Nikhil Sud on India's Non-Personal Data Report
Read the original article via MediaNama here.
By Nikhil Sud
In July last year, an expert committee established by the Ministry of Electronics and Information Technology (MEITY) released a report on the Non-Personal Data (NPD) Governance Framework for India. My analysis of that report argued that the report had five key shortcomings that could undermine the report’s praiseworthy vision. In December 2020, the committee released an amended report, commendably taking several steps to remedy those shortcomings. However, scratching beneath the surface reveals that some of those steps are less reassuring than they seem.
1. The amended report only partly remedies the original’s flawed approach to competition law
Implicit application to competition. Commendably, the amended report deletes the requirements to share data for an “economic purpose” (“encourage competition and provide a level playing field or encourage innovation”) and for a “business purpose” (which could have implied companies having to share data with competitors). It also deletes competition-related language from some of the functions of the NPDA Authority (NPDA). However, a “public good purpose” — which is featured in the amended report — is defined so broadly that the government could use it for competition-related reasons even if neither the report nor the government explicitly says so. A “public good purpose” includes “community uses/benefits or public goods”; “a wide range of societal objectives”; and the repeated use of the small but mighty “etc.” and its equally formidable cousin: “and others.”
Almost explicit application to competition. Some of the amended report’s descriptions of a “public good purpose” and the NPDA’s role almost explicitly scream “competition” (and scream “protectionism,” an issue related to competition). Cases in point: “create new businesses”; “creating new innovations, newer value-added services/applications”; and “Unlike [the] CCI, this authority will be a proactive actor providing early and continued support for Indian digital industry and startups” – casting the NPDA as addressing concerns potentially similar or overlapping to those the CCI addresses, but
(a) more aggressively because the NPDA would always act proactively, and
(b) through an explicitly protectionist lens, unlike the CCI.
Revealing appendices. Though the amended report does not allege the original report’s numerous competition-related concerns upfront when discussing the case for regulating data, all those concerns remain intact in the amended report’s appendices — strongly suggesting that competition remains firmly on the committee’s mind, despite the amendments.
Unreliable claim of competition law’s irrelevance. The amended report encouragingly claims that competition-related data regulations are irrelevant. But this claim is severely undermined by the points discussed above. Further, the amended report backs the claim with a weak explanation: competition-related data regulations are “primarily oriented towards the regulation of anti-competitive effects” of data, whereas the report relates to creating “rights in the data itself”. However, much of the report’s language (discussed above) vividly betrays its intention to target alleged anti-competitive effects of data; further, doing so is hardly mutually exclusive from creating “rights in the data itself”.
Intent vs. impact. Importantly, even if the report and its eventual enforcers addressed the problems noted above and therefore chose not to pursue competition issues, that would merely rectify the report’s intent. Its impact, however, could still be deeply concerning. Large-scale, mandatory data-sharing among competitors, even when not for competition reasons, could eviscerate competition and innovation.
IP protections don’t help much. The amended report’s seemingly reassuring claim that companies will not need to share “trade secrets or other proprietary information” does little to address any of the problems discussed above (regardless of whether the report intends to pursue competition matters, or whether only its impact is on competition). Data could be competitively sensitive — and therefore its sharing (for competition or other reasons) could hurt competition — even when it is neither a trade secret nor proprietary, which are intellectual property concepts and distinct from, even if related to, competition law concepts. Further, the report blatantly requires companies to share potentially competitively sensitive information, including when it asks them to disclose metadata — i.e., the types of data they collect. Even if certain data is not itself competitively sensitive, the fact that a company collects it (this fact comprises the metadata) could be non-obvious and competitively sensitive as it could reveal the company’s “secret sauce” to the benefit of its competitors. This could spur an economy-wide culture of free-riding, ultimately crushing all companies’ incentives to innovate and their ability to compete.
Better, but still insufficient expertise. The committee must be applauded for including a respected legal data protection practitioner in the amended report’s drafting group. However, competition law expertise is distinct from data protection expertise and is also sorely needed for developing a report that is inextricably linked with competition. The omission of a competition law expert is glaring also given the report’s own admission that the NPDA will need various relevant kinds of “specialized knowledge.” If the NPDA requires that (and it does), so does the group that is developing the NPDA, its functions, and the entire NPD framework.
2. The amended report only partially cures the original’s mistreatment of the data principal.
Consent. The amended report commendably allows opt-outs, requires express notifications of that right, and permits revoking of consent. However, a data principal may find it challenging to understand the potential uses of their data under the NPD framework and potential harms from misuse — even more so than under the Personal Data Protection (PDP) Bill, given the NPD framework’s novelty. Stakeholders, including policymakers, must invest significantly in educating data principals about potential uses of data under the NPD framework for the consent-related protections to be meaningful.
