With Walmart-Flipkart deal Indian ecommerce sector to witness increase in cross-border data transfer

With the acquisition, according to Flipkart’s policy, the ecommerce firm relinquishes all consumer data to Walmart, thus opening up the whole data privacy debate once again in recent times.

The Walmart-Flipkart deal, the biggest in India’s ecommerce sector so far, has thrown up a few pertinent questions on data and privacy of around 100 million Indian online shoppers. With the two large e-tailers Amazon and Flipkart (to be brought under Walmart as a subsidiary) controlling a whopping 75 percent of the market, the data of a significant number of shoppers will now be subject to cross-border flow.

Concerns of data security came to light recently when the Confederation of All India Traders (CAIT) recently said that it might approach regulatory bodies to seek redressal of issues like FDI policy, data security, competition, unfair practices etc., which the deal could throw up.

What do the companies say?

According to Amazon India’s privacy policy, any personal information provided to or gathered by Amazon Seller Services Private Limited is being stored and controlled by Amazon Media EU SARL (the data controller), at 5 Rue Plaetis, L-2338, Luxembourg.

As to what Flipkart would do post its acquisition by US-based Walmart, Flipkart’s privacy policy states – “We (Flipkart) and our affiliates will share / sell some or all of your personal information with another business entity should we (or our assets) plan to merge with, or be acquired by that business entity, or re-organization, amalgamation, restructuring of business. Should such a transaction occur that other business entity (or the new combined entity) will be required to follow this privacy policy with respect to your personal information.”

Similarly, a close look at Walmart India’s privacy policy would reveal that the retail giant stores and processes consumer data across the globe. The relevant paragraph of the privacy policy reads: “As a global company, Walmart’s companies have separate privacy policies for their international offices. Personal information about our customers may be processed and stored in India or the United States or any other country in which Walmart or our service providers maintain facilities. Globally, Walmart requires our family of companies to protect your personal information, regardless of where it is stored, in accordance with local laws and our policies.”

As cross-border trade increases more sellers across the border might need more data of Indian buyers. Both eBay India (hitherto with Flipkart) and Amazon indulge in cross-border trade. The spurt in cross-border trade might boost a two-way flow of data from in and out of the country.

But will consumers be happy with transfer and use of their data when companies change hands and ownership? “That is an important issue here. When people sign up to a service, they do it on the basis of understanding between that company and themselves. Now if that company is getting acquired by someone else, there is a possibility that the consumers might not be comfortable with the new owner of the said company. Then, as a consumer, can I object to my data being part of the acquisition, and opt out,” asks Pranesh Prakash, an Affiliated Fellow at Yale Law School's Information Society Project.

And what happens if a large number of consumers exercise their right to opt out? “Wouldn't the value of the acquisition diminish? Can the acquiring company then decide to re-value the deal, and opt to acquire at a lower price? Right now, apart from an ineffectual regulation under the Information Technology Act, we in India don't have a data protection law. So there is no law that covers personal data during mergers and acquisitions. In the absence of such a law, an acquiring company gains access not only to tangible property but also all the intangible property held by the acquired company, including personal data, and that too without the data subjects' (consumers) explicit consent,” Pranesh adds.

In today’s world, whoever controls data and digital intelligence gains an upper hand in retail business. And whoever gets control of these big marketplaces will also control and process these data to their advantage. This might pose greater ramifications for India’s retail trade and smaller retailers and sellers.

He further noted that the “Justice BN Srikrishna Committee has been tasked with bringing out a data protection framework for India. While cross-border transfer of data is an issue that will likely be covered by the committee, this issue regarding mergers and acquisitions and the potential obligation to seek renewed consent of the data subjects is sadly not covered in the whitepaper they brought out in November 2017."

As per the white paper, cross-border data transfer is a broad concept that involves international cooperation in data processing, storage, retrieval and transmission across borders.

Taking a dig at the current situation of ecommerce sector in India, Kunal Bahl, Co-founder of Snapdeal, recently wrote, “The US retailers who are here and the Chinese ones in waiting are all eyeing this same pot of gold (ecommerce sector). A similar rush was witnessed in the 17th, 18th and 19th centuries when various European powers, including the Portuguese, Dutch and the English, raced to forge local alliances, secure resources and carve out India amongst themselves. It took us a couple of centuries to gain back our country and gradually reclaim our rightful space amongst the leading powers of the world.”

On the topic of flouting of FDI norms, he wrote on his LinkedIn page, “It is commonly understood and widely reported that many such marketplaces are thinly disguised inventory operations, especially in the high demand, high value segments like mobiles, laptops, TVs, home appliances, kitchen appliances, branded fashion etc.

“The violations of the existing policy are creating disquiet amongst India’s small enterprises. Entry of new players will accelerate the erosion of space for such sellers. Grocery is slated to be the next price war frontier, bruising and decimating millions of small, neighbourhood retail operations,” noted Bahl.

But not everyone feels the need to panic yet and instead advocate increased awareness on the customer’s part. Nikhil Narendran, Partner, Telecom, Media & Technology (TMT) Practice of Trilegal, said, “There is no harm of data getting transferred outside of the country, per se. If other countries have problems of their data going to India, then India wouldn’t have IT business. These companies store and process the data for bettering their services. Data travelling outside of country is a scare being created absolutely for no reason. The issue one needs to worry about, rather, is for what purpose the company uses the data. The question is not about where it is stored and processed, but what it is used for. Another important point is also how to make sure that customers know what are they signing up for – something they should fully understand before signing up.”