Non-personal data norms: Too much, too soon?

Author: Mayank Mishra
Published: February 01, 2021 in the Financial Express
The rationale for government intervention seems unclear and needs further debate. Even if there are positive externalities to some data, there seem to be significant potential costs for the whole digital economy under the NPD framework.

With the exponential rise in the use of data by businesses, several regulatory challenges have emerged. Issues pertaining to data sharing pose some of the biggest challenges. In July 2020, the MeitY released a report on non-personal data (NPD) governance framework with an aim to promote data sharing by businesses for public welfare. It intends to regulate data sharing so that the benefits accrue to India, its communities and businesses. While the purpose of data sharing for public welfare is commendable, the suggestions made to govern NPD were met with widespread disapproval from many stakeholders. It was noted that the framework was wide-ranging in its recommendations which could be misused against larger data businesses.

Taking into account the feedback from the first report, the government released a second version in December 2020. While it brings more clarity, there are still issues that need serious attention.

Analysing the government’s decision to intervene: Economic theory states that a government should only intervene in economy when there is market failure, i.e. when the forces of demand and supply do not lead to an efficient outcome. The market failure that the government envisages in the case of NPD is positive externalities associated with sharing of data. According to this rationale, the data collected by a firm can benefit firms and communities beyond the one that collected it. The committee has given many examples, such as road data collected by cab aggregators, which can be used by municipal bodies to improve road design, or cancer hospitals sharing their data for medical research. However, while there are benefits of sharing data with the community, there are also potential costs and risks.

Potential impact of the NPD framework on firms: Firms that invest in collecting data incur a significant cost in doing so. The cost is incurred in order to reap future revenue by providing innovative products and services, enhanced user experience or efficient operations of firms. The data collected, in effect, gives competitive advantage to a market player compared to its competitors. However, if the proposed NPD framework is implemented, a business can potentially lose its competitive advantage if its data could be accessed by its competitors through data trustees. This could disincentivise businesses to collect data in the future, thereby hampering the data economy. Unlike the popular adage ‘data is the new oil’, data doesn’t exist naturally. Datasets are built over time through conscious efforts of companies collecting data. Therefore, by destroying the incentive to collect data, we risk defeating the whole purpose of this framework.

The rationale for government intervention seems unclear and needs further debate. Even if there are positive externalities to some data, there seem to be significant potential costs for the whole digital economy under the NPD framework. The government, therefore, needs to do a thorough cost-benefit analysis of the framework and implement it only where it establishes that benefits outweigh the costs.

Finally, apart from distorting the market, the NPD framework could lead to negative externalities by compromising the privacy of the individuals. While the framework specifies that only anonymised, non-personal data can be shared through data trustees, there still remains a possibility that data is de-anonymised by an entity, thus revealing personal information. Further, under this framework, once the datasets are amalgamated in HVDs with different data trustees, it will be extremely difficult to track and control downstream usage of these datasets. Experts suggest that by triangulating different datasets, there is a high risk of identification of individuals and groups of individuals. Once a dataset is shared outside of the purpose for which it was originally collected, it is almost impossible for any regulator to control its end-usage. It can be argued that while Indian policymakers, on one side, are proposing purpose limitation and progressive rights for individuals under the PDP Bill, we are, in fact, risking diluting those protections through forced non-personal data sharing.

Owing to the myriads of issues with the NPD framework, the government should tread cautiously in regulating such a fast-moving and dynamic field. We risk stifling the digital economy by fighting too many battles together. Privacy and innovation should continue to be core goals for regulation of the digital economy, compulsory sharing of NPD is a potential affront to both.