Inika Serah Charles
As is reflected in recent regulatory and policy efforts, the Indian Government has made their intention to establish rights over data collected and processed within India crystal clear. The Government has not shied away from professing data as “unlike any other resource”, and as something that is “core to the future of the economy”. The Government is also contemplating the institution of a data sharing framework that would ‘unlock’ economic benefits from ‘non-personal’ data collected within India. While there is no denying the economic value in data, nor the merits of utilising data for the public good, a carte blanche claim to all forms of data by the State ignores the legitimate interests of stakeholders in the data ecosystem. Through this essay, I explore the myriad of rights that may be claimed in data, which is at odds with the concept of classifying data as an ‘asset’ or a ‘natural resource’ of the State. I then argue that the multiplicity of these rights in data may necessitate an approach to data regulation distinct from those governing traditional economic resources, in order to better provision for stakeholder interests.
The Trajectory of Data Governance in India
In 2017, the Supreme Court of India recognised that individuals in India have a fundamental right to privacy against the State, subject to reasonable restrictions in the case of Justice K S Puttaswamy (Retd.) v. Union Of India and Ors. Importantly, the Court also highlighted the need for a robust data protection law to be put in place for individuals to enforce such rights against non-state parties. On December 16, 2021, a report on the draft Data Protection Bill, 2021 (DPB) was presented in Parliament, taking us a step closer to the regulation that the Supreme Court mentioned close to half a decade ago. Unfortunately, the DPB remains in draft form and is yet to be tabled in Parliament as an official Bill to be enacted as law.
The current draft of the DPB departs significantly from its counterparts such as the EU’s General Data Protection Regulation by including within its scope not only personal data but also ‘non-personal data’ (NPD), which has been defined broadly as “any data that is not personal data”. In 2019, a committee constituted by the Central Government to study the governance of NPD released their report (NPD Report), which recommended the institution of a regulatory data sharing framework to “establish rights over NPD collected and created within India” (emphasis applied) which would ‘unlock’ “economic benefits from non-personal data for India and its people”. This framework contemplates the mandatory access and sharing of identified classes of NPD, which includes anonymised personal data, by ‘data businesses’ for certain ‘sovereign’ or ‘public good’ purposes. This framework is based on creating a new criterion of businesses called 'data business', which has been broadly defined to mean 'any Government or private organisation that collects, processes, stores, or otherwise manages data', which could be either personal data or NPD. Identified data businesses will need to list the meta-data of the NPD (names of data-fields) that they process on a directory, after which data requests may be made for specific purposes. While the current draft of the DPB does not include specifics on the NPD governance framework, it retains the policy space to introduce one in the future, which may draw inspiration from the NPD Report.
An aspect of the proposed law that has received much criticism is that the DPB tilts clearly in favour of the Central Government and against the fundamental right to privacy, by allowing the Central Government to exempt Government agencies from any or all provisions of the law in certain widely phrased circumstances, and without sufficient oversight mechanisms. There are number of existing laws under which Government agencies have the right to seek access to data collected within India for sovereign purposes, without consent from the individual to whom the data relates. These provisions of law are broad, allow for bulk requests to data to be made, and for the most parts, do not contain oversight mechanisms. In addition, a number of existing legal instruments such as in the banking, insurance, and telecommunications sectors prescribe for data localisation. Miscellaneous policy documents and draft laws also sing the same tune. The DPB mandates that ‘critical personal data’ and ‘sensitive personal data’ are to be stored only in India, with stringent exceptions. The Draft National E-Commerce Policy released in 2019 suggested rules for data storage, which was then reportedly removed from its ambit.
The Multiplicity of Rights in Data
The intent of the State to use data for purposes of public good is not unwarranted, as there is ample evidence of the value that insights from data analysis may bring. However, there are bound to be a number of claims that may be made in data that the State may requisition for its use. While individuals and communities may claim rights of privacy and autonomy in data that identifies them, those that apply a degree of skill, labour or capital in their processing of data may instead claim intellectual property or socio-economic rights. The existence of such claims challenge the notion of State ‘ownership’ over data as a form of traditional property, and schemes to extract data for public good must necessarily function within this framework of overlapping rights.
Akin to the concept of an ‘eminent domain’, the Indian Government has time and again stressed that the data collected within the country is a ‘natural resource’. While parallels may be drawn to the existing eminent domain practice of land acquisition, it is not free from controversy. Just as land acquisition has a history of displacing individuals and communities, the Government making absolute and proprietary claims over data as a ‘natural resource’ is troubling as these assertions do not consider the pre-existing and often overlapping rights that accrue to individuals, communities, and organisations in such data.
Data also has very little in common with traditional natural resources. Unlike most resources, data is not finite and can be shared, and duplicated in a way most traditional resources cannot. Jannice Kall argues that data did not become an object that could be captured as property alone, and is instead consistently dematerialised and produced in order to be captured in ways that make it seem like a coherent object for the economy and the law. What then, are the ownership or property rights that can be claimed in data? The Supreme Court of India has held in K.T. Plantation Pvt. Ltd. & Anr. v. State of Karnataka, that the term ‘property’ under Article 300A of the Indian Constitution includes intangibles like copyrights, and other intellectual property and embraces “every possible interest recognised by law”. Unlike a natural resource such as oil, to which data is very often compared, raw data does not often possess inherent value, and derives its value from how it is used, analysed and processed, to which there is unlimited potential.
