The Bill gives government agencies unrestricted power to acquire any piece of anonymised non-personal data without guidelines, checks or limitations. Without protection, companies and individuals may be arbitrarily forced to share data.
Editor’s Note: This article is published in partnership with Aapti Institute.
The government has introduced the Personal Data Protection Bill, 2019 (PDPB) for public consultation. The law is intended to provide a legal framework for how people’s data is handled, protected and shared with companies and government agencies. Currently, India’s data protection laws are outdated, comprising only the IT Act of 2000 and IT Rules of 2011. And the scale of regulation and legal protection in these laws is inadequate, given the current size and nature of India’s digital economy.
The PDPB seeks to address this gap. In pursuit of this objective, the Bill deals with the terms under which data can be shared, including with the government. But it does not sufficiently protect the rights of users, even though this is, in fact, one of its key objectives.
Government Power Over Non-Personal Data
Under the PDPB, any entity may only collect, store or process any personal data after taking explicit and informed consent from the individual(s) to whom that data pertains. Further, an entity processing this data (called the ‘data fiduciary’ under the law) owes certain duties to these individuals: The individual must be aware of what the data is used for and the data must not be processed in a manner that violates their consent or goes against their interests.
While the PDPB deals chiefly with the regulation of personal data, it also mentions non-personal data and ‘anonymised’ data – or data from which all identifiers of individuals have been removed – in the context of mandatory data sharing.
The PDPB defines non-personal data as “all data that is not personal data”. This catch-all negative definition of non-personal data is extremely wide in ambit and covers a lot of information that may be proprietary information of companies and other stakeholders.
While a broad definition may not be a problem in and of itself, the Bill also allows government agencies to direct any entity to provide them with anonymised personal data, or “other non-personal data”. This provision gives government agencies unrestricted power to acquire any piece of non-personal data without guidelines, checks or limitations.
Powers without checks leave the provisions open to abuse by authorities – and puts companies and individuals at risk of being targeted or harassed. The Bill needs to incorporate guidelines that ask for a specific set of conditions to be satisfied before government agencies are allowed to direct entities to provide anonymised or non-personal data. Without such protection, companies and individuals may be arbitrarily forced to share data. Companies may be legally forced to share their trade secrets, for example, and details on high-value transactions – all of which may not only affect participating entities but also consumers and the market in general.
Ensuring that any request for mandatory data sharing is only made under the specified circumstances is an important function – and the process may be made more transparent by the presence of an intermediating body such as the data steward. Data stewards play a more important role in the context of non-personal data since this kind of data does not have the same kind of privacy concerns as personal data – and also because of the higher financial value attached to aggregated datasets.
Market Competition Concerns
Managing data sharing is one of the principal functions of data stewards. An example of this is the X-Road system of data sharing used in Estonia, which has been replicated in a number of developed nations such as Japan, Iceland and Finland.
The X-Road employs a decentralised system for e-governance services, which users access through multiple access points. Services and users connected to the system retain data locally and only user identity is verified in order to carry out transactions. This enables users to plug-and-play using their data with various services, thereby enabling portability and empowering the consumer with alternatives on when to avail of which services. With a standard personal dataset to plug in, one may choose from various services with the same profile, or – in theory – even from competing vendors for the same service, such as by choosing from different ticket sellers, cab aggregators, etc.
Enabling data sharing amongst a wider set of stakeholders is crucial to utilizing the dormant value of data that is soiled and restricted to sharing solely on the terms of the initial point of collection – points which have resulted in existing oligopolies of aggregated datasets. The competitive advantage that a company gains through digital data market provides advantages in allied markets, and with the size of industry incumbents, leads to high barriers to entry and abuses of their dominance.
While the PDPB does not go into data management itself, it does prescribe a ‘consent management engine’ that claims to enable users to provide and revoke consent to third parties for accessing their data. The provision of consent managers is one of many possible approaches to data stewardship, but apart from the collection of consent and permission, it does not address many aspects.
In its current form, the Bill does not address questions on the level of granularity of consent that is allowed. Without allowing users to choose what data goes where, the system is reduced to a data exchange engine between different companies. While the interests of these businesses are served by enabling easier data exchange, user control and meaningful consent are compromised further.
In light of these drawbacks in the proposed legislation, the Joint Parliamentary Committee should strongly reconsider the framework to regulate data effectively, in order to balance the multiple interests of security, private companies and users.
The current framework of data sharing and usage does not lend itself to efficient usage of data – or maximise the value flowing from it. Users need a path towards maximising their agency, in order to be able to realize the rights granted to them under the PDPB. India’s data governance framework is in serious need of a structure that allows for the expression and protection of user interests, in the context of data value chains and the market forces that control them.
Siddharth Manohar is a lawyer by training and a Senior Research Associate at Aapti Institute. His work covers the legal and policy issues around the data economy and the regulation of digital platforms. Currently studying models of data sharing, he is interested in how technology and law can be used together for creative policy design.