Nikhil Sud on Key Concerns with India's Non-Personal Data Report
Read the original article here.
By Nikhil Sud
An expert committee established last year by the Ministry of Electronics and Information Technology (MEITY) recently released a report on the “Non-Personal Data Governance Framework” for the country. The report is a praiseworthy step toward leveraging data to advance the country’s goals. However, the report suffers key (often related) shortcomings — five of which are discussed below — that, in sum, risk eviscerating competition and innovation in India to the detriment of Indian consumers, undermining consumer privacy, spurring mistrust of companies and the government, and fostering a regulatory regime that is unclear, overly burdensome, and lacks nuance, all outcomes that are starkly opposed to the report’s noble intentions.
1. The report rests — in major part — on a fundamentally flawed view of competition law.
The report assumes data is an antitrust problem. In reality, this is far from clear. The question is an extremely complex one that competition law jurisdictions around the world — including those significantly more experienced in competition law than India — are still debating. In fact, many traits of data strongly suggest that data is not an antitrust problem. For example, data is inexhaustible. It is also non-excludable; this is true inherently and in the absence of exclusive data-sharing agreements between businesses and consumers. Relatedly, data is omnipresent and easily collectable. Also, data is not nearly as valuable as the report assumes; innovations in data processing are much more valuable. Further, data’s value is ephemeral. The new oil? Not quite.
Additionally, no matter the value of data, competition law should not require companies to share resources with competitors. Contrary to the report’s view, competition law is designed to protect consumers, not competitors. This principle, though critical to sound competition law, sometimes eludes lawmakers and regulators, resulting in erroneous and consumer-harming interventions. Requiring businesses to share resources with competitors, like the report does, can eviscerate incentives to invest, innovate, and compete, thereby reducing the quality of products and services available to consumers, defeating the very purpose of competition law.
Despite this, even competition authorities that claim to recognize the aforementioned critical principle, have sometimes sought to require resource-sharing under “duty to supply” theories such as the substantially criticized essential facilities doctrine. But here, even such theories do not apply. The Competition Commission of India (CCI) has in the past noted that the requirements for a “duty to supply” include (among others):
- Competitors should not be able to replicate/duplicate the facility; and
- Access to the facility must be critical for enterprises to compete effectively in the relevant market.
If either requirement is unmet, the duty does not exist. Here, as discussed above, both requirements are unmet.
Relatedly, in targeting companies the report views as dominant, the report appears to conflate dominance with a violation of competition law. However, only the abuse of dominance infringes competition law; dominance itself does not. Through this conflation, the report penalizes success, not unfair competition. Alternatively, the report could be interpreted as alleging abuse of dominance when dominant companies do not share data with competitors, relying perhaps on the broad language of Section 4 of India’s Competition Act, and the Act’s per se approach to abuse. That allegation, however, does not withstand scrutiny, because the language of Section 4, no matter its breadth, does not warrant this conclusion, and even though the Act appears to adopt a per se approach, the intent of the Act (reflected in, among other things, its legislative history), the CCI’s prudent decision-making, and relevant international legal precedent demonstrate that a per se approach to abuse is unwarranted. Under an effects-based approach, abuse cannot be established here, not that the report even attempts it.
Another error the report commits is that it ignores key aspects of the internet space that render traditional notions of antitrust invalid. Though the report is not limited to the internet space, it will likely significantly impact that space and even frequently cites examples from that space to support its conclusions (which, of course, makes this error even more surprising). Aspects of the internet space that make it unsuitable for conventional competition law analysis include, among others: when assessing dominance in the internet space, market shares are irrelevant (examples abound of companies which seemed dominant based on their market shares but were suddenly and completely replaced by more innovative rivals); the existence of multiple competitors; low entry barriers and therefore multiple potential competitors; low switching costs; multi-homing; and how several of these (and other) factors significantly limit any concerning impact of network effects. The report’s ignoring of these aspects of the internet space is also concerning because the likelihood of erroneous antitrust intervention, and the extent of consumer harms that can result from erroneous antitrust intervention, may both be higher in high-innovation sectors like the technology space, which includes the internet space.
