“Take Amartya Sen’s flute example: there is a little kid who makes a flute and then there is another little kid who plays the flute and then there is a little kid who doesn’t have any other toy. Should this flute be given to the person who has made it, to the person who actually knows to play the flute, or to the person who doesn’t have any other toy?” This parable, brought up at MediaNama’s two-day discussion on the Governance of Non-Personal Data, is a useful lens to look at the government requiring companies to sell non-personal data. Does the government have a legitimate public interest or sovereign claim over data it did not work to gather, and that it may not be in the best position to take advantage of?
The discussion was held with support from Centre for Communication Governance (NLU Delhi), Facebook and FTI Consulting. Remarks are anonymised because the discussion was held under Chatham House Rules. Quotes have been edited for length and clarity.
- Land acquisition and non-personal data: One attendee drew a parallel between the government requiring — but somewhat compensating — land they needed for state projects. “Just because land acquisition has existed as an eminent domain practice for hundreds of years, it’s not free from controversy.” The attendee pointed out that even though land acquisition has existed for a long time, there have been cases where entire communities have been displaced because of their strong cultural and professional ties with the land that was acquired from them, and that often, compensation was not very good. “Just because an example exists where the government is known to regulate a resource in the public interest does not mean that it can do so for any resource including data,” the attendee added.
- Purpose safeguard: Land acquisition laws limit the purpose to which acquired property can be put to use. Similar protections are needed for non-personal data, one attendee said: “One can argue that this is even worse than expropriation; you still don’t have these safeguards for change of purpose, usage of purpose, the limitation of purpose, safeguards are not there, so, therefore, that is still, I would argue is a regressive aspect, if at all you think there are rights akin to property rights in, when you have collected data with having expended your resources if you have, I mean if the regime thinks that there are rights akin to property rights, I think this change limitation of purpose the safeguard has to come in.”
- What does data ownership mean? What does data ownership mean when such information is usually provided to companies by users, who can assert rights to that information? An attendee pointed out that the report does not attempt to answer this meaningfully: “For intangible assets like knowledge and data, the term ‘Ownership’ is used by the report very loosely to mean a set of primary economic and other statutory rights. So they imply something known as a ‘Beneficial Ownership / Interest’, but there is absolutely no substantiation of what that interest looks like, or what are the rights are that will play out in regulating non-personal data.” One attendee pointed out, “We may have access, we may have a right of ownership over our personal data, but with NPD, we do not have access.”
- Does not making use of non-personal data lead to welfare losses? When non-personal data exists in private hands that could make it easier to, let’s say, deliver welfare benefits, does it make sense to require that data be put to use? One attendee disagreed: “I am not being deprived of my data because somebody has collected non-personal data about me; if somebody else wants this non-personal data, nobody stops that person from collecting the data themselves. If it is really necessary for welfare purposes, they can always regulate and pass a law to that effect, but as a general lien on private data, that we might require this data for welfare, I think it is a very dangerous way to look at things. I don’t think there are welfare gaps caused by this and I would say that the Government has a very very difficult case to prove if that’s what they are trying to allege.”
- Balancing private and public rights: “If you have a right to public transport it does not necessarily mean that you get a Mercedes,” an attendee said. “You can also use a Maruti; so if Google has so much more data than company X or company Y does, that’s because Google deserves that data. They have not collected it through any sovereign right over me, they have just gone with the old fashioned way of persuading me to give them this information,” they added.
- Surveillance concerns: Attendees were concerned about the privacy implications of requiring the sale of non-personal data. One said, “The report itself recognises, that data may get reconverted and de-anonymised, and if all that mischief can be done by the Government, where are the safeguards? We don’t have a surveillance law, we don’t even have the shape of the personal data protection bill yet, so if that is the case, once you have one other avenue for the Government to access this data, those harms become aggravated. Surveillance reform has to come first so that the Government has to set an example, the state must set an example as far as data practices are concerned, whether it is personal data or non-personal data.”
