India Tries to Capture the Value of Consumer Data for E-Commerce and the Internet of Things

After almost four years of the largest and most ambitious effort in history to transform a nation with technology, India is looking ahead to protecting the data that it is generating.  Given that India is projected to have the largest population in the world by around 2024[1] and that the median age then will still be below 30 (see chart), capturing the prospective value of data from e-commerce and the Internet of Things is an understandable government priority.  The way in which India is prepared to do it, though, may have implications for the efforts of other governments to capture the value of consumer data.

India’s Department for Promotion of Industry and International Trade (DPIIT) published a draft national e-Commerce Policy on February 23rd. The Policy’s goal is to keep data generated by Indian users within India to spur domestic digital entrepreneurship, while preserving data flows for other business uses. Therefore, the Policy’s restrictions would apply to 1) data collected by IoT devices that monitor public areas and 2) e-commerce (e.g. social media and search engines) data generated by users in India. To preserve other business data uses, the Policy would not restrict most data not generated by consumers, such as multinational corporations moving data across borders for largely internal purposes and software and cloud computing data that have “no personal or community implications.”

The proposed restrictions (which may better viewed as hopes and dreams of someone with a certain perspective on the value of data and the role of government) on data collected in India but stored abroad are that a business:

  1. may not share the data with other businesses or third parties even with user consent;
  2. may not make the data available to a foreign authority; and
  3. must immediately provide the data to the Indian government if requested.

The driver of these rules is the belief that Indian control over Indian consumer data will make India a hub of innovation rather than a spoke of outsourced data processing: 

Without having access to the huge trove of data that would be generated within India, the possibility of Indian business entities creating high value digital products would be almost nil. Domestic technology companies would be merely processing outsourced data work.

Restrictions on the data are not justified on national security or “cyber-sovereignty” grounds as in China, and certainly not on data protection or privacy grounds as in Europe.  Privacy interests and the parallel Personal Data Protection Bill now under consideration in India are cross-referenced frequently by the Policy, but the Policy notes that it addresses issues of “far wider reach.”

The Policy states that companies would have three years to “adjust to the data storage requirement.” All e-commerce sites and apps available for download in India must have a registered entity in the country, restricting foreign entities from offering digital services in India. The Policy calls for further domestic IoT regulation focused on “consumer protection, secured transactions, and ease-of-use interface.”

What becomes of this draft Policy may tell us a lot about the future not so much of data localization as the future of governmental control over the value of data.  This assertion of governmental control is to be expected as data comes to be recognized as one of the fundamental issues of international trade. 


Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their