National e-commerce policy to lay down terms for treatment of non-personal, commercial data

Department for Promotion of Industry and Internal Trade (DPIIT) holding stakeholder consultations on the issue, says the official

The new e-commerce policy being drafted by the government is likely to lay down how non-personal data such as commercial data held by e-commerce companies, anonymised data and community data are to be treated in terms of their location and processing.

“We have started stakeholder consultations on how to treat non-personal data. It is a highly sensitive matter as different stakeholders have different views on it. For instance, Nasscom has its set of opinions, while industry body CII has its own views. There are also various studies done on the subject. All these will be examined one by one," Guruprasad Mohapatra, Secretary, Department of Policy for Industry and Internal Trade told BusinessLine.

The Ministry of Electronics and Information Technology (MeitY), while working on the Personal Data Bill, had made a separate committee comprising IT experts and officials from key Ministries to look at whether there should be a free flow of non-personal and anonymised data across borders or it should be localised.

While the Personal Data Bill 2018 was recently cleared by the Union Cabinet and will soon be placed before Parliament, a number of loose ends still need to be tied for non-personal data.

“We will try to see that the e-commerce policy is finalised soon. This (treatment of non-personal data) is the only sensitivity which has to be worked out,” Mohapatra said.

Multinational corporations such as Amazon, Uber and Google hold a lot of anonymised data in India that are commercial in nature and most want to store the data outside the country and also process it there. The US government, too, has been lobbying hard with India for a free flow of data.

Many in the domestic industry, however, argue that localising data will not only ensure absolute security of data but also create jobs within the country as domestic servers have to be used for storing it.

As per the draft Personal Data Protection Bill approved by the Cabinet, personal data classified as sensitive such as information on financial matters, sexual orientation, health, biometrics, genetics, transgender status and religious or political beliefs and affiliation cannot be stored by public and private entities outside the country but can be processed outside with the consent of the data person.

Critical personal data, to be defined from time to time by the government but mostly related to security and defence matters, will have to be mandatorily processed and stored in the country. However, general data, which will fall outside the purview of sensitive and critical, can be both processed and stored outside the country.

In June this year, Commerce Minister Piyush Goyal had said that an institutional framework would be put in place to bring out a national e-commerce policy within twelve months. He also said that India wanted to engage with the world on data and e-commerce issues, but there has to be reciprocity.