“The big question is do we even need aa non-personal data authority? Can the objectives not be achieved by sectoral data portability rights and open banking type solutions?” a person asked at MediaNama’s discussion on the Governance of Non-Personal Data held on August 6 and 7. “A lot of things mentioned in the report don’t have adequate definition. If you don’t know what they mean, then it becomes extremely difficult to design things for an NPD authority, and what powers will it have, along with the necessary checks and balances,” another person said.
People also spoke about whether access to such kind of data can actually help ‘Indian’ business to grow, and more importantly, whether it is right on the expert committee’s part to treat such data as a “common resource”.
The discussion was held with support from Centre for Communication Governance (NLU Delhi), Facebook and FTI Consulting. The discussion was held under the Chatham House Rule. All quotes have been edited for clarity, brevity and anonymity.
Is there a need for a non-personal data regulator?
Several components in the report are vaguely defined which makes a regulator’s job difficult: The report begins by talking about case for regulating data. This is really important because what the [non-personal data] authority will do depends on this. There are some words that it uses that I quite am not sure about. For example, it uses the word ‘unlocking value’ a lot of times. I think there is no clear articulation of what unlocking value means.
“One of the cases for regulating data is examining collective privacy. The report also admits that we don’t know particularly what it means. Then my question will be, why are we wielding state power when we ourselves don’t know what collective privacy means. From designing of an authority point of view, first we want to get some of these terms right, before we start giving the state so much power to do something,” the person added.
“Similarly, the report says that the NPD authority needs to have an enabling role and ensure that the data is shared for sovereign, social welfare, economic welfare, regulatory and competition purposes. But if you start unpacking each of these words, what is social welfare, what is economic welfare, what is regulatory and competition purpose, which competition law is already not solving,” they asked. “It makes me really wonder about what is it that the NPD authority is trying to do and what the goals of this authority are”.
What exactly is the objective of the NPD authority? If the objectives are to prevent abuse of dominance on account of network effect, or to reduce barriers to entry, shouldn’t it come from making changes to the Competition Act, the person asked. “When we overstep existing regulators, we tend to introduce a lot more discontinuities and a lot more glitch in the system,” they added.
“If the current competition authority cannot penalise vertical implication, cannot successfully remedy network effects, how are we expecting this regulator [NPDA] to go ahead with it. The logic is just not consistent with the law of the land, and then unless there is some extremely new toolkit other than regulations that they are thinking of, we will land up in the same problem. If that case wouldn’t stand in the competition commission, how is this regulator actually entertaining those things.”
Another person remarked that in the Indian banking space, there is a lot of infrastructure being created to facilitate or enable the flow of data. “If we have great access controls there and great privacy by design controls there, then those could solve problems better at the sectoral level,” this person said. Even for sectors that don’t have a sectoral regulator, ministries and other government departments can do the job, they added.
Clear regulatory capture: “Even when none of the mechanisms are set out, I see a regulatory capture already. The reason that I say that is, at a couple of instances in the report, it says that data trustees will actually suggest the NPD Authority what enforcement should happen, soft law regulation can be suggested by data trustees. The regulator will make its decisions regarding legitimate data sharing request in consultation with data trustees. And it’s no fluke that the kind of examples that we have seen in data trustees in the report are Ministry of Health, and department of transport. It’s like all principles of admin law flying in your face right. The whole point of regulation is to have distance from the government and have like an objective entity,” a person said.
Issues of jurisdiction: “I do find that there are jurisdictional issues,” a person said. “Some of these questions, they belong to the competition commission, they belong to the privacy, data protection authority. There are also jurisdictions in terms of territory. Somewhere in the report I read that non-personal data belonging to Indians and Indian communities, so, basically, it also means NASA doing quarter level testing for India and giving us those pictures, satellite imagery of water levels in rivers, that’s also non-personal data of India. Where is the jurisdiction ending and who all are they imagining to be regulated by. It’s really a super regulator, it’s the god of all,” they added.
There are also issues around domestic jurisdiction, this person said. “Banks can be a data business, hospitals can be a data business, all of these entities can be a data business. So, I think the big question then is what is the kind of capacity and what is the kind of role that we are investing in this particular regulator,” they remarked.
NPDA vs DPA: When asked whether the proposed data protection authority (DPA) in the data protection bill will be enough to regulate the use of non-personal data, a speaker said that “human derived NPD belongs to the DPA because we do understand that re-identification is basically a ticking bomb.
Can non-personal data actually help ‘Indian’ businesses?
Unclear how the framework will foster ‘innovation’: The report also talks a lot about the regulator trying to create certainty and incentives for innovation. And I want to push back here and say that certainty comes from policy and regulation, it does not come only from data alone. And the kind of certainty questions that we have been dealing in India are, suddenly something gets banned, then there is sudden retrospective taxation, suddenly a government monopoly is established, suddenly the taxman is knocking at your door for something that seems like a very obvious income slash revenue to you, but you have to now start explaining everything to the taxman.
Data as ‘property’: The classification of “data as infrastructure”, in the report is a little “hasty”, they added, as it “does not unpack what infrastructure actually means and what kind of infrastructure this is and therefore amenable to which kind of model of operation. I think that, that’s not just about data, but in the overall space when we are talking about digital infrastructure, somehow the word infrastructure seems to have a mythic quality to it where suddenly you say ‘infrastructure’ and then you think that it has to be owned, operated by government,” they remarked.
“The regulatory texture that they are proposing here is how you would regulate something that has clearly established property rights. Like the entire posture, the entire toolkit that we are referring to in terms of thresholds for classifying data, businesses or audit requirements or disclosure requirements, all of those things work in a world of capital, in a world of banking, in a world of companies, but not something as contextual as data and not something with as many overlapping rights with data right,” another person remarked.
Data is not a ‘natural resource’: There is a lot of analogy between natural resources and data which gets used in this space, the first speaker said, adding that India’s policies on natural resources are “messed up”. “So, whether it is the state expropriation of natural resources or whether it is the way private sector can be given a free hand on natural resources, both have been detrimental to how we have dealt with natural resources in this country,” they noted.
“If we are classifying data as a natural resource and if we want to go into that direction, then I would say certainly, the lessons that we have to draw from our own experience is what not to do instead of what to do. And I would really caution again in terms of thinking of data as a natural resource or a common resource because to my mind, the analogy doesn’t fit that well,” they added.
Talking about “data as commons”, another person said that “even for commons to exist, we need to have either rights over data or see data as property. It needs to be something that can be commonly held. And so, that can get us in a little bit of problems as well because if we go the property direction or an ownership direction, we may inadvertently lead to into more of an ‘data as oil space’”, they said.
Indian startups have bigger problems than just data: Indian startups have problems in terms of a level playing field that go beyond how much data they have, this speaker said. Startups face issues like licensing, entry barriers, tax law, and tax administration. These hurdles are the reasons startups are incorporating in London or Singapore, the person said. “The reason that they are not here is not because they lack data or data is somehow a big concern. We have deeper problems which matter for the start-up ecosystem, and I am not sure that data is one of them,” they said.
Also in this series:
- #NAMA: What are data trusts? How do they work?
- #NAMA: Anja Kovacs on the problems with India’s report on non-personal data governance framework
- #NAMA: Sameer Nigam on the perils of requiring companies to sell Non-Personal Data