It’s a curious situation, but even as 2019 winds down to its eventual close, India is missing a few critical elements whose absence is inexplicable.

For a country that boasts a $16 billion-plus e-commerce unicorn like Flipkart, there still isn’t an e-commerce policy.

While there has already been talk of a potential 5G spectrum auction and potentially barring companies from spectrum trials, there’s still uncertainty about which spectrum band will be used.

And, perhaps most disconcertingly, Indians still have little protection against the non-consensual collection of personal data or even the misuse of consensually provided data.

All of these policies are in the works. Some further along than others. Their outcomes will have far-reaching impacts on India’s tech and business ecosystem, determining the winners and losers of tomorrow from the many challengers standing today.

Of course, with such stakes at play, there’s a considerable amount of lobbying. Departments pitted against each other. Foreign players versus domestic ones. Incumbents versus upstarts.

We take a look at some pending legislation to get a sense of where the policy chips will fall.

Personal Data Protection Bill 2018

Even today, if a business or an entity violated the informational privacy—illegally collected, stored, or shared personal data—of Indians, there is scant hope for any recourse. 

That, however, is set to change. Following the Indian apex court’s ruling on privacy—calling it a fundamental right—MeitY (Ministry of Electronics and Information Technology) woke up to this blindspot and formed a committee to create a legal framework on data protection. 

One white paper and some public consultations later, we got the draft Personal Data Protection Bill 2018. 

What is the policy?

In a nutshell, the draft legislation mandates that businesses seek user consent for any data collection or sharing. Crucially, it also mandates that any data processing be done in a fair and reasonable manner. This essentially means that business use data only for the purpose for which it was shared. Companies found to be in contravention of the law could be hit with a fine of up to Rs 15 crore or 4% of their worldwide turnover.

Of course, none of this would matter without enforcement. So, the draft legislation proposes that a data protection authority (DPA) be set up to do just that.

While a proper data collection law is something both businesses and the general public can get behind, one critical aspect of the law has some businesses up in arms.

The draft bill mandates that any entity collecting and processing data—including Big Tech like Google and Facebook and other such businesses—must store at least one copy of personal data within the country.