Podcast transcript: How DPDP Act will impact the e-commerce businesses

16 min | 21 August 2023

In conversation with:

Mansi Gupta

Mini Gupta
EY India Cybersecurity Consulting Partner

Pallavi: Welcome to an exciting new episode of ‘Gateway to data privacy and protection’ special series, presented by EY India Insights Podcast. I am your host Pallavi and today we have a captivating topic in store for you – the impact of the data privacy Act on e-commerce. Joining us is our esteemed guest, Mini Gupta. As a Cybersecurity Consulting Partner at EY India, with an impressive two-decade-long career in risk management across diverse sectors, Mini brings valuable insights to the table. Over the past 10 years, she has worked on data privacy in India and globally. Mini, we are thrilled to have you back in our podcast.

Mini: Thank you, Pallavi. 

Pallavi: In e-commerce, we have platforms and retailers in various permutations and combinations. Who will be the data fiduciary in this case – the platform or the seller? After all, both would be collecting data from the data principal.

Mini: Data fiduciary is the one who decides the means and purpose of the personal data that is being collected. In the case of an e-commerce environment, the platform provider in e-commerce will definitely be one of the data controllers, because they collect personal data at the time of registration and process it for purposes such as marketing, analytics, or targeting. The e-commerce platform will be considered as a data fiduciary unless it is a pure technology play where the platform is only providing a technology layer and everything else on top of that is being decided by the retailers or the entity that has engaged with the e-commerce platform provider. But if you look at the regular e-commerce platforms, they typically act in the capacity of a data fiduciary.

Similarly, if you look at the retailers or the sellers on the platform, there are larger retailers and sellers who decide what is the kind of data that they collect – for processing or fulfilling orders. They may also be considered as data fiduciaries unless these are retailers that the platform or the e-commerce organization is engaging purely to collect goods and then deliver to customers without revealing who the end-customer is or providing any personal data. If the platform providers are not passing on personal information to the retailer, and the retailer is just there to provide goods and services, they (retailer) would be the processors. 

However, if these are retailers who are deciding what could be the various parameters or details required for an end consumer to fulfill the orders, then they would also be considered as data fiduciaries.

While there are various permutations and combinations when it comes to platforms and retailers, their role as a data fiduciary may be similar. Both could be data fiduciaries or there could be combinations where each one of them is a processor more than a fiduciary, depending on the role that they play. But the principle to follow is that any entity which is determining the means and purpose of collecting and processing the customer's personal data would act as a data fiduciary.

Pallavi: In online businesses, often the person or the organization fulfilling the order of the data principal is a small business or an individual. For example, an Uber or Ola driver has a platform. Uber or Ola is accessing the data of the person as well as the driver partner. Similarly, for businesses like Urban Company (earlier Urban Clap), how can the data principal’s data be safeguarded? 

Mini: In such scenarios, an Uber or an Ola are the data fiduciary themselves and they have to ensure that adequate data protection measures are put in place prior to sharing personal data with the small businesses or individuals. In some cases, there is obfuscation of personal data such that while they can reach out to an individual, personal details such as mobile numbers are not available. However, some necessary data such as name and address will be provided. While controls such as data masking and data obfuscation can be used, there will still be some limited data that may need to be shared. Hence, it is the duty of the data fiduciary to ensure that smaller businesses, set-ups or individuals are sensitized about the matter, the confidentiality of such data being shared, and the need to keep this data protected as well. 

Right now, there are measures such as non-disclosure agreements or confidentiality agreements, along with consequence management, that could be signed with smaller businesses or individuals to act as a deterrent and to ensure that they protect the data principal’s personal data and avoid any misuse.

In all cases, it is the responsibility of the data fiduciary, and more so when they are dealing with smaller setups, to sensitize and also put data protection measures in place.

Pallavi: Thank you for those insights, Mini. If a data principal chooses to stop using a platform and withdraws consent, the platform may have the capability to extinguish the data. But will it not still remain with intermediaries? 

Mini: There is a chance that personal data may be available with the intermediaries and individuals who may come to service the data principal. However, limiting the exposure of personal data to these individuals is one measure. It could be (through) data masking or data obfuscation, which limits what gets exposed to them and is purely what they need for providing the services. That's one measure that can prevent the misuse of such personal data.

