ISAS Briefs

Summary

As the Indian government continues to debate the Personal Data Protection Bill in Parliament, the report by a recent committee on non-personal data raises fresh questions on whether the government will altogether sacrifice privacy at the altar of controlling data.

Is data the new oil? True or not, Asian countries are looking to control data to harness its potential to boost economic development. There is a clear recognition in India that data creates economic value, including enormous social and public value. India has been at the forefront of debates around data localisation or the domestic retention of personal data collected in India. Data localisation featured in India’s first Personal Data Protection (PDP) Bill unveiled in July 2018 by the Justice Srikrishna committee but the emphasis on localisation softened in the second iteration of the bill released in December 2019, which is now being discussed in Parliament. As deliberations on the PDP Bill continue, another committee that was discussing non-personal data (NPD) recently released its report on what the Indian government should do with NPD, the implications of which could matter more than the bill regulating personal data.

In September 2019, the Indian Ministry of Electronics and Information Technology (MEITY) formed a committee of experts to discuss whether a NPD governance framework was required to deal with the anonymised data being generated. The committee was also tasked to make specific suggestions to the government on how to regulate NPD. The committee consulted representatives from various sectors, including business, think tanks and civil society to solicit their views and ideas. NPD, the committee’s focus, refers to anonymised data or data that does not contain any personally identifiable information; in essence, this means that no individual or living person can be identified by accessing this data. NPD includes climate trends collected by weather services and apps or traffic patterns gathered by a public transit operator or private cab service. The committee had to, in effect, recommend a framework and a policy that the government can adopt to leverage the data being collected from 1.2 billion Indian citizens that different entities, government and nongovernmental actors like small businesses and other organisations, can use to improve their capabilities, operations and services.

The need to regulate NPD ostensibly emanates from two motivations. First, like personal data, NPD has tremendous economic value that requires regulation to ensure it is used for public benefit and not misused or appropriated. And second, anonymised data being collected could be used to better governance. These objectives have guided the government’s approach on data the last few years. In August 2017, India’s telecommunication regulator released a consultation paper that extolled the economic value of data and for sufficient protections to ensure personal data receives adequate safeguards. Soon thereafter, NITI Aayog released India’s National Strategy for Artificial Intelligence that stated that the concentration of data amongst few tech firms prevented the access of data for an entire technology ecosystem. The AI strategy suggested that data must be openly shared for good governance. This impulse was reinforced by the Srikrishna committee which drafted India’s first PDP Bill that also called for protecting community data notwithstanding provisions covering personal data.

These developments predated the NPD committee’s formation, headed by former Infosys co-founder Kris Gopalakrishnan. The committee’s report calls for NPD generated in India to be harnessed by domestic agencies and companies to generate economic gains. It recommends a separate regulation covering NPD that enables different actors like the government, businesses and other organisations to request anonymised data for particular purposes. The report, in effect, proposes a regulatory structure that would obligate data sharing by entities collecting data while requiring registration with a new data regulator to leverage it for private use. To ensure a level playing field that does not favour big companies or the government, the committee also proposed establishing a new regulator or the NonPersonal Data Authority that would arbiter how NPD is used and deployed. The committee’s hope is that data sharing, given the record amounts of public and private data being collected, will ‘spur innovation at an unprecedented scale.’

Whether mass innovation occurs or not, the committee’s report has heightened fears that the government plans to create a digital state propelled by data. One message that the committee is sending to entrepreneurs and startups is that the government or another data steward or trustee has more right to your data than yourself. So as firms collect data through their applications, they will not have proprietary access to it once it falls under the category of ‘community NPD’ that is collected within a particular industry.

This approach does signal to United States and Indian tech firms who organise their businesses and operations around data collected on their platforms that data cannot be withheld and that the time has come to dismantle data silos for public interest. The key question going ahead is whether tech firms will comply with this policy approach, should an NPD legislation be enacted, which could compel them to rollback investments and operations in India. Moreover, anonymised data becoming more accessible could also create security risks, particularly related to identification. Stakes are high and the tradeoffs appear difficult. New Delhi has to balance privacy concerns, security risks and investment opportunities as it decides how it will regulate both personal and NPD.

. . . . .

Dr Karthik Nachiappan is Research Fellow at the Institute of South Asian Studies (ISAS), an autonomous research institute at the National University of Singapore (NUS). He can be contacted at isaskn@nus.edu.sg. The authors bear full responsibility for the facts cited and opinions expressed in this paper.

Photo credit: Wikimedia Commons