- No compelling case for NPDA: The revised report does not make enough of a compelling case that the state needs to be involved in Non Personal Data sharing, or that a Non Personal Data Authority needs to be created.
- Local governments in better place to address data needs: Local or subnational governments may be in a better position to take advantage of private companies’ Non Personal Data, for instance by entering into MOUs or paying a mutually acceptable fee.
- Conflicts with other bodies: An NPD authority may conflict with other institutions, such as the forthcoming Data Protection Authority (DPA) of India or the Competition Commission of India (CCI), and will need to be in constant deliberations with such organisations to succeed in its goals.
- May hurt foreign companies: The framework may disadvantage foreign players who have a significant India presence, while also not having a clearly defined regulatory perimeter that unambiguously lays out what the authority can and cannot do.
- Clarity needed on stakeholders: Not enough consideration has been given to the variety of datasets that exist among different stakeholders, and the concerns that minority stakeholders can have about data sharing, let alone how many communities might actually organize themselves to represent their interests under the framework.
“While there is value in non-personal data, I’m not entirely convinced that the state has to have a role in it, or should necessarily be involved as a regulator in it, yet,” said Alok Prasanna Kumar, co-founder and lead, Vidhi Centre for Legal Policy Karnataka. “There may be a time when it needs to happen. I don’t see the need yet because in my reading of the report that case has not fully been made up.”
Kumar was speaking at MediaNama’s January 15 discussion on the revised Report by the Committee of Experts on a Non-Personal Data Governance Framework. The discussion was hosted with support from Facebook and Microsoft.
Goals can be achieved through smaller changes
- Need for regulation not established: “The concerns raised are valid, it’s just that they don’t necessarily lead to the conclusion that we need a non-personal data authority, or rather, that we need a regulation, which will necessarily help us for sovereignty,” Kumar said. “I feel that the existing legal framework may at best be tweaked in a few ways to achieve exactly these outcomes without necessarily asking for one overarching authority.” Kumar said that the reason the authority was being set up for in the first place was not very clear.
- Conflict with other bodies: Kumar said that the proposed Non-Personal Data authority could be in conflict with other institutions.
“One is the proposed Data Protection Authority under PDP bill. Another is the Competition Commission of India, and the third is the Central Information Commission. A lot of the data that we’re talking about might be sitting with government agencies and it might be possible to get some of this data by filing an RTI application,” Kumar said.
Data as property?
- Data isn’t property: Kumar warned against using “a property rights framework for data,” because “data does not fit the requirement of what in law we understand as property.”
“In property, if I give my property to you, it ceases to be my property. I cannot use it anymore. But with data, I can still retain data and give you copies.” — Alok Prasanna Kumar, co-founder and lead, Vidhi Centre for Legal Policy Karnataka
- Local solutions better: “Some things may require very minute intervention,” Kumar said. “To give you an example, if the Karnataka state government wants to improve traffic in Bangalore, and says that Uber is sitting on data that would let it do that, I don’t see why we need a nationwide single regulation to address this. Karnataka government can approach Uber and say we are willing to pay you, or we are happy to get into an MOU with you to track anonymized traffic data, so that we can plan our city better. Let the solutions be found at a local, subnational level.”
- Variety in dataset need: “Each person may need a different set of data,” Kumar said. “You can’t apply a health data framework to traffic data framework to education data framework to everything else, I don’t see that these different kinds of data need to fit the same framework.” Prescribing a single framework when such variety of datasets exist is not desirable, Kumar said.
Kumar said that concerns around shutting out competition due to data ownership could be looked at through the Competition Commission of India, and that concerns around privacy could be examined by the DPAI, with unclear justification for an NPD authority.
Clarity on framework’s goals
There has been a lack of clarity on why exactly this framework has been evolved — is it to give Indian startups an edge, or is it to unlock the potential of privately collected data sets? Are these objectives mutually inclusive?
- Privileging Indian startups? If “the objective is that we are regulating because we want to privilege Indian startups over any other kind of entity, then we need to say that upright, and stop guising it in the word ‘community’, because then that gives a very different kind of perception,” argued Beni Chugh, Research Manager with the Future of Finance Initiative at Dvara Research. “I do not know how this institutional setup will help them achieve that objective fairly.” Foreign startups may be disadvantaged if they try to obtain data, Chugh pointed out. “Sure, we’d want to give our startup sector some sort of a benefit and a boost. But at some level, it can’t just be that you completely hand over data sets to your competitor just because we say you should,” Kumar added.
- Scope clarity: “I am afraid of this regulator taking shape because I feel that basic regulatory hygiene would call for a fixed regulatory perimeter — no matter how wide or how big it is — that’s a question of state capacity —I should know who I can regulate and who I cannot,” Chugh argued. “Here because identifiability is the basis of regulation, and identifiability is almost like a moving target, and kinds of data that are within my remit are bound to keep changing over time. I don’t know how a regulator would contend with that,” she added.
