Tech This Week - India should be more mindful in regulating non-personal data
In September 2019, the Indian Government formed a committee chaired by Infosys co-founder Kris Gopalakrishnan to look at the regulation for non-personal data. The committee recently arrived with a governance framework, comments to that can be submitted by August 13.
As far as I can tell, the committee is among the first efforts on the globe to exclusively look at non-personal data, which itself is a vast term. Non-personal data identifies the universe minus personal data. This may add a company’s financials, information on a country’s infrastructure projects, traffic data and so forth. Besides, unlike the mandate to modify personal data, where the goal is to put more power in the hands of the users, the committee is tasked exclusively with unlocking the worthiness of non-personal data.
At this time, a law for the regulation for non-personal data seems far away, however the governance framework presented by the committee outlines the approach the federal government may conclude adopting. There exists a lot to be debated around the report, including the idea of ‘raw’ data, the incentives of data trustees and so on. There are also arguments to contest whether regulation in the area is even necessary whenever a market will not even exist to begin with. But I would contend that in its own way, making market place is accurately what the governance framework intends to do.
The question I would like to look at is how well the framework does that, and whether there are things it does not take into account. The answers to both those questions lie in economics.
Hal Varian (Chief Economist at Google) and Carl Shapiro (Professor of Business Strategy at University of California, Berkeley) write in Information Rules, “Despite the fact that technology advances breathlessly, the monetary principles we count on are durable”. For a quote that was written in 1999, it does remarkably well to apply to the framework. I want to explain.
The underlying principle behind the frameworks method of non-personal data is that it's to be treated such as a public good. This is exhibited best in sections where in fact the framework which discusses sharing of non-personal data. For instance, the framework advocates for raw/factual data collected by private organisations linked to community data to be shared at no remuneration. In addition, it enables start-ups to improve requests to ‘data businesses’ to develop innovative products.
A public good in theory is non-rivalrous and non-excludable, as often explained by Anupam Manur at Takshashila and in his chart attached below. Data isn't rivalrous, since my consumption of it generally does not deplete the resource for others. The committee’s recommendation appears to work towards which makes it non-excludable as well.
But treating data as a public good could have second-order effects that are not necessarily accounted for in the framework. For instance, if you're a company that delivers goods and services that change from the competition through the application of non-personal data, the comparative advantage is likely to be lost.
In his article, ‘India must avoid Nationalisation of Data’, Nikhil Pahwa looks at this from the perspective of India’s investment space and the founders that inhabit it. The basic argument is that is going to have downstream effects how the investment space operates in tech, and those have not been addressed in the framework.
People also make a case that such regulation will deter companies from collecting non-personal data. And the committee’s answer appears to be that with the rise of the web of things in addition to the digital economy generally, data will probably be collected whatever incentives are set up. India is a big market and if companies want to continue to operate here, they'll play by the Government’s rules.
However, if this is actually the plan, then the policy will not do justice to the amount of importance positioned on incentives. If non-personal data will probably be subject to mandatory sharing, this provides more data businesses with an incentive to classify more data as personal.
Categories such as personal and non-personal data aren't fixed. Often, the classification could be altered because of this of context and the purpose it may be used for. This provides bigger companies with incentives never to only maintain more mixed datasets, but also with a rationale to reveal that an increasing amount of the info held by them is personal in nature.
Because disputes with regard to sharing of data will need to be resolved by the Non-Personal Data Authority (NPDA), that is going to be a fairly transaction-intensive process. At this stage, it really is hard to estimate just how many disputes will land up with the Authority, nonetheless it is safe to state that the workload located on your body from just this will probably be immense and potentially crippling. None of this appears to be intended or anticipated as a result.
Earlier in 2019, when the non-public Data Protection Bill addressed non-personal data in another of its sections, there was a huge outcry about how that should have been left to another non-personal data protection legislation. Given that the time is here now, the framework may be the first step to unlocking the worthiness of non-personal data. However, it cannot do that without being more mindful of the incentives it is investing in place for businesses.
