The draft national e-commerce policy, to be released soon, has called for creating a legal and technological framework for imposing restrictions on cross-border data flow from specified sources such as data generated by users in India by various sources including e-retail platforms and social media tools.
It has also suggested steps including fixing a three year time period to for industry to adjust to the data storage requirement of the country with a view to develop infrastructure for promoting digital economy.
The draft, accessed by
The legal and technological framework would also provide a basis for sharing the data collected by IoT devices with domestic entities for use in research and development for public policy purposes. “A legal and technological framework to be created that can provide the basis for imposing restrictions on cross-border data flow from...specified sources — data collected by IoT devices installed in public space, and data generated by users in India by various sources, including e-commerce platforms, social media, search engines etc,” according to the draft policy.
Time frame
A business entity that collects or processes any sensitive data in India and stores it abroad shall be required to adhere to certain conditions like all data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer consent, it said.
All such data stored abroad shall not be made available to a third party, for any purpose, even if the customer gives his consent, and also it shall not be made available to a foreign government, without the prior permission of Indian authorities.
A request from Indian authorities to have access to all such data stored abroad, shall be complied with immediately and any violation of the conditions shall face consequences to be formulated by the government, the draft policy mentioned.
“It is almost a cliché today that data is the new oil. Unlike in the case of oil, data flows freely across borders. It can be stored or processed abroad and the processor can appropriate all the value. Therefore, India’s data should be used for the country’s development, Indian citizens and companies should get the economic benefits from the monetisation of data,” it said.
“Creation of infrastructure for storage would take some time. A time frame would be put in place for the transition to data storage within the country. A period of three years would be given to allow industry to adjust to the data storage requirement. Certainty about the intent and direction of government policy is important to maximize private investment in this sector,” it said.
Restricting data flow
The draft also said that restrictions on cross-border flows of data shall not apply to data that is not collected in India, B2B data sent to India as part of a commercial contract between a business entity located outside India and an Indian business entity, software and cloud computing services involving technology-related data flows.
It added that suitable framework will be developed for sharing of community data that serves larger public interest (subject to addressing privacy-related issues) with start-ups and firms. “The larger public interest or public good is an evolving concept. The implementation of this shall be undertaken by a ‘data authority’ to be established for this purpose,” it said.
Further it added that the the policy acknowledges the importance of data as an asset and identifies the means to protect data generated in India, enhance data security, prevent violation of privacy and create domestic standards for devices which are used to store, process and access data.