Chugh argued that due to the sheer inter-sectoral nature of the datasets and stakeholders, all decisions would rely on continuous communication and consultation between regulators, an unusual requirement for an organization like this.
What the NPD authority cannot handle
Chugh asked, “If there are competing demands for a high value data set, how is the NPD going to resolve that?”
- Who gets to represent a community? “Even deciding who gets to be a data custodian, and who actually represents the community” is a challenge, Chugh said.
“I don’t know if there is kind of a mechanism, if there are competing stakes to be a data custodian; then, how does the NPDA choose which is the one that should actually get to represent the community?” — Beni Chugh, Research Manager with the Future of Finance Initiative at Dvara Research
- Dispute resolution: “Similarly, if an entity which wants data actually finds that the data custodian has not met their demand and approaches the NPDA, then I don’t know how does the NPDA balance out competing claims,” Chugh argued. “Because on the one hand, it might not be in the best interest of the community, and that’s why the belief is, that’s why the data custodian would not have given them the right; and on the other hand, there is this organization that is adamant on having access.”
Criteria for data sharing
- Principles to guide sharing decisions: Data sharing decisions should, above all, be based on some principles, Chugh said. “What are the parameters that you would take into account when you would share data? For instance, in Australia when authorities do share non-personal data, they have only one condition or one criterion through which they judge, which is the magnitude of the public good that is being created. So, there has to be some criteria that, even when you want to apply to get access to non-personal data, these are some mandatory check boxes,” she said.
“You should actually have a principle way of saying which demands are valid and which are not. And I think that even before we went into the institutional design, that kind of a principle thinking would have been nice.” — Beni Chugh, Research Manager with the Future of Finance Initiative at Dvara Research
- Redefining communities: “I would sort of resolve [issues with the report’s definition of community] by first starting with a more limited definition of a community. And community should not just be what they do, but what their data does,” Kumar argued. Common attributes to precisely define a community have to be laid down, Kumar argued.
Can all communities represent themselves? “Even as a sociological or computer science concept, it’s pretty much meaningless or even a bit of a nonsense, I think, to say that such a community can have the level of self-awareness where they will then setup a Section 8 company to claim rights” to their data under the proposed framework, Malavika Raghavan, a lawyer and researcher working on data protection issues, said.
Jurisdiction and friction for data sharing
- Who regulates what? “We are currently seeing a massive fight between the Telecom Regulatory Authority of India and the Competition Commission of India over the regulation of your mobile service providers,” Kumar pointed out. “And I think it’s not simple to say, quote unquote, harmonize. I think there need to be clear lines drawn. And to me, anything which relates to competition or abuse of dominance, should fall within the ambit of the Competition Commission of India.”
- Building antitrust enforcement capacity: Kumar said that the CCI already had powers to address competition issues arising out of non-personal data being used to have an unfair market position, and that the creation of an NPD authority would lead to jurisdiction disputes. Capacity-building is all that would be required for the CCI to act in this area, Kumar said.
- Data sharing needs friction: The first order harms of citizens don’t get as much salience as benefits to the economy, Chugh pointed out. “And therefore, I think that we need more friction,” she said. Friction in terms of data sharing refers to adding more procedural features to the process so that it doesn’t happen too easily or too automatically. We need decision making points where we say that no, this is not the type of situation where you get access, or certain data types are exempt not just from government, but all entities.” The perspective of minority communities was not given enough importance, Chugh said. She pointed out recent research where publicly available datasets were able to predict Americans’ political leanings with 99.8% accuracy, and argued that some datasets should never be made available.
On the subject of preventing misuse, Chugh argued that there are no end-user restrictions. “So, what I can do is, I can get access to this data, and then do use it in whichever way I like. So, that’s potentially a scope for market arbitrage as well where I have been granted access under the government regime, but I could sell it to someone who not necessarily qualify for that access.”
- Enforcing protections: “So, definitely, end-user rights are important. Where my imagination completely breaks down is enforcement of this entire regime. And I don’t know how you can enforce end-user rights. We do know there are some very expensive technologies out there through which you can make sure purpose limitation happens. If not applied with, there is at least traceability to it that how you used your data is kind of visible,” said Chugh.
- Sensitive datasets: Forget about between communities, even within a community there may be issues with data sharing, Kumar argued. “For instance, if for instance, you want to take transport data of all truckers, maybe those who are transporting cows don’t want to hand over the data just like that. Maybe as a transporter community, you may think okay, if we hand over data of how coal, oil et cetera are moving, no one will have a problem. But those who are transporting cows may think twice,” so as to not get stopped by anti-beef mobs. Kumar argued that there is no way for a community to represent itself in a way that is translatable into law under this framework.