Duty of care. The amended report sheds some light on the meaning of a “duty of care”, which is commendable given the original’s alarming silence on the matter. However, additional guidance will be helpful for the reasons discussed in my analysis of the original report.
The vanishing “best interest”. The original report noted the importance of acting in the data principal’s “best interest” but stopped short of explaining what that means. The amended report seems to address that concern not by providing an explanation but by deleting all references to the data principal’s “best interest”! It is unclear — and potentially worrying — why the amended report does not require acting in the data principal’s best interest when the original report did. Perhaps the committee:
- decided that was too high a standard; or
- did not have a definition in mind when they used the term (a bizarre situation which could raise significant concerns); or
- felt that explaining the “duty of care” compensates for deleting references to the “best interest” (but the original report required acting in the “best interest” and with a “duty of care”).
Regardless, consumers and industry would benefit from learning from the committee their motivations behind the change. Of course, the change from mentioning “best interest” without any definition, to not mentioning “best interest,” seems small and potentially not worth probing, but that is the incorrect comparison. The correct comparison is between mentioning “best interest” without any definition and mentioning it with a definition (something the amended report could have done but did not).
Limited benefits from scope-narrowing. Though the amended report omits several data-sharing purposes, thereby narrowing the scope of data-sharing and potentially further protecting data principals, the protection from that narrowing is limited. This is because that narrowing itself is limited. As discussed above, the data-sharing purpose that remains — “public good purpose” — is described extremely broadly.
Likely government overload. All concerns regarding potentially insufficient protections for data principals are heightened by the fact that many important stakeholders in the framework are highly likely to be government entities, a fact clear from both the original and amended reports.
3. The amended report only partly retracts the original’s carte blanche to the government to collect and use data.
“Sovereign purpose” — gone or a ghost? The amended report seems to omit recommendations on data-sharing for a “sovereign purpose,” thereby eliminating the significant undue government surveillance risks they created in the original report. The amended report encouragingly says it “does not propose anything new” on the topic beyond the regulations that “[a]lready exist” outside the report. However, it contains substantial language on the topic. The committee may claim that this language is mere commentary, but the existence of this language — much of which sounds prescriptive — creates the risk that regulators and other enforcers may rely on the language for guidance, even if only implementing the regulations that exist outside the report. This creates a risk of undue government surveillance because it would allow the government to collect data for broadly worded reasons (“national security, legal purposes”), which are further broadened unpredictably and potentially endlessly by “etc.” In fact, the language — when providing examples of data-sharing for a “sovereign purpose” — explicitly frames the list as “non-exhaustive,” signaling yet again a broad scope.
Broad “public good” purpose. Regardless of the “sovereign purpose” language, the language describing data-sharing for a “public good purpose” — i.e., the purpose that remains — is also extremely broad as discussed above, amplifying the risk of undue government surveillance.
Guidelines/safeguards. The amended report commendably creates some “[g]uidelines/[s]afeguards” for sharing NPD, but additional requirements – including the explicit accountability of the government and the explicit provision of judicial oversight – will likely be important to protect against undue government surveillance. In fact, the original report admitted the need for an “elaborate institutional structure” to protect “against abuse of power by [the] government.” The amended report’s guidelines/safeguards are hardly an “elaborate institutional structure.” Further, the original report — though it called for an “elaborate institutional structure” — did not provide that structure, a glaring discrepancy which the amended report seems to address — alarmingly — not by providing the structure but by deleting the call for it (and instead providing the insufficient guidelines mentioned above).
4. The amended report tries to abandon the axe for a scalpel, but with limited success.
“Public good” is a scalpel on steroids. The original report cast too wide a net and should have instead focused on the most pressing public welfare needs. The amended report reduces the number of data-sharing purposes from many to one — a “public good purpose” (similar to one of the original report’s purposes). This attempt at reducing scope is commendable. It addresses the original’s shortcoming almost explicitly — but alas, insufficiently. As discussed above, a “public good purpose” is defined extremely broadly.
Omitted but potentially lingering purposes. Though the amended report omits making recommendations on several data-sharing purposes such as a “sovereign purpose,” it still contains substantial prescriptive language on some of those purposes, creating the risk that regulators and enforcers may rely on that language for guidance, even if implementing regulations not in the NPD report, as discussed above. This would at least partly undo the amended report’s narrowing of scope. And this concern is heightened because the language on some of these purposes, such as a “sovereign purpose,” is overly broad.
