Top

Tech This Week | India needs to be more mindful in regulating non-personal data

If non-personal data is made subject to mandatory sharing, data businesses will begin classifying such data as personal.

In September 2019, the Indian Government formed a committee chaired by Infosys co-founder Kris Gopalakrishnan to look at the regulation for non-personal data. The committee recently came out with a governance framework, comments to which can be submitted by August 13.

As far as I can tell, the committee is one of the first efforts in the world to exclusively look at non-personal data, which itself is a vast term. Non-personal data refers to the universe minus personal data. This can include a company’s financials, information on a country’s infrastructure projects, traffic data and so on. Besides, unlike the mandate to regulate personal data, where the goal is to put more power in the hands of the users, the committee is tasked exclusively with unlocking the value of non-personal data.

At this point, a law for the regulation for non-personal data seems far away, but the governance framework presented by the committee outlines the approach the Government may end up adopting. There is a lot to be debated around the report, such as the concept of ‘raw’ data, the incentives of data trustees and so on. There have also been arguments to contest whether regulation in the space is even necessary when a market does not even exist in the first place. But I would contend that in its own way, making a market place is exactly what the governance framework intends to do.

The question I want to look at is how well the framework does that, and whether there are things it does not take into account. The answers to both those questions lie in economics.

Hal Varian (Chief Economist at Google) and Carl Shapiro (Professor of Business Strategy at University of California, Berkeley) write in Information Rules, “Even though technology advances breathlessly, the economic principles we rely on are durable”. For a quote that was written in 1999, it does remarkably well to apply to the framework. Let me explain.

The underlying principle behind the frameworks approach to non-personal data is that it is to be treated like a public good. This is exhibited best in sections where the framework which talks about sharing of non-personal data. For instance, the framework advocates for raw/factual data collected by private organisations related to community data to be shared at no remuneration. It also enables start-ups to raise requests to ‘data businesses’ to develop innovative products and services.

A public good in theory is non-rivalrous and non-excludable, as often explained by Anupam Manur at Takshashila and in his chart attached below. Data is not rivalrous, since my consumption of it does not deplete the resource for others. The committee’s recommendation seems to work towards making it non-excludable as well.

But treating data as a public good will have second-order effects that are not necessarily accounted for in the framework. For example, in case you are a company that provides goods and services that differ from the competition through your application of non-personal data, the comparative advantage is likely to be lost.

In his article, ‘India must avoid Nationalisation of Data’, Nikhil Pahwa looks at this from the perspective of India’s investment space and the founders that inhabit it. The basic argument is that this is going to have downstream effects on how the investment space operates in tech, and those have not been addressed in the framework.

People also make a case that such regulation will deter companies from collecting non-personal data. And the committee’s answer seems to be that with the rise of the Internet of things as well as the digital economy in general, data is going to be collected regardless of what incentives are in place. India is a big market and if companies want to continue to operate here, they will play by the Government’s rules.

However, if this is the plan, then the policy does not do justice to the amount of importance placed on incentives. If non-personal data is going to be subject to mandatory sharing, this will provide more data businesses with an incentive to classify more data as personal.

Categories such as personal and non-personal data are not fixed. Often, the classification can be altered as a result of context and the purpose it might be used for. This provides bigger companies with incentives to not only maintain more mixed datasets, but also with a rationale to disclose that an increasing amount of the data held by them is personal in nature.

Because disputes with regard to sharing of data will need to be resolved by the Non-Personal Data Authority (NPDA), this is going to be a fairly transaction-intensive process. At this point, it is hard to estimate how many disputes will land up with the Authority, but it is safe to say that the workload placed on the body from just this task is going to be immense and potentially crippling. None of that seems to be intended or anticipated as a consequence.

Earlier in 2019, when the Personal Data Protection Bill addressed non-personal data in one of its sections, there was a huge outcry about how that should have been left to a different non-personal data protection legislation. Now that the time is here, the framework is the first step to unlocking the value of non-personal data. However, it cannot do that without being more mindful of the incentives it is putting in place for businesses.

Next Story