The non-rivalrous nature of data allows for multiple parties to ‘possess’ and exploit the same data in their own way, after collecting it independently from the same source. Those collecting and processing data may claim intellectual property or socio-economic rights in the data, such as under copyright or trade secret laws. Interestingly, while countries such as the EU recognise a sui generis right in the content and structure of a database, Indian Copyright law requires a database to exhibit a modicum of originality in order to qualify for copyright protection. Data is also not just an economic resource but is intrinsically linked to individuals and communities, whose interests need to be protected. Data that contains personal identifiers is subject to individual privacy rights in India, which do not explicitly recognise ‘ownership’ rights, but allow the individual the autonomy to control how their data is used and shared via mandates for explicit consent and data protection rights such as the right to request the erasure, and portability of their personal data. The NPD Report also recognises the rights of a ‘community’ in deriving socio-economic value from datasets that are aggregated across a number of individuals.
The mere fact that it is possible for multiple parties to possess overlapping and co-existing rights in the same dataset may necessitate an approach to data governance distinct from those governing traditional property. As Salomé Viljoen notes, regardless of what data is, the democratic shortcomings of the laws governing labour and capital should leave one sceptical about slotting data neatly into these regulatory regimes. Perhaps it is time to shift the dialogue away from categorising data as an economic resource to be commodified, and to instead acknowledge the plethora of rights that may exist in data while it is used within strictly defined limits for public good.
The Consideration of Alternatives
In its focus on harnessing economic value from data, the proposed NPD sharing regime in India does not fully account either for the often-overlapping socio-economic rights of stakeholders, or for individual privacy rights, should the data be capable of identification. It is essential for data sharing mechanisms to foster an ecosystem of trust by respecting these rights, and by prescribing accountability for those who request the data. As Aastha Kapoor suggests, data sharing mechanisms need to create top-down systems to incentivise companies to share data for public use, and bottom-up systems to involve individuals in decisions with regard to their data, and hold governments and businesses accountable. While the NPD Report does well to exempt information comprising trade secrets or proprietary information from the data sharing mandate, there is a need for further granularity in accounting for stakeholder rights, as well as to empower the individual whom the data could identify. The wide Government exemptions in the DPB also do not inspire confidence in the Government processing of data. The two primary interests at stake - protecting the privacy of the citizens, and using citizens’ data for economic gain - sit uneasily with each other, and need to be meaningfully harmonised.
It is therefore essential to provide for the pre-existing rights of individuals, communities, and businesses instead of merely seeing data as a good to re-possess. This may be achieved in a number of ways.
First, data requests should be allowed only for specific and granular public good purposes, with the data requester being legally obligated to maintain confidentiality and comply with any applicable data protection legislation.
Second, the central management and control of a data sharing framework should be re-thought, given that cities and localities would have a better understanding of the problems that could be solved with more efficient utilisation of data. The DECODE project, for example, deployed city-wide pilots in Amsterdam and Barcelona that allowed individuals to control how their personal data was shared and utilised via a decentralised platform, envisioning cities as custodians of the digital rights of citizens.
Third, data sharing mechanisms should be voluntary, and incentivise the sharing of data through measures such as pricing as per identified data valuation frameworks, and forging public-private partnerships akin to the Social Science One Project, and collaborative data sharing frameworks such as the Creative Commons. Recognising the vast amount of data available with the Government, data sharing should be a two-way street, with private entities being able to access Government owned datasets for specified purposes. The existing Open Government Data platform in India run by the National Informatics Centre could be utilised more efficiently for this purpose.
Fourth, individuals and communities should play a key part in deciding how their data is used. While the DECODE project is one such use-case, closer to home, the Data Empowerment and Protection Architecture (DEPA) deployed for the FinTech sector in India is a good example of an attempt to restore user autonomy for the use of financial information via informed consent. It would do well to incorporate DEPA principles into broader data sharing frameworks that may be introduced in the future.
Fifth, alternatives to a central data sharing framework such as ‘data trusts’ could be explored. Especially relevant for the protection of ‘community data’, data trusts should involve the collective stewardship of the data pipeline in public trusts that are subjected to scientific oversight and democratic accountability. Sixth, and perhaps most importantly, the Government must be held accountable for the lawful processing of data, and to this end, the wide exemptions for Government agencies in the DPB and similar laws must be revisited and narrowed, leaving room only for absolutely necessary exemptions coupled with oversight mechanisms.
As Salomé Viljoen suggests, data governance presents an opportunity to leapfrog struggles of democratic governance of data altogether to develop true alternatives, which is perhaps the best foot forward.
Inika is a lawyer currently working with the TMT Practice Group at Nishith Desai Associates. Her views expressed in this piece are personal.