A Stitch Too Many

The Non-Personal Data Committee Report could’ve adopted a less-invasive approach to meet its lofty objectives

India is one of the most highly regulated major economies in the world. It is rated “mostly unfree” in the Index of Economic Freedom (worse than communist China and Vietnam) and ranks 129th in the Economic Freedom of the World Index. In a 2011 survey of business executives, India was ranked as the most over-regulated major economy in the world. Therefore, we should be careful about any new regulations that risk increasing regulatory burden and uncertainty for private enterprises. We need to look for ‘minimum needed regulation’ that achieves the desired outcomes. For this to happen, we need to follow a rigorous, structured and iterative process while framing regulations. This includes cost-benefit analysis of various options, public consultations, and transparency.

The Government of India set up a committee to suggest a regulatory framework for Non-Personal Data. This is the data that businesses and governments collect but are not linked to any particular individual. For example, weather data, aggregated traffic data for a city and your anonymised browsing history would all be classified as Non-Personal Data. The committee came out with its report recently, and the Government is inviting comments till 13 August. Among other things, the committee proposes that a ‘data business’ over a particular size should register with the Government, and also share all non-personal data with any individual or organisation that asks for it, either free of cost or at a reasonable remuneration (depending on the extent of processing). It proposes setting up of a new regulator, the Non-Personal Data Authority (NPDA), that will have the primary responsibility of enforcing the framework. For a more detailed summary of the bill, see the articles on Quint or Medianama.

This report has sparked fears of regulatory over-reach, increasing the compliance burden on data-based businesses, and throttling innovation in the country. Some commentators have gone as far as to call it ‘nationalisation of data’. While many of these concerns are valid, we need to revisit why the committee recommended what it did, and whether there is an alternate approach of ‘minimum needed regulation’ that achieves the same objectives more effectively and with lower cost to businesses.

1. Break Data Monopolies

The underlying narrative of the report is that foreign Big Tech companies have monopolised Indians’ data and, therefore, we need to break their stranglehold. The recent report by Tandem Research, titled “Balancing Act: The Promise and Peril of Big Tech in India” makes a similar point — while foreign Big Tech firms have brought tremendous benefit to India, they also result in many harms such as anti-competitive behavior, loss of individual agency, tax avoidance, and impediments to law enforcement.

However, the committee’s recommended action — to mandate sharing of non-personal data — is unlikely to make a dent on the dominance of Big Tech firms in the data economy. As I argued in an earlier article on Big Tech, data portability alone is unlikely to create competitive markets. For example, even if I take my data from Facebook, is there any other social media platform where I can take that data to avail the same service? Moreover, most of the power that Big Tech firms is from the personal data, since that allows them to create ads, experiences and products that are customised for us.

Admittedly, the committee’s mandate was limited to non-personal data and not to the full suite of regulatory tools to tackle Big Tech. However, the tool it proposes (mandatory sharing of non-personal data) will likely not achieve the aim of diluting the impact of foreign Big Tech firms, while creating regulatory uncertainty and risks for domestic firms.

Instead, if the government truly wants to reduce the power of data monopolies, it should consider the following ideas:

• Platform neutrality, so that firms like Amazon or Swiggy that own two-sided platforms cannot unduly benefit their own products at the expense of third-party sellers. This will help create a level playing field for small businesses and start-ups.
• Interoperability, such that a MySpace user can send a message to a Facebook user. Or an Ola user can book a cab on Uber. This will give consumers more choice about which platform they want to use, thus reducing the ‘lock-in’ with Big Tech firms.
• Data portability, such that users can take their data from one platform to another. This is already part of the draft Personal Data Protection Bill. If this feature is made easily accessible and friction-free, it can be far more powerful than the current data sharing proposal in the Non Personal Data Report.

2. Encourage Start-Ups

The Non Personal Data report hinges on the argument that its proposals are good for start-ups. It argues that a new company will be able to compete on an equal footing with Big Tech firms if it can access their non-personal data. Under the proposed architecture, all firms above a certain size will need to share ‘metadata’ on an open platform. Others can look at the metadata, and then ask the firm to share the underlying non-personal data. In case the firm refuses to share data, the requesting firm can approach the regulator.

