India’s answer to non-personal data regulation: A lamentable effort?

On July 12, 2020, the Committee of Experts chaired by Kris Gopalakrishnan published its Report containing recommendations for creating a regulatory framework governing non-personal data. While the Report leaves much to be desired, there are four core drawbacks that hit at its foundation.

1. Lack of empirical evidence on the Indian data industry and reliance on presumptions

One of the Report’s driving force is the need to level the playing field between the established players and the start-ups in the Indian data market. Interestingly, the Report’s starting point on this is the unsupported presumption of lack of level playing field. The Report contains no empirical research on the current landscape of the data ecosystem in India. Distressingly, this lack of supporting research and in-depth discussion is not a solitary occurrence, but a consistent theme threaded throughout the Report.

A framework intended to regulate the Indian data market ought to consider the factual data in order to identify the on-ground realities. In fact, in proceeding on such an over-arching presumption, the Report fails to recognise the different kind of players, the extent of their involvement in data collection, storage, aggregation, analysis, etc. and the possibility that such imbalance may not be prevalent in the entire industry.

Resultantly, the Report’s recommendations fly in the face of established legal principles, and in fact, are inimical to the Report’s own objective of spurring innovation and encouraging competition. In reality, the proposed recommendations will not create a level playing field, but obliterate the field altogether.

Similarly, the various definitions are not supported by any in-depth discussion and fall prey to unjustified presumptions. For instance, the definition of ‘community data’ appears to presume that the community would be geographic (and the same is also evident from the examples given in the Report). In fact, the whole Report can be watered down to one simple, but flawed presumption– that data is binary.

The definitions of private, community and public non-personal data are worded with the presumption that data will necessarily fit under one of them. Flowing from such a basal flaw in the approach, are recommendations grounded in ambiguous language and providing no discussion on the feasibility of their implementation. In the end, the Report fails in its objective of providing directional clarity to the legislature to draft a law on non-personal data.

2. Ignorance of the legal fundamentals of proprietorship

The committee’s treatment of data as analogous to an asset sculpts its approach to non-personal data from the lens of its acquisition – by the government, by a start-up or by the general public. While treating data as a tradeable asset, the Report fails to consider the established principles of the law governing proprietorship.

This ignorance of legal principles of proprietorship becomes even more glaring when considered from the aspect of governmental acquisition of data. Notably, any law concerning expropriation of property has to be precise in its scope, purpose and interpretation. The law on this point is settled – expropriation of property must be circumscribed by transpicuous limitations of purpose, manner of acquisition and use.

A regulation governing non-personal data must not be swathed in such a broad and sweeping language so as to virtually permit any data to be acquired, especially by the government, for indiscriminate purposes. The Report, however, fails in providing such definite demarcation as to when, why, to what extent, and what kind of non-personal data can the government acquire, from private entities, individuals or the general public.

3. Should data be treated as a natural resource?

This is a question that the Report fails to scrutinize, but proceeds to asseverate that data is a natural resource. Absurdly though, the Report appears to contradict itself by stating that data is different from a natural resource because it is non-rivalrous. Notwithstanding the incorrect understanding of the first principles of economics, this presumptive assertion appears to be included in the Report as an afterthought to lend credence to the committee’s unrelenting focus on acquisition and ownership of data.

Data is not finite and, as the committee rightly notes, is non-rivalrous, i.e. the use of data by one does not deplete its availability for another. In fact, equating data to a natural resource serves no purpose besides indicating its economic value. Data is in itself a unique, vendible commodity, the rules regarding which are still to be hammered out even globally. Saddling it with the laws and policies governing finite, physical natural resources will, instead of capitalising on the extraordinary power of data, lead to the death of the data industry.

The Personal Data Protection Bill, 2019 was drafted around the central themes of consent and privacy. Assuming that these were also the chief concerns of the Kris Gopalakrishnan committee, treating data as a natural resource goes against these principles. Similarly, if the Report intends to keep the data principal at the center of the framework, then it must necessarily recognize that data is an individual right of the person to whom such data pertains or of the entity that has derived and developed such unique data, and therefore ought not be equated to a common natural resource.

Regulating data through the lens of proprietorship may result in overlooking of interests that may not have traditional ownership over such data but are impacted by it nonetheless. Instead of labelling data as a natural resource and debating over its ownership, the regulation must aim at creating an equitable data ecosystem bulwarked on the principle of rights, duties, obligations and remedies.

4. Overlooks overlapping laws

Competition Law

While the entire report is built on the committee’s idea of creating a level playing data market, in doing so, it not only overlooks potential conflicts with Competition Law, but also proceeds on an unsound understanding of the principles of Competition Law. In fact, the Report appears to have muddled the vital difference between market dominance and abuse of such dominance.

Moreover, while recommending the establishment of a Non-Personal Data Authority, the Report does not justify the creation of such a body over the Competition Commission of India (CCI) or how its role is to be harmonised with the CCI.

Copyright & Information Technology Laws

The committee has completely disregarded the laws under the Copyright Act, 1957 and the Information Technology Act, 2000. Section 2(o) read with Section 14 of the Copyright Act lends protection to databases as copyrightable works. In fact, courts of law in India have upheld copyright in compilations and databases. Therefore, any legislation seeking to confer ownership rights on such data, ought to consider the provisions under the Copyright Act.

Similarly, any law providing for safeguards and protection of data should also consider the provisions under the Information Technology Act that lay down remedies for unlawful breach or disclosure of information.

Trade Secrets

The Report’s recommendation mandating ‘Data Business’ (the problems with the definition and scope of ‘data business’ is a matter for another discussion) to disclose the manner in which data is collected, used and processed, is likely to clash with the right of ‘trade secret’. While there is no written law on trade secret in India, courts of law have been receptive of and upheld trade secret rights.

Moreover, India is a signatory to the TRIPS Agreement which provides for protection of undisclosed information. As such, the committee’s recommendations on data sharing may also undermine India’s international obligations under the TRIPS Agreement.

Personal Data Protection Bill, 2019

The most striking conflict that the committee has omitted to consider is with the Personal Data Protection Bill, 2019. In laying down ambiguous definitions and unchartered recommendations, the Report overlooks potential overlaps between the jurisdictions of the law on personal and non-personal data. One such prominent overlap is the issue of mixed datasets, i.e. data sets containing both personal and non-personal information which may or may not be inextricably linked. There is neither any discussion on this or on the likely conflict between the Data Protection Authority and the proposed Non-Personal Data Authority under the Bill and the Report, respectively.

Conclusion

While the Report is a first step towards creating a regulatory regime for the data ecosystem in India, it is vital that the committee as well the lawmakers recognise that an almost mathematical balance has to be struck between over-regulation and under-regulation in order to bring about an equitable law. For this, the key lies in ensuring that the process is kept transparent with stakeholder, expert and even public involvement at all stages and that the recommendations are based on sound understanding of the laws and the on-ground facts.

The author is a litigation associate at Saikrishna & Associates. The views of the author are personal.

The author would like to express his sincere thanks to Sidharth Chopra, Sneha Jain and Savni Endlaw for their guidance and inputs.