The report also looks at the basic assumptions and sheds some light on the work to be done by the government before it can institute such a framework.
The CUTS Centre for Competition, Investment & Economic Regulation on August 19 released this report on ‘Navigating the Puzzle of Non-Personal Data Sharing: A Three-Pronged Analysis of Rationale and Assumptions’. Non-Personal Data Sharing is the idea that companies should share — either with each other or with public authorities, or a combination of both — macro-level data on their operations to boost competition and to assist in governance. This comes after two reports were released by the Ministry of Electronics & Information Technology’s Committee of Experts on Non-Personal Data Governance Framework, headed by Infosys co-founder Kris Gopalakrishnan.
While India awaits a Personal Data Protection Act to be passed, the government is already considering the opening up of non-personal data to competitors and authorities for various purposes. There are concerns about these plans from a privacy and competition perspective; CUTS-CCIER’s report examines these issues from the latter lens.
This summary examines the concerns CUTS identified with the government’s approach to the CoE report on NPD sharing. There are also sections on international precedents later in the report, but the main learnings from the report are shared below:
Many countries are looking into data sharing as a way to unlock latent economic potential. The World Bank in a report cited the importance of data reuse and sharing for economic development. Concerns remain, however, on user privacy and cybersecurity. The World Bank report also flags the importance of open data policies and having frameworks for classifying data categories.
This trend led to the first (and then revised second) report on the NPD Governance Framework in India in 2020. Those reports aim to regulate NPD sharing and enable its use for “public interest purposes and establish community rights in data.” The Economic Survey of India of 2019-20 also had a chapter on NPD sharing for innovation.
However, public enterprises’ own data sharing, such as through the data.gov.in portal, has fallen short, with organisations like ISRO who are data-rich not leveraging it. Organisations like the Bureau of Indian Standards that once initiated data sharing don’t do so anymore, and other organisations have error-ridden data.
Fintech sector-driven initiatives have also existed: there is the Data Empowerment and Protection Sharing (DEPA) framework, where data can be shared through a consent-based mechanism through APIs. RBI also has an Account Aggregator system, with consent dashboards letting customers choose how their financial data is managed.
Cloud computing infrastructure is just starting to develop and there is no integration of AI and machine learning systems here — the data quality is too poor to drive the development of these systems.
Telangana and Karnataka have developed open data initiatives and are pushing for AI and data sharing infrastructures. Other states have not done so.
“The aim of setting this context and overview is to highlight that India is on the path towards building a fostering data-sharing environment. However, this cannot be achieved without addressing the issues from the open data initiatives to the PDP Bill.” — CUTS-CCIER report
- There needs to be a clear problem statement and objectives that are backed by evidence in the government’s strategy. There needs to be a rationale, a market need, and a link to the policy landscape in India. The NPD sharing framework needs a Regulatory Impact Assessment.
- Data sharing models should be agile rather than stringent to avoid compliance burden. Flexibility for businesses at the initial stage should be provided. The industry should be consulted for building such a framework.
- With sectoral level data-sharing initiatives and regulations, it is important to identify pre-requisites for instituting a data-sharing framework. This could be informed by global developments, and serve as the starting point of data standardization, a process to be shepherded by the government.
- Policy sequencing should be done: first, public sector data for public interest purposes should be released. Then, the Personal Data Protection Bill should first be passed before this framework is considered.
- Market needs and incentives should be thought out. Data trustees should be encouraged to lean towards public interest, as opposed to private interests.
- A “one size fits all” approach should be avoided due to the diversity of data. Approaches should be tested on proportionality and necessity.
- There should be safeguards on the data and consumer welfare should be protected. Legal safeguards and accountability frameworks are important, as are avoiding exclusion risks.
- Existing legal regimes should be re-assessed, including through the three-pronged test of necessity, legality, and proportionality outlined in the 2017 Right to Privacy judgment of the Supreme Court of India.
Baseline scenario assessment (BSA)
A BSA is conducted by the CUTS report to recommend how data’s value can be realised and benefit citizens and communities in India. This is done in light of arguments about the lack of market and regulatory clarity, lack of evidence behind some of the assumptions on the maturity of India’s data market, and insufficient assessment of data protection, intellectual property, and competition aspects.
- Nature of data: The committee of experts report (CoE report) looks at data through an informational lens as well as an economic lens, which may create privacy harm that it addresses with a community rights framework. The report however does not identify a comprehensive problem statement to address the NPD sharing in the same way as other “material resources”.
