Concerns about the capacity of the government for data sharing, definitions of non-personal data under the Draft National Data Governance Framework policy, and the timeline for its implementation were among the matters of discussion at a public consultation meeting on the policy held on 14th June, MediaNama has learnt.
Stakeholders at the meeting included executives of government departments, industry associations, start-ups and academic institutions, a source present at the meeting told MediaNama. The Ministry of Electronics and Information Technology (MeitY) was represented by Rajeev Chandrasekhar, Minister of State for MeitY; Alkesh Kumar Sharma, Secretary MeitY; and Dr. Rajendra Kumar, Additional Secretary at MeitY.
Apart from the aforementioned issues, there were also discussions on how the data will be shared with different entities, the intent of the bill, other policies the government has in the works and so on. While some of these questions were answered, there were others that the government will subsequently need to clarify, all of which we have elaborated on below.
Why it matters? The policy is significant as it largely attempts to regulate non-personal data use and sharing in the country. Released for public consultation on May 26th, the policy proposes inter-departmental sharing of data within the government, encouraging similar sharing by private sector entities, instituting an “Indian Data Management Office” (IDMO) to set standards for the same, and so on. Provisions on non-personal data governance have also been a part of various other regulations the government has in the works, such as the report of a Committee of Experts constituted by MeitY and the Data Protection Bill.
A previous version of the framework, called the ‘India Data Accessibility and Use Policy’, had been floated in February and was harshly criticised by digital rights advocacy group Internet Freedom Foundation for its proposal to monetise government data. This gains greater relevance as IFF has now claimed that its criticism of the policy led it to pay a price, as it was not invited to the consultation meeting on the data governance framework policy.
The proceedings reveal the issues that have persisted for stakeholders, even in the revised policy.
Questions on government capacity, definition raised during meeting
1. MEA official raises issue of government capacity: A Ministry of External Affairs (MEA) official present at the meeting asked if the government understands the kind of capabilities which will be required for this kind of data reporting or this kind of data gathering, a source present at the meeting said.
“We in government are already stretched in terms of resources- one official is double-handing, triple-handing (multi-tasking) for various kinds of things…this is a very specialised kind of a role which will require specialised people to come in. How do we solve that?” he said, according to the source.
To this, the MoS said that the government had recognised the problem and would conduct workshops and trainings.
2. The timeline and definitions under the policy: An attendee asked about the timeline for enforcement of the policy, which the MoS refused to answer, it is learnt. Further, representatives from an industry association asked for clarity on how non-personal data would be defined under the policy.
In response to these questions, the MoS also said that a timeline could not be defined as the ministry was working on certain other policies which would together be released in a matter of weeks or months. These would also lay down the standards for non-personal data, its sharing, and so on, he said.
However, the minister did not further elaborate on what those policies will pertain to, a source said.
3. How start-ups can share data obtained from the government: A representative of a start-up asked whether, in a scenario where the start-up was working with certain government data obtained through the policy, it could share that data with another private sector entity it had entered into a contract with. To this, they were told that the government had no interest in knowing about the contracts private sector entities had entered into, and that how they wanted to share data with a partner would be up to them, it is learnt.
It is worth noting here that the policy specifically mentions that it is particularly intended to boost the ‘Start-up ecosystem’ in India by providing them with government data sets.
Other concerns raised internally by industry on the policy
1. Continuity with existing regulations: “There still needs to be clarity on whether this is sort of an iteration of or in suppression of the expert committee report that had come out towards the end of 2020,” an industry source said.
However, industry is also wondering why the government did not wait to include such a policy in the larger framework of the data protection bill, they added. “There are concerns about policy stability considering that industry is still in the lurch about what the data protection bill will say and how that might impact non-personal data,” he said.
“People have confusions about how there are no standards that have been developed in parliament in terms of what is personal and non-personal and how anonymised and deanonymised data are dealt with from a regulatory perspective, how can we have a non-personal data sharing method,” the source said.
In 2019, MeitY had constituted an expert committee to give suggestions on a non-personal data governance framework; the committee is currently working on a final report but had submitted an initial report in late 2020. Further, the report of the Joint Parliamentary Committee on the Data Protection Bill, tabled in December 2021, has said that policies related to non-personal data governance will be created by the Data Protection Authority or the government, under the bill.
2. Participation by foreign companies: “Given that the policy mostly focuses on Indian companies and start-ups, a question that foreign companies operating in India have is about the extent of participation required from them on the policy considering they stand to gain nothing from it,” the source said.
3. How will the Right to be Forgotten be incorporated?
“Under the landmark judgment on the Puttaswamy case, the Supreme Court had upheld the right to be forgotten as in that a user should be able to have some level of control over their data even after it has been shared. There is no clarity on if a user would be able to exercise the right to be forgotten by reaching out to a platform, say, if it has harvested their data and voluntarily shared it. The user would request the platform to delete their data, the platform would be obliged to comply but will this be extended to the government?” the source said.
Thus, industry stakeholders also require clarification on how the Right to be Forgotten would play into the new policy, according to another source in the know. In the 2017 K.S. Puttaswamy judgement, the Supreme Court had recognised the Right to be Forgotten which essentially allows an individual to seek the deletion of their data from the internet.
4. How will the government incentivise data sharing?
“When you set up an avenue for encouragement, they (industry) don’t know what that will mean. It just leaves enough room for discussion that data sharing may happen and the private sector might not be entirely happy about it,” the source said.
As mentioned above, the policy says that it would ‘encourage’ data sharing from private entities. However, industry stakeholders are concerned about the ambiguity surrounding the proposed ‘encouragement’ for data sharing.