The finance ministry has suggested that provisions on data protection be excluded from the national e-commerce policy, a government official said, on grounds that the issue is best handled by the IT ministry.

The e-commerce policy, being prepared by the department for promotion of industry and internal trade (DPIIT), was expected to contain guidelines on the use of personal data of customers and data generated by companies.

“The draft data protection bill, which is being dealt by the information technology (IT) ministry, is not restricted to e-commerce companies but is applicable for every industry and sector. It is best if the issue is not a part of the e-commerce policy," the official cited above said requesting anonymity.

The ministry of electronics and information technology (MeitY) is preparing a draft data protection bill, which will contain provisions to protect individual privacy.

The DPIIT issued the draft e-commerce policy in February and asked various ministries and stakeholders to send their comments by 29 March. According to the official cited above, the finance ministry has conveyed its reservations through its comments.

The policy is expected to be finalized once a new government takes office. The policy draft aims to develop a regulatory and legal framework to ensure consumer protection, data privacy and a level playing field for all. The policy should focus on fair competition and equal opportunities for all players, the official cited above said. “It should look at data from the point of view of ‘competition’ and should list provisions such that data is not used to influence prices and there is a level playing field for all sellers. One seller should not get an advantage over the other by misusing data," the official said.

The draft says, among others, that data collected within India belongs to the citizens and should be used for the nation’s development, and such data generated by e-commerce platforms, social media and search engines should reside within the country. It also says that if an entity collects or processes any sensitive data in India and stores it on an overseas server, then “all such data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer consent". Besides, data should not be made available to a third party, including a foreign government, even with customer consent. However, if required, the Indian government may seek access to data stored abroad. There is no restriction on cross-border flow of data if it is not collected in India.

The policy has also proposed to develop a framework for “sharing community data that serves larger public interest with startups and firms", a move that is expected to break the monopoly of few technology giants that creates a barrier for new entrants. “While data is an invaluable resource, abuse of data is a major threat to the privacy of users, fair competition in the market, rights of marginalized sections of society, the sustainability of MSMEs and startups and regulatory space and security of countries. The national e-commerce policy establishes strategies, which protects misuse of data while maintaining the spirit of existing regulations," the draft policy says.

“The draft e-commerce policy and the data protection bill, both deal with similar issues pertaining to data privacy and protection and therefore, there should not be conflicting provisions under different rules under different legislations. If it is not taken care appropriately, then when both become a policy and a law, respectively, there could be a possibility of overlap and different interpretations," said Atul Pandey, partner at Khaitan & Co.

The industry has opposed rules pertaining to handling of data and wants the DPIIT to tweak the proposed norms as it believes aggregate data should belong to the companies and should not be accessed by the citizens or the government.

According to Sachin Taparia, founder of LocalCircles, a platform for startups and SMEs, the policy should be split into two parts and should be named trade and business data policy as the proposed policy will have an impact on social media platforms, technology firms and e-commerce companies.