An important issue for the e-commerce sector in preparing for the new Indian law will be to recognize that data is not solely the concern of privacy regulators. Competition and consumer regulatory issues are also being raised in relation to processing personal and other data.
- By Anne Petterd
India is in the process of enacting the Personal Data Protection Bill 2019 to provide cross-sectoral regulation of personal data. E-commerce operators, like other businesses, will be reviewing their data management practices to comply with the new laws. They need not start from scratch. Good lessons can be drawn from experiences in implementing the General Data Protection Regulation in Europe, as well as other new regimes. It is also critical to look to the future, with all its uncertainties, to anticipate how personal data regulation will address tools used by e-commerce, such as data profiling and new obligations, such as data portability.
Today’s e-commerce operators seek a relationship with their users. They want users to set up accounts, receive tailored offers, earn loyalty points, post comments, and utilise ever-evolving features. Through these activities, e-commerce operators are processing significant personal data. They can apply data analytics to profile individuals and predict behaviour and preferences allowing for more targeted offerings. However, this extensive use of personal data is not risk-free.
Misuse of personal data, such as failing to keep it secure, exposes individuals to data theft and fraud. Questions also arise about whether businesses are being sufficiently transparent in how they use personal data, particularly for activities like profiling. Data protection regulations, like the new Indian law, guide businesses in the responsible use of personal data.
Navigating through the new law on data
In navigating the new Indian law, e-commerce businesses will need a strategy to deal with uncertainty on several fronts. No doubt, the new law will raise its fair share of interpretation questions. Businesses will be particularly concerned to clarify issues with an impact on cost, triggering a system change or requiring different practices in India compared to other jurisdictions.
Uncertainty will also exist when an e-commerce operator seeks to do something new in attempting to attract users. For example, the compliance measures needed for Europe’s General Data Protection Regulation, mean that many e-commerce businesses now have well-developed mechanisms to assess the personal data regulatory issues raised by new product features. Despite this, the regulatory assessment may still lack certainty for a novel new use, so a risk-based assessment could be required to decide whether to proceed.
Uncertainty will also exist because the world is only at the start of the data revolution. For instance, two of the most significant developing issues relevant to e-commerce, are data portability, and profiling (whether or not utilising artificial intelligence). The proposed Indian law contains a data portability concept, as does the European regulation. In an e-commerce setting, a customer might require a business to port the customer’s spending history including loyalty points’ details to a new business to take advantage of an offer from that new business.
Strategizing for developing regulatory issues
Based on experiences elsewhere, considerable assessment of how data portability will operate in practice may be required to effectively implement the Indian data portability regime. Singapore’s regulator has engaged in extensive consultation on issues such as defining the data to be ported, exclusions from the obligations, protection of commercially sensitive data, and workable technical requirements. Australia has taken a different industry-specific consumer data rights approach that is being progressively rolled out, with delays due to implementation difficulties. These experiences illustrate that developing a data portability regulatory regime can be challenging and must weigh the interests of several stakeholders.
E-commerce businesses that want to use profiling must also consider how they will be affected by regulatory intervention. Concerns raised about profiling include questions about reliability, bias, and non-transparent practices. Several regulators have issued frameworks for applying artificial intelligence or profiling to personal data. Some jurisdictions are restricting profiling activity. For example, the proposed Indian law restricts certain profiling, tracking, or targeting advertising at children through online services. E-commerce operators will want to keep an eye on the development of more extensive regulation of profiling.
An important issue for e-commerce in preparing for the new Indian law will be to recognize that data is not solely the concern of privacy regulators. Competition and consumer regulatory issues are also being raised in relation to processing personal and other data.
In India, the proposed development of non-personal data legislation will additionally raise considerations for e-commerce. The proposed framework to govern the use of such data would regulate issues such as data sharing. Previously a threshold question was — is it personal data and regulated, or not regulated at all? E-commerce businesses might for example anonymise personal data so that the resulting data set was still useable, but outside the personal data regulatory regime. A non-personal data regime could change the threshold question to: which regulatory regime applies — the regime for personal data or non-personal data?
Given the significant uncertainties for data regulation going forward, the e-commerce businesses that effectively navigate these uncertainties will likely come out ahead. The certainty is that utilising data will continue to be critical to e-commerce.
Anne Petterd is the Partner at Baker McKenzie Australia. Views expressed are the author’s own.