Two-and-a-half years after the Supreme Court of India cemented privacy as a fundamental right, India still hasn’t framed rules to govern the flow of personal and non-personal data.
In 2019, the Personal Data Protection Bill was introduced during Parliament’s winter session. Instead of a discussion in the Lok Sabha, the bill found itself in the lap of a select committee. There were speculations it would be introduced during the ongoing Budget session but that hasn’t happened either.
Simultaneously, in 2019, the Ministry of Information and Technology (MeitY), constituted a committee to create a set of rules that will govern non-personal data. Kris Gopalakrishnan, co-founder of Infosys, is its chairman. Other members of the committee include Debjani Ghosh, president of the National Association of Software and Services Companies (Nasscomm), Gopalakrishnan S., joint secretary at MeitY and Parminder Jeet Singh, executive director at IT for Change. There’s no clarity yet on when the committee will submit a report to the government. In all likelihood, this session of Parliament too will end without putting in place a governance framework for personal and non-personal data, leaving the conversation around both these issues wide open.
Meanwhile, other countries picked the ball up and ran with it. As far back as 2016, the European Union adopted the General Data Protection Regulation (GDPR), a landmark framework to govern the flow of users’ personal information on the internet. In 2019, it created a set of rules to regulate the travel of non-personal data across the region’s digital universe.
The central challenge for India is to balance privacy concerns and intellectual property rights with its aim of making data available for innovation and evidence-based policymaking. Personal data and its protection have formed the basis of the discourse around privacy. What is less talked about is non-personal data — a large universe in itself.
What is non-personal data?
Examples include data on climate and weather conditions, aggregated e-commerce sales and data on commuting patterns. India, it seems, treats data as a fuel that will power new industries. Evidence of this lies in the Telecom Regulatory Authority of India (Trai) consultation paper on data privacy released in 2017. It said that “there is a global trend in the creation of new services based on data”. The executive’s attitude too seemed to suggest that data was a mere commodity. The draft e-commerce policy, released in 2019, said that the success of large firms depended on their access to data. It suggested restrictions on the free flow of data so that domestic startups could use it to develop innovative solutions, just like larger companies.
Why is non-personal data important?
Non-personal data is the key that will unlock the doors of economic value and innovation in the country. According to a February 2020 Trai note, there are 661.94 million broadband users in India, until December 2019. They shop, consume content, pay bills, interact on social media, use search engines, navigate maps and run businesses — all online. It results in a staggering diversity of datasets which organisations can use to foster innovation and growth.
Moreover, this data will be terrifyingly granular. For example, imagine a multi-functional platform that stores users’ location, preferences, contacts, communications habits. It can then integrate machine learning and artificial intelligence with these datasets, pre-empt and map consumer biases and ensure targeted delivery of services. However, only big technology companies possess the capital and infrastructure to create such large volumes of data. Micro, small and medium industries (MSMEs) will find it difficult to match the capabilities of these technology giants.
The government recognises that the scales are tipped heavily in favour of big tech companies. It knows that only those businesses that can process large volumes of data will succeed in the digital economy. Hence, it has mandated the committee to examine if such digital information can be shared to foster innovation and evidence-based policies.
But it won’t be wise to coerce large businesses to share non-personal data that indicates consumer behaviour – vehicular traffic information, for example. These datasets are the intellectual property rights of companies. They invest significant human, conceptual and financial capital to create and build entire businesses around them. Inherent in these datasets is a company’s ability to innovate which will get killed if it is forced to make them public. In this context, how does the government ensure that data is made accessible to startups but not at the cost of a company’s intellectual property?
France’s National Strategy on Artificial Intelligence policy can provide some cues. It encourages economic players to share and pool their data with the state acting as a trusted third party. France’s policy even empowers public authorities to impose openness on certain data because of its societal benefits.
But the mere temptation of public interest can’t guide India’s approach to non-personal data. The country must have a narrow definition of what can be made public and what should remain confidential. For instance, it would be useful to have public data on the impact of coronavirus disease on India. It will help assess the pandemic’s effects on the country’s economy and its public health infrastructure.
The Gopalakrishnan-led committee’s task to draw the contours of non-personal data governance won’t be easy. For starters, the Personal Data Protection Bill, 2019 empowers the government to ask companies for anonymised or non-personal data. But what incentives do companies in India have to share the proprietary data?
Another challenge to create a framework stems from previously signed accords. In 1995, India signed the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), a treaty signed by members of the World Trade Organization (WTO) that gave intellectual property status to databases and other compilations of data. As a signatory to TRIPS, India extended copyright protection to computer databases in 1999. In such a scenario, can there be a clear demarcation between non-personal data that cannot be shared, and non-copyright non-personal data that can be used as a public resource?
These are complicated questions to which there are no easy answers. However, the Gopalakrishnan-led committee can look towards the European Union’s Regulation on the Free Flow of Non-Personal Data to inform its deliberations. It puts non-personal data into two distinct buckets. It recognises the free flow of non-personal data as a prerequisite of a competitive economy. The regulation ensures the free movement of data across borders and prohibits data localisation.
Like many other countries, India too will have to define non-personal data in a manner that protects intellectual property rights, serves genuine public interest and promotes innovation. Else, the dream to harness the power of digital information for economic growth will remain just that.
The writers work at Koan Advisory Group, a technology policy consulting firm. This is the first article in ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector.