On July 12, the Committee of Experts on Non-Personal Data Governance Framework submitted its report to the government. The Committee was constituted in September 2019, by the Ministry of Electronics and Information Technology and chaired by Kris Gopalakrishnan, the former executive vice-chairman of Infosys.
The report lays down recommendations to regulate Non-Personal Data (NPD), and highlights other issues related to such data. The Ministry of Electronics and Information Technology (Meity) has sought public comments on the draft recommendations by 13 August, 2020.
Aim of the report
A handful of companies dominate the global digital economy today. While these organisations were nimble enough to extract value from data, others realised its importance much later. Exclusive access to voluminous data and strong network effects give a significant advantage to established players, and act as entry barriers for newer organisations — something the government is acutely aware of.
In the next few years, India is projected to be one of the top consumer markets in the world, and can be expected to generate unprecedented volumes of data. The country’s total mobile data traffic would be about 264 exabytes per year by 2025, according to the latest Ericsson Mobility Report. Between 2019 and 2025, the compound annual growth rate of data traffic is expected to be 21 per cent. In this context, the entity that controls data will dominate the data economy. It is for this reason that the Indian government intends to regulate all aspects of data — personal or non-personal.
Categories of NPD
The Government of India had expressed the importance of data for India’s economic growth in the Draft National e-Commerce Policy in 2019 — an aspect cemented in the Committee’s report. The Report recommends a data sharing framework in order to create a level playing field and encourage competition. The Committee has laid the foundation to do so by introducing different categories of NPD.
It proposes different remunerative models for data sharing, based on the value of data in these categories. For example, Public NPD, such as anonymised land records collected by the government, will be available as open data. Under the category of Private NPD, the companies shall have the discretion to share high-value data like proprietary knowledge, inferred or derived data/ insights.
The third category, called Community NPD, is not well-defined. It is a broad classification which includes “anonymised personal data and non personal data about inanimate and animate things or phenomena”. It includes raw or factual data, or datasets, of anonymised user information collected by private players like e-commerce platforms, ride-hailing aggregators, telecom companies etc.
This is an umbrella definition, which includes almost all sectors of the digital economy. Its premise is that common interests bind the parties which contribute to such data. This common interest can be economic, social or even socio-economic interactions — there is no specificity to the term. Such an overarching classification ignores the nuances of diverse online businesses. For example, while multiple people contribute to the functioning of Google maps, e-commerce platforms only connect buyers and sellers for business-to-business, business-to-consumer or peer-to-peer commercial transactions. The report looks upon Community NPD as a shared asset, which gives the communities who contribute to it, key rights over it. However, the definitional boundary of a community is fluid, and almost anyone can lay claims on it. The report says that it is mandatory to share Community NPD so that it can be used to promote “beneficial ownership/ interest” of the community. However, there is no clarity on how it will translate into shared benefits. The jury is out on how this clause will be enforced, and operational difficulties are likely.
The report mandates private organisations to share Community NPD with Indian citizens, governments, start-ups, companies, universities, research labs and non-government organisations, among others. There will be no remuneration to share raw data. However, remuneration for data that attains moderate value after being processed can be shared on a Fair, Reasonable and Non-discriminatory (FRAND) basis. The only time an organisation can earn a market-determined price is if it offers data with high value additions i.e. algorithms/ proprietary knowledge.
Value of raw data and datasets
The report’s assumption is that raw data is the least valuable asset for an organisation. But this may not be true because companies assess the value of data on different parameters, like their degree of market power, size of the market and the existing information asymmetry companies face with their customers and competitors, among others. More importantly, datasets that involve a degree of creativity may be protected under copyright laws. Some jurisdictions are only beginning to explore the propriety value of organising digital data into datasets. For example, the Indian Copyright Act, 1957 grants protection to computer databases. The copyright in this is given if the database satisfies the requirement of originality. The judiciary in Eastern Book Company case, 2007 adopted the “modicum of creativity” rule to clarify the meaning of original work. According to this principle, copyright will be assigned to the work that exhibits a minimum level of intellectual creativity. However, the application of this law to digital datasets and machine generated data is yet to be tested. Moreover, there may also be cases where data or datasets could reveal proprietary processes that organisations use to gather or generate raw data. There could also be conflict with legal obligations that consider such processes a trade secret.
The scope to access data seems to be extensive, with few checks and balances. Even though the report purports to address entry barriers in the digital ecosystem, almost every organisation, from a start-up to a business conglomerate, can request access to raw data. The proposed Non-Personal Data Authority will determine data sharing requests based on their social, public and economic benefits. These parameters are vague and give wide discretionary powers to the regulator.
Overregulation: a looming spectre
India’s technology sector may soon witness overregulation due to the birth of at least four regulators – the proposed Non-Personal Data Authority (NPDA), Data Protection Authority (DPA), the E-Commerce Regulator, and the Central Consumer Protection Authority.
The rise of multiple regulators in the same sector are likely to result in jurisdictional overlaps and might adversely affect the quality of regulation due to costly, slow and, potentially, contradictory oversight. For example, in addition to the NPDA, the DPA is also expected to regulate non-personal data to ensure that it is compliant with the data-sharing provisions of the PDP Bill. A potential conflict between the NPDA and the Competition Commission of India (CCI) is another point of concern. One of the CCI’s roles is to address market failures — something the NPDA is also expected to deal with in the digital industry. The CCI, a fully functional body with technical and economic expertise to deal with competition issues, can be strengthened to address antitrust conduct in this sector.
The Committee’s report on NPD unveils a road map to unlock the true economic potential of data. However, conflicting regulatory roles, overarching definitions and the lack of nuance can act as hurdles in the way of digital economic prosperity. A policy that helps maintain a level playing field between players, articulates narrow definitions of data, defines boundaries of anti-competitive conduct in digital markets, and creates a balance between innovation and access to data, can help India reap the economic benefits of non-personal data.
The authors work at Koan Advisory Group, a technology policy consulting firm. Views are personal.
This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector. Read all the articles here.