By Future of Finance Initiative, Dvara Research
In this blog post, we present our comments to the Report by the Committee of Experts on Non-Personal Data Governance Framework (the Report) in response to the call for comments from all stakeholders by the Ministry of Electronics and Information Technology (MeitY), Government of India. Our response is accessible here.
We are concerned that a sweeping regime with detailed regulatory supporting apparatus has been envisioned in this Report without a clear articulation of the objectives or motivations of such a regime, or why these objectives cannot be dealt with under existing frameworks. Further, it is unclear that the market-wide or consumer-level risks from such a framework have been thoroughly and rigorously considered or fleshed out using well recognised policy analysis framework.
Our response organises our overarching concerns into the following 3 sections:
The Report fails to identify the basis for a separate regulatory regime for regulating non-personal data (NPD).We find that the major objectives stated in the Report, i.e. regarding competition, and addressing privacy concerns are insufficient to form the basis for a separate regulatory framework for the regulation of NPD.
With respect to competition, the Report has failed to provide evidence to establish an abuse of dominance in the market that justifies the need to regulate NPD. Further, entrusting the Non-Personal Data Authority (NPDA) to address issues of market competition impinges on the jurisdiction of the Competition Commission of India (CCI).
Next, the Report requires the NPDA to address privacy concerns that may emerge from the re-identification of non-personal data. This creates the potential for regulatory overlap and clash with the proposed Data Protection Authority (DPA) under the Personal Data Protection (PDP) Bill.
Lack of clarity in concepts and definitions that are foundational to the Report’s vision further weaken the basis for it to exist.
The Report attempts to conceptually distinguish between personal and non-personal data. However, in practice, these concepts are not watertight and often flow into each other. Therefore, regulating them under two separate legal frameworks can create considerable legal uncertainties.
Further, the Report assumes that the sub-categories of Public NPD, Private NPD, and Community NPD are mutually exclusive. Our analysis suggests that data could belong to more than one of these categories simultaneously. This can create confusion in their regulatory treatment as the Report proposes different data sharing arrangements for different categories.
Also, the understanding of groups, group privacy, and collective harm in the Report is narrow. The Report assumes that members of communities or groups share some socially constructed, physical and/or behavioural characteristics and individuals are aware of their membership to a community or group. The Report fails to account for the privacy risks or harms that arise through profiling within databases, where ad-hoc groups are created without the knowledge of the individuals who constitute the group themselves. This limits the robustness of the Report’s conceptualisation of group privacy.
The model of data trustees suggested by the Report does not appear to be representative of the communities it is supposed to represent. The suggestions made for the bodies that will act as trustees indicate that they are not genuine representatives of the community but could merely entrench government control or other power structures. Moreover, there is ambiguity in how the data trustees interact with the data trust, which calls into question the actual authority that data trustees might possess.
The Report proposes seeking individuals’ consent for anonymisation of their personal data. Consent is not adequate for protecting users’ data, as has been well established by the experience of other jurisdictions and rich literature on the subject. While consent is a good first step, similar problems of consent taking that exist for the collection and processing of personal data will persist in the case of NPD as well.
The Report does not provide suitable evidence for the assumptions that underlie the market-based framework for data.
The assumption that data can be “priced” is not tested. The value of data is context-specific, and currently, it is widely recognised that data may not be accurately “priceable”. Research indicates that there are several factors that can help determine the value of data but based on the context of its use. This makes it difficult to estimate an ex-ante price of data.
The assumption that data can be “owned” or be treated like “property” is not tested. Various frameworks support broader control-based approaches to data rather than defaulting to ideas of “ownership”. Any regulatory approach to personal or non-personal data governance must move away from notions of “ownership” which are not well-suited to the reality of how data flows or to the claims of control that various parties have on the information that represents them.
Our full response is available here.