Instead of the extreme steps proposed by a new policy, the government should consider a pragmatic and flexible arrangement to address the concerns on protection of sensitive data
With the increasing penetration of the internet, a surging middle class and a focus on customer convenience and affordable pricing, online retail commerce in India has grown at a phenomenal 70 per cent during the last five years, reaching about US $40 billion during 2017. This is projected to increase five-fold to US $200 billion by 2026.
Much of the growth has been driven by foreign majors such as Amazon, Walmart/Flipkart and so on under a policy notified in 2016-17 which allowed 100 per cent foreign direct investment (FDI) in the marketplace model of e-commerce.
The marketplace is an electronic platform on which vendors sell their products to consumers. The platform owner can only provide support services viz. warehousing, logistics, order fulfillment and so on to the vendor but not undertake direct selling. Vide a circular dated December 26, 2018, it was further clarified that the owner [or its group company] can neither hold equity nor control the inventory of the vendor.
In the process of conducting their businesses, these companies generate data of millions of customers. Advanced techniques such as Artificial Intelligence (AI), data analytics, cloud computing and more can be used to track consumer behavior/history and target potential consumers with customised marketing content. The data may also be susceptible to misuse and raises privacy concerns.
In this backdrop, a draft policy on e-commerce, put up by the Department for Promotion of Industry and Internal Trade (DPIIT) for public comments, focusses on protection of such data, restrictions on its cross-border movement and sharing of ‘sensitive’ data with third parties (including foreign governments) even when the consumer consents to such storage. The policy requires foreign companies to set up domestic data storage; mandatorily register their business locally and have a representative; and give the government access to source code and algorithms of AI systems.
The draft proposes continuation of the extant policy on FDI in market-place and stresses the need for giving small traders and retailers access to these platforms and ensuring that they run in a ‘transparent’ and ‘non-discriminatory’ manner. It moots setting up of e-consumer courts to consider and redress grievances. It suggests taxation of electronic transactions.
It does not recommend setting up of a regulator for the e-commerce sector; instead, a standing group of secretaries is mandated to address the regulatory issues.
The policy needs to be evaluated on three main planks viz. (i) promoting businesses to catapult the Indian economy to a high growth trajectory; (ii) protecting the fundamental rights of citizens to privacy; (iii) safeguarding national security.
Even as the policy is expected to strike a fine balance between the three objectives, looking at the proposals, one gets a sense that there is disproportionate emphasis on protection of the data. Indeed, this is being pushed to a point whereby this might even stifle innovation, discourage foreign investment and affect growth.
The requirement for foreign players to mandatorily register the entity locally and have a representative in India will dissuade them from investing here as the cost and hassles of running businesses and meeting regulatory requirements increase. The insistence on having their physical presence locally is out of sync with the underlying philosophy of digital transactions germane to e-commerce.
Similarly, the cost and hassles associated with asking foreign companies to set up a server/data collection centre have to be weighed against the objective of preventing misuse and minimising security risk. The insistence on access to source code and algorithms of AI systems appears to be too stringent a requirement which is bound to be resisted by the foreign majors.
Instead of going for such extreme steps, the government may consider a ‘pragmatic’ and ‘flexible’ arrangement to address the concerns on protection of ‘sensitive’ data. Its approach should be one of risk assessment, identification of misuse and timely pre-emptive action taken in collaboration with the foreign companies. The latter should extend full cooperation to the former.
Let it be understood in unambiguous terms that merely by taking possession of the ‘data key’ (read: source code and algorithms of AI systems), the state agencies won't get anywhere. So, it can let the key remain with the company which should ensure that all necessary measures are in place to protect the data and address security concerns. If need be, penalty may be imposed for non-compliance. There is an urgent need to set up a regulator.
This approach guided by the philosophy of mutual trust and accommodation will also help in capturing all the digital transactions needed for garnering tax revenue — indirect and direct — from the vendors as well as the market-place owner.
There are loopholes in the extant policy on FDI in e-commerce market-place which are being exploited by foreign majors to get into direct selling. The December 26, 2018 circular has not helped much. In a scenario of their being completely barred from B2C on ground zero (unlikely as we don’t even have a regulator), they would simply pack up. So, the way forward is to allow 100 per cent FDI in retail in both ‘online’ and ‘offline’ — without any riders. This will create a level playing field and benefit all stakeholders including small traders and retailers. The government needs to rehash the policy draft shunning its overly rigid and protectionist stance and instead build on ‘flexibility’ and ‘trust’ to maximise the deliverables.
(Gupta is a policy analyst)