“Half of what I say is meaningless, but I say it so that the other half may reach you”, quips Kahlil Gibran, the mystic poet, in his celebrated work Sand and Foam. It appears that the Committee of experts on non-personal data governance framework headed by Kris Gopalakrishnan took this age-old adage to heart while writing its report.
While some may argue that the Committee’s heart is in the right place, the exposition of approach is filled with ambiguities, overlaps and lack conceptual clarity. Consequently, unlike Gibran, not even half of what it suggests is clear.
Composition and approach of the committee
Perhaps the fault lies with composition of the Committee. Dominated by government and industry leaders, and absence of cross-functional experts resulted in inability to consider diverse perspectives. It also appears that the Committee did not consider adequate representations from different stakeholder and interest groups.
The brief of the Committee was also vague. It was expected to study various issues relating to non-personal data and make specific suggestions for its regulation. No specific problems were identified which were sought to be resolved through a regulatory framework, neither answers to specific questions were pursued. In fact, the definition and understanding of non-personal data itself, in the report, alludes to the entire universe of data which is not personal data. When at the outset itself the Committee abdicated its responsibility of delving into the nuances of what non-personal data may be, and instead took the path of a negative definition, the remaining substance of the report could be nothing but mindboggling.
Absence of clear directions from the government has resulted in a complete lack of conceptual clarity in the report. For instance, no bright line test has been indicated to distinguish inferences drawn from personal data for the purpose of profiling categorised as personal data, from data inferred through private non-personal data, categorised as such.
Similarly, given citizens have intersectional identities, across communities, location, and gender lines, it is not clear how will it be possible to categorise them into specific communities. Additionally, the scope of meta data and raw/ factual is not clear. Where does raw data end and value-added data begin? These ambiguities strike at the core of Committee’s report and make its foundations shaky.
Where’s the market failure?
The presumption that regulation of non-personal data is necessary at present is not supported by evidence. The Committee believes that regulation is needed to manage data so that India can develop a modern framework for creation of economic value from use of data.
Is this a sufficient justification for regulating non-personal data? If the objective is to leverage economic value of data, should data markets not be allowed to be developed sufficiently before we begin thinking about regulatory frameworks? And once such markets are adequately developed, is competition law not adequate to manage them?
What is the prevailing market failure which the regulation of non-personal data aims to address? Is it clear that prevailing regulatory mechanisms, such as those related to competition, and those under deliberation, such as the personal data regulation, are not sufficient to address any problems which might arise?
For instance, the Committee believes, albeit sans any evidence, that mandating data sharing will spur innovation and digital economy growth at an unprecedented scale in the country.
To this end, it recommends open access to meta data and mandates sharing of raw/ factual data without any remuneration. Is there is any evidence to suggest that start-ups are facing difficulties in accessing raw data and need it for free? Will stripping raw data of its potential value not adversely impact small and medium enterprises engaged in data collection, and be counter intuitive to the objectives of the Committee? Will today’s start-ups, who will grow to be more, have any incentive to develop new products and services on the back of data they gather (i.e. process) today, only to part with it tomorrow?
Is there a government failure?
In the absence of market failure, a regulation typically intends to address government failure. What is the government failure in data markets? What are the public interest objectives which the regulation intends to achieve? This is not clear. Can we not envisage a better mechanism than those suggested by the Committee to achieve such objectives?
The Committee gives non-exhaustive examples of sovereign purpose for which sharing could be mandated, without prescribing for due process to be followed in this regard. This tantamounts to state having a blank cheque to use non-personal data as it pleases, and raises suspicion on any public interest objective which is sought to be met from such provisions.
It appears that the Committee aims to tackle the issue of few large platforms that have a “first-mover advantage”. However, is penalising innovators a productive approach? The Report fails to recognise that platform markets and data markets need to be treated differently. Both have distinct issues resolving which would require different approaches, and mandatory data sharing cannot be a panacea.
For instance, a platform to business regulation may be needed for addressing concerns relating to platform markets, while there is a need to ensure that entry barriers are reduced in data markets. The role of Competition Commission of India is crucial in this regard, and it needs to build its capacity and expertise.
The way forward
There are instances galore of ill-thought through regulatory frameworks designed without considering their direct and indirect, intended and unintended consequences. Ordinary citizens, micro and small enterprises are already bearing the burden of such disproportionate regulatory frameworks. The regulation of non-personal data cannot be allowed to add insult to injury.
There is a need to go back to the drawing board and rethink the need of non-personal data regulation. We may as well find that it is premature to intervene as we run the risk of over regulation. At present, regulating and protecting personal data may be sufficient, including violations from deanonymisation of personal data. At the end of the day, the consumer must necessarily and unequivocally be at the centre of this discourse.
Whenever and this is not at an immediate requirement, the need to regulate non-personal data arises, thinking on first principles would be useful. Such regulation should be citizen centric, focus on achieving equity and correcting power imbalance, addressing informal asymmetry and fixing accountability of players in respect of consumers in the data markets.
Personal and this yet to be clearly articulated concept of non-personal data are two halves of the data economy. Taking inspiration from Kahlil Gibran, we should focus on getting the first half i.e. regulation for personal data, right at this stage. Unnecessary mixing of non-personal data may ruin things and should be avoided.