- Opacity of existing data systems: One other attendee pointed out how broad laws and practices have led to surveillance systems existing that the public has little information about. “With the exception of Aadhaar there is very little known about how these systems are working and how they are working against us and what is the use to the extent to which the Government is using relying on them,” the attendee said. With few protections in place, “the government will be combining non-personal data with other data that they already have, and that combination has huge implications for several liberties and fundamental rights. What is likely to happen is that the centre of power is likely to shift from opaque corporations to an opaque state”
- National security exemptions: Attendees were concerned about the exemptions that law enforcement and national security may be granted. “We are seeing it in the Personal Data Protection bill where clauses 35 and 36 give the government literally a complete exemption from all obligations under the bill. So, I have absolutely no doubt in my mind that even the NPD regime, you know, will have similar exemptions, and what we were looking at is less accountability and less information about how this information is going to be used.”
- Constitutional rights and NPD: One attendee was concerned about the implications this could have for the constitutional right against self-incrimination. “The fact is that, you know, if you have access to this information, you should not be sharing it without due cause or without due process, let there be a warrant, and let there be a reasons given why this information needs to be shared. Otherwise, a free flow of data information between government departments is the end of all liberty.” Predictive policing and profiling was also a concern, with one attendee pointing out, “There is no statutory mechanism that will currently protect me from such profiling.”
- Proving data need: One attendee pointed out that having requirements that the government explain its need for certain data could be important, as litigation usually leads to the government getting the benefit of the doubt. “So if the government tells the court on an affidavit that they really need this data, chances are that they are going to accept it out of deference to the government. So maybe this is the reason why the deference should be more limited. They should expect a higher degree of proof before accepting that what they want is in the public interest.”
- Are data trustees reliable? One solution proposed has been to appoint community trustees that are authorised to consent to non-personal data requests on behalf of the populations the data is based on. An attendee pointed out that this could lead to a conflict of interest, especially if the trustee is heavily influenced by the government. “there is definitely a conflict of interest between a data trustee acting in the public interest and say, applying to a Non-Personal Data Authority, which might also be significantly under executive control.” An attendee added, “I do not think I have enough faith that under this model, that the trustee will adequately represent the interests of the community, and that the public interest for the trustees is actually the interests of the community that it claims to represent.”
- Abuse of trusteeship: Another attendee argued, “The problem in the conception of a trusteeship or a fiduciary relationship is that the person entrusted actually has powers over the person who is entrustee. I mean, for example, even without there are certain things that the trustee can do even without the consent of the truster, because that is I mean, the powers that a trustee exercises are fairly expensive. So, whether the state will abuse this, if there is a bill, that regime will have to recognize that if this kind of trusteeship powers are given to the state, it will be abuse then there has to be safeguards.”
- Consent issues: On the issue of individuals refusing to consent to their data being sent to other entities even in an anonymised and aggregated form, one attendee pointed out this could be close to impossible. “Consent is unfortunately rendered meaningless because companies will just refuse to provide services, saying that this is my obligation under law and I have to pass this data on, so if you do not consent to me passing on your anonymised data onwards, I cannot provide you my service.”
- Different standards for different ministries: “If you are a typical tech company, arguably the only government agency that will walk up to you and ask you for data would be something like the Ministry of Home Affairs or the police department. But I think that we are also now seeing an evolution where the group of agencies that can demand compulsory data sharing are expanding. Within the framework that this report envisages, I could see the Ministry of Commerce, the Ministry of Information Technology and the DPIIT as being different government agencies that come up to you and demand certain kinds of data and certain kinds of information. What are the rules of interaction here? What are the criteria for commercial interactions that will now start taking place? There would be a very different set of considerations that would govern what a Ministry of Commerce can ask from you and what a Ministry of Home Affairs can ask from you in any given scenario,” one attendee pointed out.
- How non-personal is non-personal data? One attendee argued that even aggregated data could have bad outcomes at the individual and community level. “[Delhi Police] have a mapping software and what they are doing right now is making a lot of layers. They don’t have a lot of data and they want to do a lot of survey in Delhi, especially of migrant colonies, especially where people know the slums and places. So, they will put in every data possible in those layers to recognize the so-called criminals. So I’m just wondering whether even if it’s non-personal data, so-called non-personal data, which is not identifiable, it can identify a lot of things. Maybe not people, but regions, which is where our predictive policing is right now, we are not policing people, we are policing regions. They can easily say that it’s non-personal data, is non identifiable. But when it’s pushed through this lens, then when we all know what is the output going to be.”
- Pollution data: Even something as supposedly impersonal as pollution data, the attendee claimed, could be turned against a populace. “When pollution data comes out, that data can also be used in putting those areas down in terms of property prices, or new schools will never come up in those areas or property prices will go down,” the attendee said.