The Non-Personal Data Governance Framework‘s recommendation for a new law, new regulator and a compulsory data sharing architecture is “premature” and has “little global precedent for the regulation of NPD [non-personal data]”, BSA, the software alliance, wrote in its submission to the committee of experts. The key problem with the framework is that it is “overly broad” and undermines innovation. “Forced data sharing policies will undermine innovation and investment, and risk stifling Indian businesses and startups,” the submissions states.
BSA, whose members include Cicso, Amazon Web Services, Microsoft, and Salesforce, said that mandatory obligations are counterproductive for data processors, such as enterprise software and cloud service providers, as they handle data only on behalf of their clients, and “may be prohibited from accessing that data except to carry out their customers’ instructions”.
The group has also recommended doing away with local storage requirements and restrictions on cross-border transfers of non-personal data. It has also suggested incentivising data sharing, instead of mandating it.
Deters innovation, increases security risks: Problems with the report
- Mandatory data sharing obligations are counterproductive for data processors because they are not data businesses or data custodians and hold data on behalf of their clients. Thus, they may lack the technical ability or legal right to share such data. This may also create security and privacy risks, and it is difficult to apply consent requirements to data processors.
- Deterrent to creation of databases and innovation: The submission argues that creating and structuring datasets, including raw datasets, is a resource intensive activity and mandatory sharing will remove the incentive for businesses to invest in the collection, curation and maintenance of databases and to develop new technologies. It will also deter new entrants in the field. BSA acknowledged that innovation is not solely dependent on data access, but lack of return on investment on data improvement could hamper economic growth and discourage investment in data analytics as a field.
- Increases security and privacy risks: BSA argued that businesses may be forced to share data with companies that employ inadequate security, privacy, and data handling practices, thereby exacerbating security and privacy risks. The recipient of data could re-identify personal data if it starts compiling data from different sources.
- Data sharing purposes are too broad: The purposes for which data sharing can be mandated — sovereign, core public interest and economic purposes — are too broad, according to BSA. Such broad purposes mean that “essentially all data held by a company” comes “within the scope of mandatory sharing obligations”.
- Disincentivises businesses from improving data security to avoid higher regulatory compliances: BSA has argued that to avoid the higher regulatory compliances that the new category of “data business” imposes, businesses may refrain from adopting advanced and secure software-enabled solutions. Moreover, the category is so broad that it can include almost any business.
- Threat to intellectual property rights: Mandatory data sharing requirements, as per BSA, undermine intellectual property rights and their function in catalysing innovation. In addition to databases being protected by copyrights, the submission has argued that insights from such data is treated as “confidential information” or “trade secrets” and is granted legal protection against unauthorised disclosure.
- Difficult to create AI training datasets without incentives: Mandatory data sharing requirements and higher compliance burden would stem the flow of investments into data collection and processing. Thus, there wouldn’t be enough datasets to train AI systems, thereby increasing their costs for customers, and decreasing incentive to develop them further.
Don’t over regulate, do away with local storage requirements: Recommendations
- Privacy concerns should be addressed by the Personal Data Protection Bill, especially because non-personal data, by definition, is not related to an identifiable individual. If the NPD framework addresses them, it will create conflicting obligations. BSA goes a step ahead and recommends excluding “references to privacy, consent, and anonymization standards” from the scope of the NPD framework.
- Don’t create a new regulator because that would lead to regulatory overlap and create legal uncertainty. Privacy concerns should be addressed and enforced by the Data Protection Authority, and interests of consumers are already addressed by the Competition Commission of India.
- Don’t impose restrictions on cross-border data flows, eliminate local storage requirements: BSA has submitted that such restrictions are “unrelated” to the data sharing objectives of the NPD framework. These restrictions disrupt companies’ operations, make providing services in India costlier, decrease opportunities for data sharing-based collaboration, and increase barriers for competition. BSA also said that such restrictions are inconsistent with global norms and practices.
- Make data sharing voluntary instead of mandatory: The group has argued that mandatory sharing would “chill investments” and undermine innovation by enterprises, especially Indian start-ups and SMEs. It stressed that data has “very little inherent value” in raw form or in isolation; it is only curated data, or when it is used as an input for other value-added operations, such as AI, that it has financial and economic value. Problems with making data sharing mandatory include:
- Data sharing purposes should be narrowly defined and that the government should hold further consultations with the industry to define a threshold criterion or a purpose test.
- Use existing frameworks instead of creating “new bureaucratic categories”: BSA recommends that the committee should consider existing frameworks, such as data marketplaces, that “enable participants to benefit from mutually agreed sharing of data, while preserving data security”. Investments in research and development and creation of regulatory sandboxes have also been advised.
- Recommend incentive schemes, voluntary data sharing frameworks instead of policies that “stifle innovation and consumer benefits”. BSA has also advised that the framework should make it explicit that there can be no obligation to share trade secrets or confidential information.
- Don’t create legally binding rights or concepts relate to community data and community ownership, remove concepts of “beneficial ownership” and “duty of care”: For BSA, this “layering of rights” via data trustee, community rights, beneficial ownership, etc. creates uncertainty and undermines fundamental principles about nature of rights. This would then make it harder for businesses to use the data they collect and curate. Moreover, the data that is utilised today comes from multiple sources and thus could include NPD from different communities, resulting in competing “beneficial ownership/interests”.
- Private non-personal data should not include “global datasets” as that would effectively extend the scope of the report to any dataset collected by any entity in any jurisdiction. Imposing compulsory data sharing obligations on foreign business for data of non-Indians may violate international treaties such as WTO’s TRIPS Agreement and WIPO’s Copyright Treaty.
- Encourage release of high-value government data assets: It supports the framework’s proposal to share public non-personal data, that is, NPD collected or generated by the government. It name checked the government’s Open Government Data (OGD) platform that has been built atop the framework created by the National Data Sharing and Accessibility Policy (NDSAP). It also suggested improving the quality of the data that is made public and making it interoperable. Steps, as per BSA, could include:
- Identifying the most useful government data assets for industry, academia and public, and making them available via open access.
- Using simple APIs and interoperable formats so that such data can be accessed and used by private entities, including Indian start-ups and SMEs. APIs, or application programming interfaces, are codes that allow two software, apps or databases to interact with each other in a limited manner.
- Summary: Report on Non-Personal Data Framework released by MEITY’s Committee of Experts
- Don’t deal with non-personal data, ease up on data localisation: BSA on Data Protection Bill
- #NAMA: Data Protection Bill needs to clearly differentiate between data fiduciaries and processors
Read the other public submissions made to the committee here.