The relationship between start-ups and Big Tech firms is, however, more complex. Big Tech firms provide critical sector infrastructure that enables small businesses to reach their audience more easily. Big Tech firms also invest heavily in R&D, some of which is accessible to their competitors. More importantly, the mandate to share data is equally applicable to all firms — and to the start-up itself, once it reaches a certain size. Therefore, if I know that one of my competitive advantages — my data — will be taken away once I reach a certain size, will I still have the incentive to innovate.

If the government wants to help the start-up ecosystem, it could consider the following actions:

• Run an open public consultation with start-ups to understand their difficulties. Publish the comments, counter-comments and recommended actions in public, so that all start-ups, large or small, can participate equally.
• Strictly enforce the data portability requirement under the draft personal data protection bill. Under that bill’s provision, the decision to move the data or not is (rightly) with the individual, and not as part of a broad-brush government mandate.
• In case of community data, which is not ‘owned’ by a single individual, suggest a mechanism to define which group of individuals can exercise control over that data. Then, let the holder of those rights — and not just any institution — access the data under the data portability requirements discussed above.

3. Social, public and economic value creation from data

The report correctly argues that a lot of public value that we can extract from data remains under-utilised because data is held with private companies that have no such public interest obligations. Data held by large tech firms can be used for innovative purposes in public health, disaster management, and planning. The architecture that the report suggests will allow governments, among others, to access all non-personal data and then use it for public good.

The route that the panel proposes, however, is disproportionately expansive compared to the problem it seeks to solve, and therefore not ‘minimum needed regulation’. The government already has the right to seek non-personal data from companies under the draft personal data protection bill. If that bill passes in its current form, then adding a duplicative requirement under the non-personal data bill only increases regulatory burden.

Instead, the government could explore ways to reduce the regulatory burden on businesses, while protecting its right to use data for public good. Some suggestions it could consider are-

• Suggest amendments to the personal data protection bill, so that there are enough checks-and-balanced when the government asks a business to share non-personal data. The onus should be on the government to justify why it needs the data and what it intends to do with it. This justification should be put in public domain and could be subject to further checks such as judicial oversight and an appeal process for companies.
• Narrow down the scope of the Non-Personal Data Authority to facilitate such requests from government, and potentially non-profit organisations. The authority should ensure that these requests are justified, fair and that the data request is proportionate to the expected public good. It should also provide a way for the company to dispute the request.

4. Address privacy concerns, collective harms and collective privacy

The report rightly points out that the personal data protection bill does not address all kinds of data-based harms that individuals might be subject to. For example, if aggregated (therefore non-personal) data about a community is used to discriminate against it. An individual’s anonymised data — which is outside the purview of the privacy bill — can still harm her, not directly but by harming ‘people like her’. My colleague, Martin Tisne, makes the point quite emphatically in his recent paper titled ‘the data delusion’.

However, the report itself acknowledges that the idea of ‘collective privacy’ needs further exploration, and places this mandate on the regulator. However, it seems premature to create a new regulator for an area that is currently largely unexplored and poorly-understood. Moreover, regulatory governance best practices suggest that regulatory bodies should have clarity of purpose. Exploration of a new area is not a clear purpose.

Instead, the government could consider an approach that acknowledges the risks that the report highlights, without creating a large bureaucracy around it. It could do so in the following ways-

• Amend personal data protection bill, to make the Data Protection Authority the sole arbitrator of all digital harms that an individual may be exposed to, either directly (individual privacy) or indirectly (collective privacy). This will reduce excessive regulation for businesses, and avoid confusion for individuals about which regulator to approach.
• Create a separate Data Protection Ombudsman, which individuals and communities can approach in case they are being harmed using their personal or non-personal data. Unless such an ombudsman is created, it is likely that the regulator will get over-whelmed by individual or community complaints, as Smriti Parsheera argued in her recent op-ed.

In conclusion, the report has its heart in the right place and identifies many challenges with the data economy — data monopolies, collective privacy — that the personal data protection bill leaves untouched. However, it risks taking a paternalistic approach wherein the government steps in to protect communities and start-ups. Through the non-personal data authority, the the executive could be the final arbitrator of who gets to access data and who doesn’t. Such an architecture could also confuse competition as protecting competitors, rather than protecting consumers and healthy markets. It risks penalising success, rather than market dominance.

All of these risk hurting the business environment in India. Instead, the government should consider policy alternatives that achieve the same goals, but with ‘minimum needed regulation’. More importantly, the government should consider whether it can achieve these objectives by doing existing things well, rather than creates new regulations and new structures.