- The report envisions a “high value dataset” (HVD) as to be shared mandatorily as a public good. It justifies this by defining data as a ‘material resource,’ whose equitable distribution may be ensured under Article 39 of the Constitution. This assumes that data is comparable to physical natural resources.
- The CoE report additionally confuses “data as public good” and “data for the public good”. It also assumes that regulatory and technical capacities should be developed for the former goal.
- The CoE report assumes that data is “non-rivalrous,” and that multiple organisations can possess it without its value degrading.
- This assumes that NPD sharing under a material resource framework with a community rights model would benefit the framework, without any evidence for this.
Concerns: Studies have shown that data does not have the kind of value that material resources have because of how differently value is derived from it. Data in and of itself does not have value; it needs to be processed. As such, data sharing in and of itself won’t benefit society, while being forced to share it might harm businesses.
- Value of data: The CoE report assumes that regulation is a “silver bullet” to unlock the value of data. It does so without considering the value of private sector data. There is additionally no incentive mechanism for sharing of meta-data, something the CoE report says will spur innovation.
Concerns: It is important to analyse the pre-requisites for creating value from data before assuming that this will happen. Who are the actors in such value creation? Transferring value from businesses to the community without incentives can be problematic. There should be an assessment on whether data trustees and communities will have the capacity to identify the value of data for communities. Cost analysis of meta-data sharing should be done.
- Benefits of sharing data: The definition of “public interest purpose” in the CoE report is highly expansive. The report assumes that a fixed meaning can be applied to the term. It assumes that trust relationships can be established in India’s data economy without studying the dynamics among different players.
Concerns: “Public interest” is ill-defined in Indian jurisprudence. The Supreme Court has referred to a law dictionary definition that says it cannot have a precise definition. It is elastic and takes colour from specific statutes. No fixed definition can be applied to public interest, so there is risk that expropriation of resources can lead to adverse consequences for beneficiaries. Tensions between individual and public interests have to be studied, and it ahs to be assessed if there are any use cases to establish the benefits of NPD sharing in India. There may be a ‘chilling effect’ in the data economy following regulation for sharing. There is also a lack of consumer behaviour in understanding data sharing in the Indian context.
Assessment of Targetted Market and Regulatory Failures
The report does not provide evidence that there are market failures that regulation can fix to enable NPD sharing. Concerns around misinformation and censorship can be resolved through data protection guidelines. It assumes that uncertainty exists in the market and that startups have been left behind.
Concerns: The gap that the CoE report is solving isn’t clearly defined, nor is how this approach is suited to the Indian data economy. It also doesn’t assess if smaller players in the data economy are equipped to leverage data from bigger players. It doesn’t in addition assess if existing competition and intellectual property frameworks are sufficient to deal with the concerns it presents.
Assumption on policy maturity
The CoE report assumes that there is enough policy maturity in India to manage a data trustee model.
Concerns: There are risks with this. Big players tend to be distrustful of trustees, and act in ways that are commercially beneficial and leave intended beneficiaries of welfare behind. The government may also, in a potential trustee capacity, use NPD for governance purposes without privacy considerations.
- Setting up of NPD Authority: The recommendation to create an NPD Authority assumes that sector-level authorities’ capacities are not adequate to deal with these issues. This may lead to over-regulation and overlaps, further stifling innovation and investment in the sector.
- PDP Bill: The Personal Data Protection Bill, 2019 has been acknowledged by the CoE report, and even suggests removal of some clauses to enable its own framework. There is still uncertainty on whether these clauses will be removed, and concerns remain about obtaining consent for anonymization from customers in India, who generally don’t read privacy policies and related documents. It is important to also challenge the binary of personal data and NPD — can a clear line be drawn between the two?
Assumption on market mapping: The report assumes that quantity of data is a driver of growth. No assessment backs this. Mandatory data sharing approach is also questionable based on the current maturity of the market.
Problems with process: The details of who was consulted for the CoE report was not made public. No cost-benefit analysis was done.
- A Guide To Non Personal Data Regulation In India
- Revised report on Non-Personal Data Framework released by MEITY’s Committee of Experts [Read] [MediaNama’s summary]
- Ikigai Law’s summary of the Committee of Experts’ revised report [Read]
- OECD’s Enhancing Access to and Sharing of Data (cited in revised report) [Read]
- UK Data Services’ explanation on anonymisation of data (cited in revised report) [Read]
- On privacy risks after anonymisation of data (cited in revised report) (ScienceDaily) [Read]
- European Data Strategy (cited in revised report) [Read] [Our story]
Have something to add? Post your comment and gift someone a MediaNama subscription.