An op-ed by Soujanya Sridharan and Vinay Narayan on the Karnataka State Open Data Policy, spotlighting data stewarding initiatives that allowed for private access of public data in a rights-respecting manner. This article originally appeared on the Deccan Herald website, and can be accessed here.

The Government of Karnataka is reported to have been studying the Union Government’s draft guidelines on data anonymisation. It assumes significance as the state government is seeking clarity on data monetisation at a policy level. Data monetisation is possible only when the data under question is masked and stripped of all personal indicators to ensure an individual’s right to privacy.

This announcement is a follow-up to the Karnataka State Open Data Policy, notified in October 2021. The policy proposes monetisation of anonymised personal data, which is available with various departments and offices of the state government, to support research, innovation and evidence-based governance in the state. However, this move is not desirable, even hasty, in the current milieu. There are several barriers to monetisation – from conceptualising and capturing the value of data to the real threats it poses to communities and businesses alike, not to mention the techno-legal issues involved in anonymisation and data protection. Given this context, it is imperative that the GoK reconsider its position on monetisation and open doors for reflexive policymaking that incorporates the perspectives of privacy researchers as well as citizens.  Data valuation is an exceedingly complex exercise and must go beyond treating data as a mere economic resource to be traded and sold by the state. Inherent to datasets is immense social value that has the potential to inform and influence not only individual behaviour but also the actions of social groups. A market-based logic that treats data as a “property” fails to capture the non-rivalrous nature of data that makes it amendable to re-use.

This would imply that once individual and communities’ data is sold in anonymised form, they cease to have any claim or rights over it. Such an approach is untenable given that the right to privacy is inalienable and any move to abrogate this right violates an individual’s personal liberty, as upheld by the Supreme Court in its K Puttaswamy verdict. There is also a mounting threat of creating perverse incentives for governments who may be willing to sell more and more data in exchange for boosting their revenues, foregoing the privacy and data rights of their citizens.  An alternative approach to data valuation is needed to recognise and respect the decisional autonomy of individuals and communities who help produce this data.

A paradigm anchored in consent can help uphold the rights of individuals through the entire lifecycle of data – from its collection to processing and, eventually, anonymisation and sharing. Enabling citizens to participate in data sharing should be the overarching imperative of data governance, such that GoK remains accountable for its actions to monetise data.

Another dire unintended consequence of data monetisation is the potential to create and prop-up data monopolies. This would be the case especially if the datasets to be monetised are priced high, in which case it becomes unaffordable for start-ups, small and SMEs. In turn, the price of datasets would be determined by the specific pricing formula by the GoK, but neither the state’s Open Data Policy nor subsequent notifications clarify this aspect. Thus, the potential accumulation of anonymised datasets in the hands of a few private players will undermine the ability to use datasets for public interest purposes, preventing citizens from deriving value from the sale and distribution of their data. Fundamentally, data monetisation by public agencies is a hazardous policy experiment with little global precedent.

As has been pointed out by researchers on numerous occasions, anonymisation is not foolproof. The draft guidelines themselves note that no particular technique is 100% effective. There have been multiple instances of anonymised datasets being used to identify individuals, violating their privacy. For instance, researchers in Australia were able to re-identify individuals using an open-source health dataset that was anonymised. Similarly, a team from Imperial College London, proved that individuals could be reidentified, even from incomplete datasets, using 15 demographic attributes.

In the absence of a data protection bill that penalises de-anonymisation, it poses a serious risk to privacy without necessary safeguards or mechanisms for redressal.

The GoK’s move also stands at odds with the Union Government’s policy regarding governance of public sector data. The Union Government had, in February 2022, released the draft India Data Accessibility and Use Policy which envisioned monetisation of public sector datasets. However, following criticism from the public, this draft was withdrawn and replaced with the National Data Governance Framework Policy, which notably omitted provisions relating to data monetisation. This new policy also notes that state governments will be encouraged to adopt its provisions, rules and standards. Given this context, Karntaka’s move to monetise data would make it incongruous with data sharing policies at the Union level.

There is no denying that public sector data has immense value to inform public service delivery. However, any move to monetise such data must necessarily ensure that individuals whose data is being shared receive some value for this data. A telling example of how this can be achieved is the Gyeonggi province’s ‘data dividend’ programme in Korea, which ensures that profits generated from data monetisation are returned to individuals who produce this data.

The process of data monetisation must not lead to unilateral State action. Individuals should be granted a degree of agency over whether their data can be shared, with whom, and for what purposes. The DECODE project, piloted in Amsterdam and Barcelona, is an example of such participatory data governance. Public agencies created an infrastructure that made data available for social benefit use, whilst still allowing individuals to retain control over their data.

Finally, all of this must take place within a strict legal regime that provides stringent standards and regulations for protecting the rights of individuals and providing them with avenues for redressal. Such measures must be backed by legislation, and should not be the result of sole executive action. Findata, the Finnish Social and Health Data Permit Authority, serves as an example in this regard. It is established through legislation that imposes purpose limitations for downstream use of anonymised well-being data for research, policymaking and development interventions. This makes sure that data is available for the public good with necessary safeguards. Karnataka can learn from it.