The draft national e-commerce policy argues that the personal data of Indians should be treated as a “national asset”. It pushes for government access to the source code and algorithms used by foreign companies.

Additionally, the data protection Bill includes a mandate to force all public and private entities that process Indians’ data — including foreign companies — to store a copy of all personal data in the country.

On a parallel track, the government has also sought to expand the state’s surveillance powers by issuing a notice at the end of last year empowering 10 government agencies to monitor, intercept, and collect data from any computer.

We first argue that data is a personal asset and not a national asset. The EU has taken the lead in ensuring consumer protection and consumer rights over data. The General Data Protection Regulation was formulated in 2016 and enforced in 2018.

This is arguably the most comprehensive law on data protection existing in the world today. Under this law, the consumer is the sole owner of the data and the companies collecting data have the onus of informing the consumer about how the data is going to be used after suitable pseudonymization/anonymization and whether they share it with a third party. The consumer has the right to revoke any rights given to the company collecting the data and a right to data portability.

As we formulate our e-commerce policy and our norms around data, we must ensure that the core principles guiding regulation regarding data must be centred around the following:

Notice : Data collectors should disclose their use and disclosure practices before they collect personal information from consumers.

Choice: Consumers must be given options as to whether and how the personal information collected may be used for other than the original purpose for the data collection. Consumers should have data portability and should be allowed to take their personal data to another platform.

Access: Consumers should be able to view and contest the accuracy and completeness of the data collected about them.

Security: Data collectors should take reasonable steps to ensure information collected from consumers is accurate and secure from unauthorised use.

Enforcement: There must be an efficient mechanism to enforce all the above.

In a country like India where a large part of the population has minimal education but yet participates in the new digital economy, translating the above principles into practice is much harder. With that in mind, some more government involvement is called for.

At the same time, the central theme of any new regulation must be to ensure that the ownership of the data rests with the individual. The current draft regulation on the contrary seems to care most about restricting cross-border flow of data while paying lip-service to the idea of consumer rights over data.

Data that has been appropriately ‘pseudonymized/anonymized’ after individual owners have allowed for itsgreater use, can be made available as a public good for common use on fair and non-discriminatory terms.

Data generated by users on e-commerce platforms is currently managed by the platform under its own rules of whom to share with. There is clear need to democratise the process of data sharing and allow all stakeholders to access relevant data.

While it may be better for data to be stored within the country than with a foreign government controlling its use, data housing should not transform into data ownership by the governments. Data is indeed a common resource which needs a regulatory authority to ensure fair access for all market participants but this should not devolve into the regulator becoming the owner of the data.

For free and fair markets, everyone must have equal access to data. The government’s role must be in ensuring the free and fair access to data and at the same time protecting the rights of the individual.

Data generated by consumers which is being used for commercial purposes by e-commerce entities must be available to vendors on the platform and also to potential entrants. The consumer must first give an informed consent for the use of such data.

An e-commerce platform is in the best position to monitor market demand and trends. If the platform is also a supplier on its own platform, then as a supplier it can pick the best products to focus on. This makes the other vendors’ situation very precarious because if they have a product that sells very well, the in-house production is likely to replicate that same product and become a competitor.

This not only harms competition but is also detrimental to consumer surplus in the long run. The control of data collected on the platform by the e-commerce entity additionally gives the platform a knowledge advantage a newcomer cannot easily surmount.

At the same time, data makes it more likely that users of the platform prefer to stay with the platform rather than switch to another platform. At any different platform the experience will not be as good as in the current one due to the other platform’s lack of individual level data. Again this not only harms competition today but is also detrimental to consumer surplus in the long run.

D’Souza is Director and Professor of Economics and Dev is Professor of Economics at IIM-Ahmedabad. The views are personal

comment COMMENT NOW