Additionally, the report favours Indian businesses over international businesses. And it does so explicitly and repeatedly. That approach starkly violates principles of fair competition which require competition on the merits (and the approach could exacerbate already tense trade relations with the US on digital issues). Further, the report’s flawed view on competition law is clear from the fact that India’s internet space — a sector on which the report relies heavily to support its view — already sees countless innovative Indian businesses thrive and compete alongside international businesses.
More fundamentally, the report does not consider the complexity of competition law. As any competition law practitioner or scholar will testify, competition law is a highly complex and specialised subject. Though competition issues may feel intuitive, framing and implementing sound competition law requires deep expertise on the subject, and presents thorny challenges to even the most highly trained, experienced, and respected minds in the field. And this is especially (but not only) true when antitrust law intersects with modern technology like the internet. And though India is a relatively young competition law jurisdiction, the CCI has generally demonstrated great sophistication in dealing with the subject, including in relation to internet issues. For example, the CCI has generally resisted intervening on “Big Data” grounds and more broadly, resisted intervening in the internet space. In doing so, the CCI has also resisted adopting precedent from jurisdictions on which India traditionally relies, because the CCI has recognised that India merits a more innovation-friendly approach. Through these prudent approaches, the CCI has contributed to India’s vibrant and competitive internet space.
On the other hand, the report — which seeks to largely sidestep the CCI’s thinking on the subject and instead implement its view on competition law (and economy-wide at that) — does not appear to acknowledge the extremely complex and specialised nature of competition law. This is clear not just from the report’s view on competition law (which is flawed in the several ways discussed above) but also from the fact that the report appears to base its view not on rigorous legal analysis, but on anecdotal evidence and intuition. Relatedly, the committee that drafted the report does not appear to include a competition law practitioner or scholar.
2. The report does not account sufficiently for the interests of the data principal, despite appearing to do so.
The report prudently recognises that collecting and processing certain non-personal data (NPD) could harm data principals if that NPD is de-anonymised and even if it remains anonymised. To prevent potential harms from de-anonymised data, the report commendably suggests anonymisation techniques and that the data principal’s consent be sought before data is collected and used. And of course, of these two safeguards, only the latter is relevant to harms that may result from NPD when it is remains anonymised.
However, consent may not provide significant protection from either kind of harm. This is because it is not clear whether consent would be meaningful under the framework envisaged in the report. The report cites the Personal Data Protection (PDP) Bill as evidence on the helpfulness of consent but the NPD framework is dramatically different from the PDP Bill’s framework. Under the report’s framework, when the data principal is asked for consent, it is unclear whether the principal would — or even could — be informed of all potential uses of that data; cognizant of what exactly anonymisation means and protects; and what harms can result from anonymised data (average consumers may not understand the concept of collective harm).
Additionally, the report frequently — and commendably — notes the importance of acting in the best interest of the data principal but it stops short of explaining what that means. This omission is striking because, in many ways, balancing the interest of the data principal with the interest of others is where the rubber meets the road. Any rules regarding NPD beg — perhaps first and foremost — the question: how do we ensure the data principal’s interests are sufficiently protected?
By calling for a “duty of care” but deferring to subsequent regulations to define it, the report acknowledges that critical question but then dodges it. In fact, it undermines the question, by discussing at length the interests of stakeholders other than data principals. And given the significant decision-making powers (including the power to mandate data-sharing) that rest with those other stakeholders in the report’s framework — including data trustees which seem almost certainly likely to be government entities — the data principal’s best interests seem vulnerable. This vulnerability can, of course, hurt individuals. It can also hurt businesses – and not just when businesses are data principals (which appears possible under the report’s conception of Public NPD and Private NPD) but also by discouraging consumers from sharing their data with businesses.
3. The report appears to provide carte blanche to the government to collect and use data.
The report suggests that the government may collect and use NPD “for purposes of national security, legal purposes, etc.” This broad language — broadened seemingly endlessly (but not only) by the “etc.” — can spur concerns regarding state surveillance, and potentially discourage consumers to share data with the government or with businesses, stunting innovation and growth. Similarly — and surprisingly — the report characterises data demands “by a regulator to understand and keep abreast of developments in a sector with regard to need for regulatory interventions” as a “sovereign purpose,” clearly a high-priority purpose for which compliance is likely to be far less negotiable (if at all) than the other purposes outlined in the report, such as “core public interest purposes” and “economic purposes” — both of which, in fact, seem substantively far better fits for such data demands than does “sovereign purpose.” This characterisation too spurs concerns regarding governmental overreach — not just in relation to data requests but also in relation to the eventual “regulatory interventions” signalled in this language. Such provisions can make investors flee.
