Any new framework for non-personal data must consider that data is not just an economic resource to be commodified, neither is it an instrument of sovereign leverage for the state against private players.
This article is part of the series — Tech in the New Decade.
In July 2020, an expert committee established by the Ministry of Electronics and Information Technology (MEITY) released a report on the Non-Personal Data (NPD) governance framework for India. The document is well-intentioned in that it recognises the public value of data, and the need to democratise its use. It also critically, albeit vaguely, highlights the need for collective rights to data that is essential for meaningful negotiation in the data economy. The report aims to build off the Personal Data Protection Bill (PDPB), but creates a false dichotomy with its proposition that personal data is to be protected, while non-personal data is to be shared and re-used. Some of the core ideas of the NPD report are the results of a growing global realisation that data is a valuable resource, which is currently concentrated in the hands of a few big global technology companies, and the “public” is unable to adequately harness its value. In the EU, the recent Data Governance Act (DGA) makes similar assumptions. However, the framework set out by the NPD report to achieve this is potentially harmful and needs to be re-examined.
There are many critiques of the NPD framing as outlined by the report, which effectively took a bulldozer to a problem that required a scalpel. It is so focused in unlocking the economic value of data for the Indian public and businesses, that it has ignored major concerns of individual privacy, the value of globalisation and state accountability. Even its framing of community data rights, though novel, does not adequately clarify the mechanisms through which communities can ensure that their data is used for public good and not just be commodified for private profit. It problematically embeds NPD frameworks in economic rights to natural resources, and gives the government undue power to coerce private entities to share their data. It incorrectly assumes that this regime of mandatory data sharing will help address questions of market power, when instead, it will likely impact investment in innovation, and more broadly in India’s digital landscape.
The framework needs to be reimagined from multiple perspectives. From the ground up, people — individuals and communities — must control their data and it should not be just considered a resource to fuel “innovation.” More specifically, data sharing of any sort needs to be anchored in individual data protection and privacy. The purpose for data sharing must be clear from the outset, and data should only be collected to answer clear, pre-defined questions. Further, individuals must be able to consent dynamically to the collection/use of their data, and to grant and withdraw consent as needed. At the moment, the role of the individual is limited to consenting to anonymise their personal data, which is seen as a sufficient condition for subsequent data sharing without consent.
Collectives have a significant role to play in negotiating better rights in the data economy. Bottom up instruments such as data cooperatives, unions, and trusts that allow individual users to pool their data rights must be actively encouraged. There is also a need to create provisions for collectives — employees, public transport users social media networks — to sign on to these instruments to enable collective bargaining on data rights. The government must incentivise these instruments to ensure that data is used in service of public benefit and in a manner that is decided by communities as opposed to a centralised state apparatus. For instance, it may be possible for the government to mandate data cooperatives for establishments with over 20 employees. At the moment, the government’s interests are conflated with society’s, and instruments of collective data rights will add necessary friction to these assumptions.
Further, there is a need to incentivise data sharing by inculcating faith in the process of sharing top-down. Beyond a robust data protection framework currently missing in India, collaborative spaces for data sharing within industries and between companies need to be created. Data exchanges, which allow the use and exchange of data in a secure and standardised manner, are useful points of reference. For instance, in Japan, IOT (Internet of things) data is shared amongst key players in the industry. Platforms like the IUDX in India can also serve to make data sharing a reliable and mutually beneficial exercise. There is also value in considering non-coercive strategies to share data in public interest such as tax breaks and public recognition through awards, which increases trust and confidence from users. In the EU’s DGA, primacy is given to data altruism, the voluntary sharing of data for public use, which has been critiqued for being too soft on technology companies but is likely to have greater impact than the mandatory sharing outlined in India as companies are likely to comply more willingly to voluntary mechanisms as opposed to coercive ones.
Finally, data sharing cannot be a centrally managed and controlled exercise. It has to happen at different levels for different purposes, with cities playing an increasingly important role in data use and management given their proximity to and understanding of community-driven uses of data. For instance, Barcelona — through the DECODE project — implemented citizen-led data sharing to make data more accessible to local communities and businesses. For example, in one effort, citizens in Barcelona shared anonymised environmental sensor data from their homes — encrypted through the DECODE technology — with community groups to better engage with their city government. This enabled citizens to control what data is shared and with whom. An idea like this could be implemented in local communities and neighbourhoods in cities like Delhi to help the the government address civic issues like pollution, especially since more and more households are tracking pollution levels through sensors.
Any new framework for non-personal data must consider that data is not just an economic resource to be commodified, neither is it an instrument of sovereign leverage for the state against private players. It is intrinsically tied to people — individuals and communities — and needs to be protected and used in pursuit of empowerment and public well-being. There is a need to create top down systems to incentivise private technology companies to share data for public use, and bottom up systems to involve people in decisions with regard to their data and hold governments and businesses accountable. Only through these complementary processes can we build a robust ecosystem system for sharing NPD.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.