Author: Deepro Guha
Published: August 06, 2020 on Firstpost
“Today, data is the real wealth and it is being said that whoever acquires and controls the data will have hegemony in the future. The global flow of data is creating big opportunities as well as challenges.” These words were spoken by the Prime Minister of India during his speech at the World Economic Conference, 2018, perhaps an indication of the regulatory proposals in the offing. 50 crore Indians, over and above the current 45 crore, are expected to come online for the first time by 2022. Internet traffic in India is expected to rise to 78 exabytes (an exabyte equals a million terabytes) by 2021.
This exponential rise in the quantum of data generated in India would potentially create conditions for a thriving data market that can further be leveraged for the creation of new business opportunities, new forms of employment, evidence-based governance solutions, social welfare interventions etc.
In this context, the regulatory control of data is high on the government's list of policy priorities. Regulation of data can be viewed through various prisms and policy objectives: privacy, national security, competition, ownership and innovation. Some of these objectives run counter to each other and there are several trade-offs that the government needs to make.
Current laws and policies
Currently, the laws in place for regulation of data are bare bones, with Section 43 of the Information Technology Act providing for basic norms of reasonable security practices during handling of data and punishments for contravention of the same. To further the scope of data regulation, the Government of India has been working on the Personal Data Protection Bill (PDP Bill) for regulation of personal data, formed a committee to advise on regulation of non-personal data and also touched upon data regulation in sector-specific policies/laws such as the draft E-Commerce Policy, draft Digital Information Security in Healthcare Act (DISHA), RBI regulations for financial data etc.
While data regulation becoming a policy priority in India is very much in line with government action around the world, the Indian government’s approach can be described as haphazard and even overzealous.
Of the above-mentioned policy proposals, three proposed regulators are especially on a collision course as they regulate the entire data economy. The first is the proposed Data Protection Authority (DPA) under the PDP Bill, which would be instituted with the objective of protecting personal data. Its jurisdiction would cover regulation of rights of data principals (the people to whom the data pertains), sharing of data, consent, cross-border transfer of data, roles and responsibilities of data fiduciaries (the entities which collect the data) and data processors, mechanisms like data audits, classification of data fiduciaries etc. Thus the DPA is envisaged as a regulator looking at privacy as well as national security concerns.
Second, the report of the Expert Committee on Non-Personal Data (NPD report) has suggested the setting up of a Non-Personal Data Authority (NPDA), with the objective of facilitating sharing of non-personal data between entities who hold a large amount of data and Indian start-ups and other entities to build new products. Its jurisdiction would cover adjudication of data sharing requests and anonymisation of data, among other things. Thus, the NPDA is envisaged as a regulator looking at unlocking economic benefits and ensuring smooth functioning of a ‘data market’.
Third, the leaked draft National E-Commerce Policy 2020 mentions setting up an e-commerce regulator which would ensure “fair competition, consumer protection (to the extent not covered by Consumer Protection Act) and handling of e-commerce related data issues”. However, the policy defines ‘e-commerce’ in a manner that makes it interchangeable with ‘digital economy’, which makes its reach as vast as that of the above-mentioned regulators, covering the entire ambit of data-driven entities.
These three proposed regulators, with powers to govern data across industries in addition to sectoral regulators, risk forming a regulatory cobweb, stifling innovation in data-led businesses and increasing their compliance costs. The significant overlap in their powers and jurisdiction is even more concerning when one delves deeper into each of these proposals and examines some of their key provisions.
The first major problem is the definition of ‘non-personal data’. Non-personal data according to the NPD report is currently defined as any data which is not personal. Both technical and legal experts are uncomfortable with this definition.
While many technical experts contend that any level of anonymisation isn’t a foolproof guarantee against reverse engineering of data, legal experts contend that as collection and processing of data is a complex process often with no clear dividing lines between types of data, such an expansive definition is bound to create jurisdictional confusion between DPA and NPDA.
Additionally, while anonymised data is considered to be non-personal and thus ideally regulated by the NPDA, the NPD report’s recommendation of adding explicit consent provisions for anonymisation under the PDP Bill as well as Clause 82 of the PDP Bill providing for penalties for re-identification of anonymised data, could bring anonymised data under the jurisdiction of DPA as well.
Another source of confusion may be the definition of ‘data businesses’ (in the NPD report), as this bears a striking resemblance to the definition of ‘significant data fiduciary’ (SDF) in the PDP Bill. Both these terms are based on quantum of data collection thresholds, but these standards may be different in each case as they are decided by different authorities.
Similarly, confusion may occur between the proposed e-commerce regulator and the DPA, both of which are envisaged to have powers to define rules for cross border sharing of data.
To add to this puzzle, powers of proposed non-regulatory bodies such as ‘data trustees’, as suggested by the NPD report, also seem to clash with powers of the regulators. A ‘data trustee’ is proposed to be responsible for protection and enforcement of data rights of a community. The NPD report mentions that data trustees may have powers to order mandatory sharing of data, which could encroach on the regulator’s power to adjudicate on such requests.
Thus, with all the above proposals, it is safe to say that we are headed into a regulatory quagmire which can be a huge impediment for data-driven businesses. While, prima facie, some of these proposals do mention that the regulatory scope will be well defined to avoid confusion, clarity will remain elusive unless ambiguity over some of the key definitions is resolved.
In its attempt to extract the maximum value from the data economy, the government must resist the temptation to be overzealous in regulation. An overly complex regulatory structure can impede innovation, eroding the benefits of the data ecosystem that the government sought to reap in the first place.