Non-Personal Data Governance Framework: Govt Is Creating Ways for Brown Sahibs To Have Your Data
Mishi Choudhary, a technology lawyer and online civil liberties activist, writes on how the Non-Personal Data Governance Framework report submitted by the Ministry of Electronics and Information Technology is problematic and allows corporate to exploit individual's data.
In July of 2020, an expert committee constituted by the Ministry of Electronics and Information Technology to study various issues relating to non-personal data and to make specific suggestions for consideration of the Central Government on the regulation of Non-Personal Data issued a report on Non-Personal Data Governance Framework (NPDGF). Non-Personal Data is defined as any data that is not personal data (data pertaining to characteristics, traits or attributes of identity, which can be used to identify an individual).
Through this document, we are being told how important a data-driven economy is and how regulatory protectionist measures are the only way to compete with large American platform companies.
The NPDGF combines the immensity of ambition with the scarcity of architectural clarity and legal coherence. It imagines a political economy for "non-personal" data in India, maximalist when it comes to government control and minimalist concerning the rule of law. Its definitions and categorizations are notably vague; its analysis of the relations between its proposals and existing legal rights is non-existent. Here we try to highlight a few problematic areas of this framework.
a) The report does not define rigorously the line between personal and non-personal data. Its examples and illustrations, which are chosen apparently at random throughout the report, suggest that any personal data can be reclassified as non-personal data by applying ineffective "anonymization" techniques that scholars in the field have repeatedly shown do not work. The report proposes to treat hospitals and other health care deliverers, for example, as "Data Businesses" who can be compelled to publish meta-data and satisfy third-party commercial requests (on terms to be fixed by government authorities). But the data involved is derived from individual health records, among the most sensitive and personal forms of personal data. These and other similar passages imply that "deriving" data from personal data extinguishes individual rights of privacy. Merely including a clause for consent to be given by the data principal for anonymization will not be sufficient to protect her interests.
b) The report also states that data "derived from public sources" is all public data, as though subject to a kind of "data copyleft" that exists nowhere else in the world's legal systems. The process of "deriving," "processing," or "aggregating" data is the central puzzle in the law of data-sharing. The report gives no analytic account of how the law should treat data derivation. It makes conclusory declarations instead.
c) The report imagines a public data authority empowered to enforce the sharing of "non-public data" by private parties who have collected or generated it, with the power to order unwilling parties to share if the requests are "justified." No substantive provisions of law, or process for judicial review are proposed to qualify this extra-constitutional discretion, which threatens to infringe on both the fundamental rights of privacy and free expression.
d) The report makes no effort to assess the interaction between its broad compulsory licensing system and existing legal rights protected by patent, copyright, and trade secret law. The report appears to establish a comprehensive trade secret legislation in India for the first time, by giving an administrative authority complete unreviewable discretion to order the disclosure and permit the commercial appropriation of commercial secrets.
e) The report imagines a new domain of community data. It anticipates granting government authority complete discretion to identify and set the boundaries of "communities," and to empower individuals to act as the "guardians" or "beneficial owners" of this community data, at government discretion. This "corporatism," in which government defines communities possessing new legal rights and arbitrarily determines the community's legal leadership, is explicitly anti-democratic, though dressed in "will of the people" populist garb.
f) The intended effect of this report's proposals is an immense social subsidy to Indian commercial powers pursuing large-scale data mining. All other parties in the economy collecting significant non-public data could be required to publish indexes of their collections (called "metadata" by the report) and to furnish those collections to requesting businesses, potentially on government order, on government-established terms. No analysis is offered as to the likely effect on competition, presumably to avoid emphasizing the enormous transfer of wealth to the largest Indian data miners that would result.
The report is an ingenious and ambitious plea for immense social and government subsidy for the creation of local data-mining consortiums. Everyone else in the economy who collects data would be put to gathering their ore, to be sold to them at government-set prices on government-decreed terms. In the process of adopting the narrow self-interested views of the aspiring oligarchs, the report raises important issues and presents starting points for discussion by the broader ecosystem of experts in policy and law whose views are not incorporated. As an initial contribution to that larger dialogue, the report is valuable. As a basis for policy-making, it is too grandiose, vague, and one-sided to be useful.
About the authors: Mishi Choudhary is a technology lawyer and online civil liberties activist working in the United States and India. She is the Legal Director at the Software Freedom Law Center and the Founder of SFLC.in. Prasanth Sugathan is the Legal Director at Software Freedom Law Center, India (sflc.in).