Additionally, once the customer withdraws consent, it is the data fiduciary’s responsibility to inform these individuals of the same and to ensure that such personal data is not referred to at all. 

In fact, irrespective of whether the consent is withdrawn or not, ideally, the data fiduciary should ensure that these individuals or smaller businesses purge or delete the data when it is no longer required. Once the service has been provided, there is no need to retain the data. Irrespective of whether the consent has been withdrawn or not, the data fiduciary should take measures to ensure that the smaller businesses or individuals, once they no longer need the data, delete it or that they understand that it should not be used anymore. But in case it (data) is being used, then once the withdrawal of consent takes place, the data fiduciary has to ensure that all such entities are immediately informed about deleting this data or are not using the data going further.

A measure of strong consequence management is also required here to act as a deterrent in case the individual still chooses to misuse the data even after withdrawal of consent.

Pallavi: We often see that in digital businesses there is constant churning of product or service providers who fulfill orders through the platform. If these providers leave for another platform, how will the data fiduciary ensure that they do not retain any sensitive data?

Mini: The exposure to personal data should be limited. That is really the crux of these matters – how do I minimize data; how can I adopt data minimization as a principle that is implemented across digital businesses, such that only the required sensitive personal data which is necessary for processing is collected and shared further?

Wherever possible, data should be masked, encrypted prior to sharing so that it remains protected. Rather than sharing personal data, we have enough and more maturity in technology products such that the data can be made available on a real-time basis on the digital business provider platform and not really shared. The data is not really moving environments, it is only made available within the window that the business provider needs it for and then it is not available. In some cases, data is completely masked, and it is tech to tech that takes care of provisioning without really divulging any personal data.

These are various measures that can be put in place to ensure that the service provider does not really come in contact with personal data. And even if they do, it is limited to what they really need and the time window for which they need it and not beyond. Technology plays a key role here to ensure that you are not just leaving it on an individual to delete, but you are actually narrowing the window and narrowing the possibility of misuse by obfuscating it and using the right protection measures.

Pallavi: Although there are provisions for fines for data fiduciaries if they misuse data, how does that help the data principal or those whose data has been misused? 

Mini: While there is no provision in the Act that mentions how to help someone whose data is being misused in case of a compromise or misuse, it does mention that the data fiduciary has to pay the penalty. There is no measure or means provided for compensation to a data principal, but this still acts as a deterrent. The penalties and fines imposed on a data fiduciary or the provision for fines act as a means of ensuring that the data fiduciary is putting the right controls in place, is taking privacy seriously, has the right intent and framework such that the data at the first hand itself does not get compromised or misused. 

However, if it does get misused, it is left to the data protection authorities to decide on a case-by-case basis if they shall impose any penalty on the data fiduciary for them to compensate the data principals. But there is no monetary compensation that has been defined and the objective is not to make money, but to see how the data can be protected in the first place.

Pallavi: What institutional capacity is being built to ensure careful monitoring of these laws? In case of a data breach that harms a data principal, will there be a separate agency to handle it?

Mini: According to the Act, a data protection authority or a body will be formulated to take care of matters related to data breach or harm that may be caused to data principals. As is in other global privacy regulations, India shall also follow the same approach of setting up an authority that would act as a central body to monitor the non-compliances.

In fact, this is the body that would also come into play in case any data principal’s grievance to the data fiduciary is not being fulfilled or addressed adequately. In addition to that, there is also a mention of having periodic independent audits based on the type of data fiduciary, which will again help monitor the framework and the practices in place that organizations have put in to ensure compliance with the law. All of these put together act as both preventive and detective measures and ways of monitoring compliance with data privacy. 

We will have an authority that will look at such specific cases. 

Pallavi: Thank you for joining us and sharing your valuable insights on the impact of the Digital Personal Data Protection Act, 2023 on the e-commerce sector. 

Mini: Thank you for having me here. 

Pallavi: On that note, we come to the end of this episode. If you would like us to explore other such topics on data security and privacy, please do leave us some suggestions that you would like us to deep dive into. Thanks for listening in. Until next time, this is Pallavi, signing off.

The podcast was recorded before the Bill became an Act of Parliament on 11 August 2023.