Mozilla’s submission to DPIIT, accessible here, outlines a position of reforming the policy to take into account greater consideration of security of the data of Indian users and a more strategic approach to enabling competition in e-commerce. The submission is summarised below. Medianama is compiling a list of submissions made to the DPIIT here.

Data as a National Asset

  • Objects to the framing of data of Indian as a collective resource held by the government in trust to which it may permit rights.
  • Conflates government’s interests with users’ interest: This framing is prone to undermining individual rights of users.
  • “Data as an asset” violates Supreme Court’s judgment in Puttaswamy v. Union of India as well as India’s commitments under the ICCPR treaty.
  • Replaces the notion of the fundamental right to individual privacy with the concept of ownership of data and thereby encroaches on individual autonomy.
  • Regulating data without Data Protection Law is risky: Regulating community-oriented datasets without a legal framework to secure individual rights over one’s data opens up user data to abuse by governments as well as companies.

On Storage, Sharing, and Cross-border Data Flow

  • The policy fails to outline an objective behind the mandate to restrict the storage of data within India and restrictions on sharing data outside India.
  • Objective of data protection would be better served by a data protection law, already in the works, and substantive surveillance reform. Without this, the policy makes user data susceptible to abuse by law enforcement authorities.
  • Fails the test of Proportionality: Any state interference with privacy is required to meet the standards of legality and strict proportionality, as laid down in Puttaswamy v. Union of India, not met by the policy
  • Increase in risk of data breach: Concentration of Indian user data in limited centres increases the risk of a breach and the impact of such a breach on citizens.
  • Increase in cost to startups: The cost of localisation measures will hit startups and small businesses disproportionately.

Disclosure of Source Code

  • Companies have legitimate interests in protecting their source code for security and commercial reasons. Allowing government authorities vague ambit to access source code has risks involved.
  • The policy is silent on which authorities would access the source code: This can facilitate unauthorised surveillance, and would also be prone to external security threats, especially if stored in a centralised database.
  • Erodes trust in the market: This provision will undermine trust in companies and create barriers to doing business in India.

Access to Data and Competition

The submission argues for a strategic incentive-based approach in encouraging data sharing, rather than coercive measures which may alienate international companies. They argue for a broader reform of competition law in order to achieve this.

  • Data protection law required to prevent re-identification: “A data protection law must be in place which would ensure that all personal data is excluded from any data sharing… any such policies would need to mitigate the risks of inadvertent reidentification of individuals through combining apparently anonymized data points.”
  • Government should identify useful anonymised datasets: “…the government should conduct an exercise to identify those aggregate and anonymised datasets that would be most valuable to new, nascent businesses. As noted in the UK Governments’ recent Digital Competition Expert Panel Report, there are already a number of positive examples of such voluntary data sharing. For instance, Uber has chosen to release anonymised and aggregated data under the ‘Uber Movement’ scheme to inform and improve infrastructure and planning decisions.”
  • Policy should encourage interoperability: “…Competition policy should encourage designing for interoperability and standards-centric design and implementation, coupling positive incentive “carrots”, including potential safe harbours, with corresponding “sticks” of heightened merger review standards and strengthened enforcement of rules and policies against anti-competitive behaviour by firms.”

The submission asks the DPIIT to scrap the current draft, and for further broad-based consultation on the subject.