The draft e‑commerce policy starts off with the subtitle ​“India’s data for India’s development.” This line while summarising the approach of the policy, is also a good starting point to identify some of the high-level problems with the policy.

The policy lays out a broad agenda for the treatment of data as a resource to be extracted in the service of an unspecified manner of development of the country, instead of an agenda to regulate entities that are traditionally understood as ​“e‑commerce” companies. In the name of enabling the country to benefit from rapid digitalization of the economy, the policy enables large scale extraction of data, while imagining frameworks like that of data protection to be models that legitimise such extraction instead of protecting against them.

What the policy ignores is that the new service sectors and subsectors that have developed as a result of new business models, which the policy favours, are also responsible for extreme asymmetries in power between users of these services and the companies collecting them. These business models thrive on an ecosystem where the extraction of data from people is done without there being a baseline understanding of what happens to their data, and the kind of value created with that data. The policy makes a naïve or disingenuous assumption that value accumulation to Indian e‑commerce and other companies translates to value for all Indian users. What it in fact does is provide companies with ways of monetising the data of individuals, entrenching practices of precision marketing, targeted advertisements and credit worthiness assessments.

More detailed comments are as follows:

• The policy claims to streamline the protection of data for users, while actually it streamlines extraction of data by introducing standardisation in data collection. Streamlining access to data, which the policy explicitly encourages, might allow a slightly better level of competition for domestic firms to compete amongst each other and with some of the dominant American firms, but it vastly disempowers people who are nowhere in the conversation about sharing in the value of the products created with their data, by legitimising and encouraging the extraction of their personal data.

• The policy draws into its sweep a broad number of actors as e‑commerce players, going beyond what might traditionally be considered the mandate of such a policy, in the process making the rights of India’s citizens wholly subservient to the economic interests of large businesses and the State.

• The very factors that the policy problematises — capital dumping by enterprises with deep pockets to finance sustained selling at losses — is not very different from the framework proposed by the policy, with the difference that in the proposed scenario, it would be large domestic firms who will be the benefactors of data accumulation, instead of the status quo of large foreign firms.

• The policy confuses and conflates the idea of data owned by the State or by Indian corporations with a broader understanding of ownership that might reside with individuals. For example,

Data about a group of individuals and derivatives from it is thus the collective property of the group. Thus, the data that is generated in India belongs to Indians as do the derivatives there from.

It is noteworthy that the policy considers not just the data about a group of individuals but also the derivatives from it. However, very quickly, this idea of collective property is posited to accrue to ​“Indians,” while meaning Indian firms or the State institutions. The implications of such derivatives accruing to such entities is vastly different from the property accruing to communities — whether pre-existing or emergent from the act of contributing to the datasets.

• The framework also envisages the sharing of ​“community data that serves larger public interest”, here understood to be either anonymised data of Indian users or non-personal data collected in India, with private firms. This is different from the kind of decision-making abilities that community-owned data might facilitate, which the policy does not dwell on. A good parallel to draw is the stewardship of land by forest dwelling communities as opposed to state controlled and private company-acquired lands that might be put to uses that don’t necessarily align with community needs.

The examples presented in Appendix III do not locate such sovereignty with the nation state, but with communities (of indigenuous peoples, in the case of the Maori Data Sovereignty Network and the case of the first peoples of Canada.)

• The idea of sovereignty that emerges from this policy is one that prioritises State interests over the interest of the people. It is evident from the discontent around how other resources like land and minerals are treated in the country that it is not unproblematic that data is treated as a national resource to be ​“exploited.” The idea of a commons is different from the idea of state control.

• Aadhaar, e‑KYC, Goods and Services Tax Network and Bharat Interface for Money are all examples where the citizen is disempowered while allowing for private corporations and the State to gain large amount of power. For example, the transaction data from UPI is set to facilitate credit scoring mechanisms but not really offer an alternative model for data ownership by communities.1 It is unclear how any of the above examples empower the citizen. In fact, the same are striking examples of facilitating large scale bad faith consent violations (see Airtel Payments Bank incident) with problems of institutional accountability when it comes to UIDAI or NCPI.

• We agree with the policy that the issue is not merely one of privacy. We have argued in the past also, along with others, that privacy and data protection frameworks are not sufficient to capture the different issues that come from this scale of digitisation.

• That data generated by users in India, including in social media platforms and search engines, is systematically chanelled for vague public policy purposes is alarming. Even in the past, initiatives like the Social Media Surveillance Hubs have been opposed. While that was opposed on the grounds of its violation of civil and political rights, the economic value of data generated by IoT devices and internet activity cannot be considered? counted in isolation of the severe compromise to civil and political rights.

• Using ​“AI tools” and ​“predictive approach to policy making” does not have any guarantees against unjust or unfair kinds of policies. In fact, in the absence of public access and transparency around the algorithms and the datasets used for these purposes, this proposition is rather dangerous.