Introduction

In February 2022, the Ministry of Electronics and Information Technology (‘MEITY’’) notified the Draft India Data Accessibility and Use Policy(‘Policy’). The overarching aim of the Policy is to leverage public datasets available with various government departments and ministries to facilitate product innovation, service delivery and governance to its citizens. However, following criticism of the Policy after its release for public consultation, Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar has offered that the Policy will be replaced with new guidelines termed the National Data Governance Framework and Policy. Even though the current policy has been scrapped, it nonetheless sheds light on the fundamentally fragmented regulatory ecosystem around data governance. Recognising and remedying these faultlines can yield valuable insights for whatever data access policy the government brings out later.

A principles-first approach to data governance

The draft Policy was released with a Background Note that provides an overview of past and ongoing open data initiatives in India, identifies challenges with data sharing and use, and lists envisioned policy outcomes. However, despite this, the provisions of the Policy do not seem informed by existing initiatives or geared toward achieving the stated outcomes. Primarily, the Policy does not seem to make an effort to reconcile the various state-level efforts regarding data sharing, or the differing approaches to digitisation undertaken by different Ministries at the level of the Union Government. Therefore, implications for data governance in a milieu characterised by competing for data-use regimes remain unclear.

To begin with, the Policy comes at the heels of several state-level announcements of a similar nature -aimed at monetising anonymised datasets available with state government departments. While the Background Note recognises these developments, there is no mention of how competing provisions between the METIY’s Policy and various state policies will be rationalised.

This incongruence in data governance regimes is furthered by the creation of certain offices by the Policy -the India Data Office and India Data Council. While these offices will fall under the aegis of the MEITY, the Policy does not address how these offices will interact with other departmental institutions involved in governing data collection, use and sharing -such as the National Health Authority, the mooted Data Protection Authority under the Data Protection Bill or the AgriStack.

The Policy’s applicability is to all non-personal data available with Union government departments, ministries, agencies and autonomous bodies. It only suggests that state-level governments are “free to adopt the policy…as applicable”. This recommendation, however, is undesirable as it seeks to introduce multiple regimes within Indian jurisdiction for data accessibility, sharing and use.

Moreover, as mentioned above, competing provisions in state-level data accessibility policies and the current MEITY Policy could prove to be a logistical and regulatory nightmare for government officials seeking to harness data, creating unprecedented challenges for the Policy’s eventual operationalisation. Instead, MEITY should look toward harmonising the current draft Policy with state-specific policies already introduced in Karnataka, Punjab and Telangana to name a few.

In keeping with the federal structure of the Indian polity, the Policy should adopt a principles-first approach to data use and accessibility by prescribing standards, norms and mechanisms for data sharing and use that state governments could adopt as a part of their data policies. Additionally, the current Policy must clarify its powers regarding the sale of data generated by state governments as there is considerable ambiguity regarding the same. If the Union government should go ahead with the sale of state-generated data, a predefined, transparent revenue-sharing formula ought to be put in place, after consultation with provincial governments.

Lastly, the publishing of the Policy is akin to putting the proverbial ‘cart before the horse’, surfacing glaring vulnerabilities in the Policy’s licensing framework. This is because India does not have an operative data protection legislation, let alone a meaningful mechanism for regulation of non-personal data that this draft Policy hopes to exploit for government revenue generation. In the absence of such safeguards, citizens are vulnerable to harm arising from breaches of group privacy (like reidentification) as well as potential misuse of their data.

Other gaps in the Policy

The MEITY Policy is now a part of a long list of proposed data governance frameworks with little clarity on their concurrent operation. This has surfaced certain problematic aspects of the Policy that compels nuanced discussions. For instance, although the Policy calls for citizen participation in the process of data accessibility and use, it fails to articulate norms and mechanisms that would enable public participation in decision-making over data. It even goes as far as to deem the respective departments of the central government as owners of the data.

This is in direct repudiation of the recommended Non-personal Data Governance Framework that places anonymised data firmly under the control of communities and puts forth community rights over anonymised datasets, such as the ones seeking to be monetised under this Policy. This is of concern, inter alia, in terms of revenue earned from such data. Under the Policy, all revenue is captured entirely by the central government. In an ideal use case, members of the public would see some benefit from data they generate/contribute to -and there exist real-world examples of this from Europe and elsewhere in Asia.

Despite stated outcomes of a robust governance strategy with interoperable digital infrastructure, the Policy is silent on the technical standards for interoperability, privacy and safety of data-opting to leave these decisions to the India Data Office and India Data Council. The Policy in itself lacks adequate safeguards to ensure the security and privacy of public data. While the Policy does mention that data will be anonymised, it is important to note that anonymisation is not a fool-proof or irreversible process. There have been various instances of anonymised data being used to glean personal information on individuals and can be easily de-anonymised.

The Policy has no penal provisions for willful or accidental re-anonymisation / de-anonymization that can lead to harm. This risk is further exacerbated by the absence of data protection legislation as it leaves affected individuals with very little recourse for such harms. The lack of data protection legislation also points to a larger issue about the Policy -that executive action supersedes legislative intervention on matters of data governance, bypassing the need for democratic deliberation in the process.

Way forward for the Policy

While it is heartening to see that MEITY is thinking critically about unlocking public sector data for social benefit purposes, it falls short of making significant inroads into data governance. At the outset, policymakers must recognise that data is not a mere economic resource to be exploited as a public good but is intrinsically tied to individuals and communities that produce them.

Recognising individual and collective claims over data while simultaneously outlining mechanisms for community participation in the process of data accessibility and use is an indispensable forerunner to all regulatory frameworks seeking to harness data. Similarly, democratising social value inherent to data is essential to achieve bottom-up, equitable development and this can be achieved through consultations with provincial governments before such policies are rolled out nationwide.

The Policy requires revision, ideally under the aegis of an expert committee and with meaningful public dialogue, to achieve the stated outcomes in the Background Note. It is also imperative that such a policy be promulgated only after robust data protection legislation is put in place. This article was originally published on May 23, 2022, on Medianama. It can be accessed here.