.

Even more provocative are the Policy’s proposals that would prohibit companies from sharing sensitive Indian data stored abroad with foreign governments absent permission from Indian authorities. This would invite jurisdictional and law enforcement disputes between governments.
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 5/10]
As the Policy does not address specific enforcement options it receives a “neutral” score on this factor.
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 3/10]
The Policy seems to rely quite substantially on the theory that barriers (i.e., digital walls) against international platforms will benefit smaller Indian platforms. But several requirements will particularly hurt small businesses.
  • Localization requirements on vendors and business partners will likely raise local businesses’ costs;
  • Restrictions on data transfers from e-commerce platforms, social media, and search engines will make it difficult for Indian entrepreneurs to connect and integrate with large international platforms that are meaningful sources of valuable business;
  • Price controls (“Advertising charges in e-commerce must be regulated”) will undoubtedly reduce competition and innovation; and
  • Requiring all “digital economy” participants to appoint a local representative will burden small businesses more than large ones.

“9-10” means the legislation thoughtfully accounts for the concern.

“7-8” means that, with adjustments, it can likely account for the concern.

“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.

“3-4” means that causes confusion or concern, but not in as widespread a manner as a “1” rating.

“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.