However, the 42-page document we’ve been given leaves a lot to be desired. It has used such broad brushstrokes that the unintended consequences will be significant. More importantly perhaps, many of the principles upon which its recommendations have been made are based on shaky foundations.
Take for example, the manner in which the draft e-commerce policy addresses the question of ownership of personal data. It starts out by stating that every individual has a right to their data—a position that no one can have a quarrel with. However, it goes on to say that just as individuals have rights to their data, the data of a group is also of value and, hence, should be treated as its collective property. This, it concludes, means that all data generated in India and all derivatives of that data should belong to Indians because data is a collective resource and a national asset that the government holds in trust for its citizens.
This approach to personal data is unprecedented and, even by the standards of Indian policymakers, unusually parochial. It implies that the Indian government does not trust its citizens to make the right choices about their personal data and that the state must therefore step in and manage it on their behalf. As a position, this is directly at odds with the recommendations of the Justice Srikrishna committee and the decision of the Supreme Court in its right to privacy judgement. Speaking for myself, I would much rather suffer the consequences of my own ineptitude than allow the state to take decisions about my personal data for me.
The policy uses many strange arguments to buttress its position. It calls data a societal commons and a national resource that must be made available for equitable access by all Indians. It claims that any access by non-Indians to this data needs to be negotiated in national interest—negotiations which the government will carry out on our behalf. It appropriates the cliché that data is the new oil but, rather than using it as it was intended to signify—that data, like oil, powers the economy—inexplicably twists the argument to state that data is a scarce national resource and, just like spectrum and oil, needs to be used in the country’s benefit.
Extending this line of thinking, the policy stipulates that data collected in India and stored abroad cannot be made available to anyone outside India, even with the consent of the data principal to whom it pertains. And that the Indian government must have access to this data at all times. This is a dangerous line of thinking in that it allows, in the guise of safeguarding the privacy of Indian citizens, the state to nationalize personal data.
There are serious shortcomings to this sort of approach. Personal data is not some subterranean mineral ore over which the state has eminent domain. Unlike coal, which the state has the right to mine regardless of the fact that the real estate under which the vein runs is owned by a private person, the state has no right to mine our personal data just because we are citizens of this country—however well-intentioned its reasons for doing so might be.
The policy also seems to proceed on a slightly misplaced understanding of how the various key technologies it refers to actually work. It assumes that it can give a fillip to Artificial Intelligence by simply requiring computational facilities like data centres and server farms to be located in India—not appreciating that what is needed is not raw data but annotated data-sets that machine learning algorithms can process in order to improve their prediction capabilities. It is perhaps because of this ill-informed appreciation of how AI works that it wistfully calls on the government to use AI tools in governance so that it can achieve predictive policymaking—whatever that means.
The policy proceeds under the assumption that all network effects are inherently bad because they offer first-mover advantages over all other aspiring competitors, not recognizing that while this might be true, this fact must be balanced against the unparalleled benefits that network effects offer to consumers. It requires all algorithms to be explicable, not appreciating that in many circumstances, there is a benefit to trading explainability for accuracy.
In general, the entire document seems unclear as to what it intends to address. It has a well-articulated chapter on its scope and objectives in which it establishes a frame of reference limited to e-commerce but then proceeds elsewhere to cover various other matters, including social media and intellectual property violation. It wanders into the tax domain by seeking to upturn the global moratorium on taxing the transfer of electronic goods across borders, clearly unaware of the consequences of opening that Pandora’s box of problems.
To call this policy a disappointment would be an understatement. Not only does it apply ham-fisted solutions to problems for which far more elegant solutions are available, it displays a fundamental lack of appreciation of the sector it is supposed to regulate. For a country widely recognized as a global leader in technology, this is nothing short of embarrassing.
Rahul Matthan is a partner at Trilegal and author of ‘Privacy 3.0: Unlocking Our Data Driven Future’.