The report commendably recognises the need for “adequate checks against abuse of power by government or other representative agencies” but does little to establish those checks. It merely observes that such checks “require an elaborate institutional structure.” It does not establish that structure. The omission is glaring not just because it jeopardises the report’s entire vision but also because the report, in other contexts, does not shy away from establishing “elaborate … structure[s].” This omission is reminiscent of the PDP Bill which, like its 2018 draft, provides wide powers to the government to collect and use data without judicial oversight, even though the report accompanying the 2018 draft acknowledged the importance of judicial oversight. Such omissions can foster mistrust of the government and of businesses, directly undermining the government’s goals of advancement.
4. The report uses an axe, not a scalpel.
One of the report’s premises — that data can be used for public benefit — is commendable. However, by casting an economy-wide, all-encompassing net, the report creates many concerns (several of which are discussed above and below), and generates less benefit than it imagines (such as in the context of competition as discussed above). In some ways, the report thus reads like a solution looking for a problem.
To address this and fulfil the potential of its aforementioned laudable premise, the report should consider focusing the NPD initiative on the most pressing public welfare needs, such as public health needs created by the pandemic. The report could also consider making several data-sharing provisions voluntary and making compensation clearer, more attractive, and more readily available. These and other measures — that help tailor the report’s currently sprawling vision — could help unlock the report’s potential without creating the major concerns it currently creates.
5. The report should evolve based on more thorough and open consultation, given several other concerning and unclear aspects of the report.
The long and dense report seeks to tackle issues of arguably unprecedented ambition and complexity. Such issues warrant unprecedented consultation and collaboration — not just one round of written comments developed over a few weeks (which is of course infinitely better than the one-week deadline that first appeared when the report was released!), but potentially several rounds of written comments, in addition to a series of multi-stakeholder townhall-style sessions (the insights from which should, of course, be transcribed given the ambiguity that may stem from purely verbal interactions).
Illustratively, several issues in the report (in addition to those discussed above) are ambiguous or more broadly concerning, highlighting the critical need for open and rigorous consultation with all stakeholders including industry experts.
A few such issues, and some related recommendations, include:
- The report would benefit from clearer explanations of the differences between the types of NPD.
- The report seems to say that Community NPD will comprise data that is not processed, but that language could unintentionally preclude anonymisation.
- The report should more clearly explain the roles and interaction of the different players it envisions (the data principal, the data custodian, and the data trustee).
- The report should clearly explain how it might relate to other policy initiatives that might address NPD including potentially the upcoming e-commerce policy.
- The report should re-consider whether a separate regulator (the NPD Authority) is needed, as it could create an unwieldy regime that is onerous on the government, businesses, and individuals.
- The report should more clearly discuss the traits of metadata — and ensure that the requirement to disclose metadata does not compromise privacy or competitively sensitive information — rather than deferring seemingly entirely to the NPD Authority on the matter.
- The report’s limitations on cross-border data flows, though seemingly designed to promote data security, could undermine data security because global cloud networks may be far better positioned to protect data than local servers.
- The report’s limitations on the flow of Sensitive NPD are unclear (the report, like the PDP Bill, says Sensitive NPD “may be transferred outside India, but shall continue to be stored in India,” but it is unclear, based on this language and based on other related language in the report, if this means that it can move abroad while a copy stays in India or that it can be processed abroad but then must be brought back to India).
- The report’s extraterritorial application could be impractical, and if it is not, it could undermine the report’s justifications for limiting cross-border data flow.
Without rigorous consultation, these and other aspects of the report risk undermining the report’s praiseworthy vision by creating an ineffective, unclear, and damaging regulatory regime.
Nikhil Sud serves as Regulatory Affairs Specialist at the Albright Stonebridge Group. He is a lawyer by training and specialises in legal and policy issues relating to technology. Views expressed are personal.