The draft national e-commerce policy argues that the personal data of Indians should be treated as a “national asset”. It pushes for government access to the source code and algorithms used by foreign companies.
Additionally, the data protection Bill includes a mandate to force all public and private entities that process Indians’ data — including foreign companies — to store a copy of all personal data in the country.
On a parallel track, the government has also sought to expand the state’s surveillance powers by issuing a notice at the end of last year empowering 10 government agencies to monitor, intercept, and collect data from any computer. It is argued that data is a personal asset and not a national asset.
Taking lessons from GDPR –
- The EU has taken the lead in ensuring consumer protection and consumer rights over data. The General Data Protection Regulation was formulated in 2016 and enforced in 2018.
- Under this law, the consumer is the sole owner of the data and the companies collecting data have the onus of informing the consumer about how the data is going to be used after suitable anonymisation and whether they share it with a third party.
- he consumer has the right to revoke any rights given to the company collecting the data and a right to data portability.
What should be done?
As we formulate our e-commerce policy and our norms around data, we must ensure that the core principles guiding regulation regarding data must be centred around the following:
- Notice: Data collectors should disclose their use and disclosure practices before they collect personal information from consumers.
- Choice: Consumers must be given options as to whether and how the personal information collected may be used for other than the original purpose for the data collection. Consumers should have data portability and should be allowed to take their personal data to another platform.
- Access: Consumers should be able to view and contest the accuracy and completeness of the data collected about them.
- Security: Data collectors should take reasonable steps to ensure information collected from consumers is accurate and secure from unauthorised use.
- Enforcement: There must be an efficient mechanism to enforce all the above.
Way forward –
- In a country like India where a large part of the population has minimal education but yet participates in the new digital economy, translating the above principles into practice is much harder. With that in mind, some more government involvement is called for.
- At the same time, the central theme of any new regulation must be to ensure that the ownership of the data rests with the individual.
The current draft regulation on the contrary seems to care most about restricting cross-border flow of data while paying lip-service to the idea of consumer rights over data.
Source – The Hindu Business Line