Examining the contours of consent in the non-personal data governance framework
By Sarada Mahesh
In January 2021, a committee of experts appointed by the Government of India released the non-personal data governance framework. The report hopes to encourage data sharing between businesses and governments, with the objective of promoting innovation in the economy. While this might seem like a noble cause, the policy is not without criticism. One of the biggest issues is its idea to make data sharing mandatory which will be decided depending on the ‘data drivenness’ of the industry. Using the example from the policy itself, it says that industries with a ‘high degree of data drivenness’ will be mandated to share data, while those with a ‘mildly data driven’ market will not be mandated to do so.
Businesses have sufficient cause to be worried about this new framework. They have been given very little visibility about how the system will work, and what they will get back in return for participating in it. But this is just one aspect of the problem. Data subjects, people from whom data is being collected, are the other set of stakeholders who are going to be impacted by this framework.
The first step to sharing data is collecting the information from the data subjects after confirming their consent. This there has to be sufficient information including the details about the party with whom the agreement is being entered, what information is being collected, how it is going to be used, and if the data is going to be shared further with other third parties. In reality, however, consent is not collected in such a straightforward manner.
Consent is either forced upon users (like in the private sector, which denies or limits services of users who deny consent), assumed (the Government justifies collecting data without consent on the grounds that it is acting in the best interests of citizens), or confirmed in a questionable manner (with civil society organizations, which will be discussed below).
The framework introduces a concept called ‘data trustees’ or data stewards. They can be individuals or organizations who handle community data and have a ‘duty of care’ towards it. They have to protect the community against any harm that might occur due to the re-identification of their data. The data steward must set up a grievance redressal mechanism to respond to this harm if it occurs. Because of the large amount of data they handle, data trustees have been classified as data businesses.
Civil society organizations usually take on the role of data trustees. Such organizations already exist, albeit without the formal nomenclature used here. They establish relationships of trust with the community through direct on-field interactions, continuous communication, and supporting them in important decision-making processes.
As a part of this responsibility, data stewards have to collect data from the community, but only after confirming their consent. This can either be done at an individual level (for example, by going to each household and explaining the terms of the contract) or at a community level (for example, in panchayat meetings, with the help of the community leaders or other trusted persons). The idea behind this is to ensure that the community retains agency over their data – they must understand the terms of the agreement before deciding whether they want to share it or not. This process however comes with a lot of obstacles.
Sometimes, the terms of the agreement may not be fully understood by the data stewards themselves – this makes them incapable of delivering the full and correct information to the community. Other times, individuals may agree to the terms of the contract under peer pressure – they don’t want to be the only ones denied the services. Thus, the data finally collected and shared may not have been collected after getting the real or complete consent of the data subject. This impacts the rights that the community has over their resources – if the community in question are farmers from a particular region, sharing their data further without fully understanding the consequences would possibly mean a marginal loss of control over the information relating to their land or the crops is grown on it.
Third parties who get this data will not redirect additional resources to confirm this question of consent, which means that it is a one-off thing. The importance of the role of data trustees in this primary but crucial stage of data collection cannot be underestimated.
What does all mean in the context of data sharing being made mandatory by the NPD Governance Framework? In the pre-NPD system, individuals have the option to reject the sharing of their data with third parties by shifting to another platform or by just rejecting consent. In the post-NPD framework, however, this freedom is taken away. Individuals will be mandated to share their data with the Government, irrespective of which platform they shift to, as long as it fulfills the framework’s “data drivenness” standard. Consent, which was already questionable, will now cease to exist in this forced framework.
Consent finds very few mentions in the NPD Framework. It states that the characteristics of consent being ‘specific’ and ‘capable of being withdrawn’ which are applicable to personal data, do not apply to non-personal data. This is immediately followed by a caveat – that the consent to anonymize personal data cannot be assumed for non-personal data. Data stewards have to provide the option to the subjects to opt-out of anonymization of their non-personal data, even though the personal data can continue to be anonymized when used for certain purposes. If data subjects do give their consent to anonymize data, they have the option to revoke it before it is anonymized, after which they lose this right.
These provisions are problematic for many reasons. Non-personal data is just as sensitive as personal data. For example, the data about the specific fertilizers used by an individual can be accessed by their competitors without their knowledge. The option to opt-out from protecting their data from being anonymized is dangerous. The limited-time span to revoke their consent is also an issue – what happens in instances where the community understands the impact of sharing their data only much after it has been anonymized, and wants to revoke their consent then? This denial of the right to withdraw consent is a serious limitation on the agency of the data subject over their data.
What can civil society organizations do in order to prepare themselves for this framework, keeping in mind their responsibility to act in the best interests of the community?
First, they must take their time to fully understand the contracts they will be entering into. Preferably, they must be willing to allocate resources to get the support of lawyers or experienced individuals in the field for this. They can also come up with their own internal data protection guidelines – limitations about what data can be collected, how it can be used, and with whom it can be shared. Finally, they must negotiate with businesses for data minimization – only very limited or the most necessary data needed for the purpose of the contract must be shared with them.
While it goes without saying that the framework puts an additional burden on communities rather than empowering them, they must begin to prepare themselves for the worst.