The Centre is trying to expedite work on the fresh draft of the national e-commerce policy, which proposes a regulator to deal with ‘unique’ aspects of e-commerce activities and seeks to impose strict rules on data flow in line with ones already being carved out for handling of personal data and non-personal data in the country.
“It is work in progress. Our consultations are still on. Once we are ready, we will put up the fresh draft of the e-commerce policy in the public domain for comments. The new draft retains many components of the old one,” a government official told BusinessLine .
The new draft being finalised by the Department for Promotion of Industry and Internal Trade (DPIIT) is being awaited by e-commerce companies, such as Amazon and Flipkart, which want more clarity about the future on the policy front, as well as brick-and-mortar retailers wanting the government to tighten regulatory framework for e-commerce players. The proposed draft suggests that treatment of personal data emanating from e-commerce should abide by relevant regulations (Personal Data Protection Bill, 2019) as and when such regulations are adopted. Non-personal data should be addressed by the regulatory framework that is being put in place by the Non-Personal Data Committee of the Ministry of Electronics and Information Technology.
Localisation of data
The draft under discussion also recognises that certain types of data may need mirroring or localisation in accordance with the provisions of the Information Technology Act, 2000 as well as any future legislation on personal and non-personal data governance.
Such categories of e-commerce that would require mirroring or localisation may be defined by the government, in consultation with relevant stakeholders. Localisation of data means that the data generated in the country stays within the country while mirroring means that data has to be copied from one location to a storage device in real time.
In case of suspected data breaches, e-commerce entities may need to ensure that all request for information made by law enforcement agencies are complied with within such time as indicated by the such agency but not later than 72 hours (as mentioned in Personal Data Protection Bill).
In order to deal with novel matters that may arise with the rapid evolution of online business, appropriate legislation is required to provide regulatory framework for governing unique aspects of e-commerce, the proposed draft suggests.
Specifically, such legislation will ensure fair competition, consumer protection (to the extent not covered by Consumer Protection Act) and handling of e-commerce related data issues.