Home Blogs India’s national policy on e-commerce and personal data protection bill – Implications...

India’s national policy on e-commerce and personal data protection bill – Implications for geospatial and location technologies

e-commerce and Personal Data Protection Bill – Implications on geospatial and location technologiesThere is a small wildfire that is yet to spread wider. After the unsuccessful attempts of government with respect to geospatial information regulation that happened during 2016-2017, they seem to be a re-attempt again from some officials in the government.

Hindustan Times published a news “Geospatial data too may be regulated by data protection bill: Officials”. An anonymous official can be seen making a new argument that geospatial information regulation has an overlap with the Justice BN Srikrishna-led committee report on – Digital Economy and Protecting Privacy which now can be seen as the Personal Data Protection bill, 2018. Added to this the National Policy on e-commerce in India also points towards bringing in geospatial and location information within their policy ambits.

This might seem to be too inconsequential, but it is important that the mapping and geospatial community stakeholders spend the time to understand what each of these separate policies is talking about location and geospatial technologies.

The Personal Data Protection bill is similar to the lines of GDPR, but there is no specific mention of geospatial and location data here.

However, the first version of the draft e-commerce policy has some very open interpretations with respect to spatial data.

Here is how National Policy on e-commerce brings geospatial under its umbrella

As per the policy, “All community data collected by Internet of Things (IoT) devices in public spaces are to be stored exclusively in India and sharing of such data within the country is proposed to be regulated.”

Let us break down this into the collection, storage and sharing aspects, which is generally done as part of geospatial information creation and management.

Collection of geospatial data:

  • If we consider geospatial data, it can be seen as community data, because no one solely owns it and no one person or company creates it in entirety.
  • With changing times, GNSS technologies and other sensing technologies are becoming part of the larger IoT community. In that sense, any sensing technology that can be used to create geospatial data can be loosely brought or used under this term of IoT.
  • Especially geospatial data is collected in public spaces like roads etc. during surveying and mapping of infrastructure etc. This again can mean that geospatial data collection can or may fall under this policy, depending on interpretation or argument.

Storage of geospatial data:

  • If such data collected in public spaces with the so-called IoT sensors falls under this policy, storage of the data will also fall under this.
  • If we look at the changing technology landscape, previously we used to collect, store, process and re-store geospatial data on physical computers. With the advent in server technologies, we started storing data back-ups on servers located remotely. Further with the onset of Cloud, the data is stored or even processed on the Cloud. And the service providers don’t always have Cloud platforms hosted in India.

Sharing of geospatial data:

  • Under this policy framework, any geospatial data collected in public spaces can be stored on servers or Cloud hosted out of India now may start to fall
  • Especially on the delivery side with the advent of Content Delivery Networks (CDNs), the data is replicated across multiple servers and this becomes a key challenge as data fluidly moves across countries, depending on the end-user location.

What is the impact on (personal) location data collected by numerous services?

Similarly, location technologies are now predominant in our mobiles. Android and iOS devices are continuously collecting and storing, processing and developing value-added analytics on top of this data. Hundreds of popular apps for maps, travel, fitness etc. track user movements and behaviors. Such data is continuously collected, transferred cross-borders and is stored outside India. Such location sensitive data falls under the privacy policy and cross-border data transfer aspects.

What could be the implications of these policies together?

The data localization aspect being pushed by the government as part of Data Protection Bill and RBI as part of the e-commerce bill could have implications for online mapping and location services also. This is because these services collect and transfer data out of India.

Some examples of the very popular services used in India are:

  1. Uber, that continuously collects location information in India, while this data is stored and processed cross-border.
  2. Google collects users’ location information and combines it with various other Google services and doing business. All this data again is stored and processed out of India.
  3. Similarly, hundreds of such services like logistics (Amazon), health tracking apps (Fitbit) etc. collect data that has a location component.

Looking at these aspects, it is can be left to any one’s interpretation that both data protection and e-commerce policies will try to regulate geospatial and location data companies. This can become critical if left to open interpretations, whims, and fancies of policy and decision makers as it often happens in India, leading to possible economic, business and legal implications.

A further assessment needs to be made by the geospatial community and industry organizations to ensure that the use of geospatial and location data and technologies doesn’t get hindered.

Suggested Read

Why India needs a geospatial strategy?