Metadata. It is not crystal clear — but should be — that the amended report’s requirements regarding metadata are also limited to a “public good purpose.” That lack of perfect clarity is exacerbated by the amended report’s new and vague instruction (missing from the original report) that businesses will share metadata “under appropriate regulations,” suggesting the amended report envisions regulations (including criteria) beyond those associated with a “public good purpose.” In fact, this instruction in the amended report applies not just to metadata but also the underlying data, creating the same risk for underlying data (albeit a smaller risk, given other parts of the amended report which state that sharing the underlying data will be required only for a “public good purpose”).
5. The amended report partially addresses other concerns too through good consultation but the road ahead is long.
The data processor’s role. The amended report more clearly (than the original report) explains the roles and interaction of different players envisioned in the framework, such as the data principal, the data custodian, and the data trustee. However, additional clarity will be helpful, including in relation to the data processor’s role.
For example, the amended report states that a data processor (a company processing NPD on a data custodian’s behalf) will not need to share (a) data belonging to the data custodian, and will need to share (b) data that the processor “collects, processes, uses, etc. as part of its business operation,” because that’s the data in relation to which the processor is a custodian, rather than a processor. But those two categories of data – (a) and (b) – need not be mutually exclusive. In other words, the data processor could “collect [from the data custodian], process, use, etc. as part of its business operation” data “belonging to the data custodian.”
Perhaps the amended report means that the processor would need to share only that data which it collects from an end-consumer (an individual). If that’s the case, the report should make that clearer. The closest the amended report comes to making that clear is when it states “[t]ypically,…the data custodian…has a relationship with the consumer from whom the data is collected.” However, even this is not perfectly clear, partly because of the word “typically” (suggesting the report envisions some exceptions) and because of the word “consumer” (without the all-important prefix “end-”) – a data custodian could well be construed as its data processor’s “consumer” and from whom the data processor collects data.
Further, data processors should note that the mere fact that a data processor need not share certain data does not shield that processor from all the risks associated with that data being shared. After all, that data may still be shared, just by another entity (the data custodian). Such sharing could place the data processor at a disadvantage among its competitors, if that data (or even the fact that that data was collected and processed) is competitively sensitive to the data processor.
Interplay with other policies. The amended report makes clearer (than the original report) how it relates to the Personal Data Protection Bill. However, clarity on how it might relate to other policy initiatives will also be helpful, such as the potential e-commerce policy, the first draft of which seemed to involve NPD. The absence of such clarity could trigger conflicting and unclear obligations.
Metadata. The amended report provides more clarity than the original report on metadata. However, several concerns around metadata remain, some of which have been discussed above. Additionally, much more clarity is required on exactly the metadata that entities need to share. Further, the report seems to incorrectly assume that sharing metadata is easy. It can, instead, be extremely onerous (in addition to competition-dampening as discussed above).
Data localisation. The original report quoted an unclear cross-border data flow limitation from the PDP Bill. The amended report addresses that somewhat insufficiently by deleting the quote (so that the unclear language is no longer in the report) but still citing that requirement (without quoting it), likely hoping that the language is made clearer in the PDP Bill itself. Further, and relatedly, the amended report continues to impose potentially harmful cross-border data flow limitations.
Additional examples. The original report suffered from unclear explanations of the differences between various types of NPD. The amended report, commendably, does not. The original report’s definition of Community NPD could have unintentionally precluded anonymized data. The amended report does not involve Community NPD, thereby eliminating this risk.
These aren’t “just details.” More generally, the issues discussed above – in points 1 through 5 – are not minor issues that should be deprioritized and handled close to the report’s finalisation or after it (e.g., in Parliament when a law on this matter is potentially introduced, or during implementation). These issues are fundamental. They require immediate and rigorous attention, just like the attention that the original and amended reports provided several other issues. For example, the original report avoided establishing limits on the government by claiming that would require an “elaborate…structure,” implying the report was not equipped to create elaborate structures, even though the report went to great lengths to create other elaborate structures. (And as discussed above, even the amended report’s efforts to limit the government are insufficient.)
Kudos but stay the course. Despite all of the above, the committee’s decisions to amend the original report and open the amended report to consultation are praiseworthy. Also praiseworthy is the committee’s willingness to incorporate feedback from stakeholders – clear from the significant amendments discussed above. However, several major shortcomings remain, and given the size, complexity, and unprecedentedness of this initiative, it is critical that the committee not hurry to finalize the report, but continue to meaningfully consult stakeholders and incorporate their feedback – even if that means multiple more rounds of consultation. Getting this framework wrong – even slightly – could irreparably harm the currently vibrant competition and innovation that Indian consumers enjoy.
Nikhil Sud serves as Regulatory Affairs Specialist at the Albright Stonebridge Group. He is a lawyer by training and specialises in legal and policy issues relating to technology. Views expressed are personal and do not constitute legal advice.