Building a Data Economy in India

?

Lawmakers in India have been contemplating a legislation on privacy and data protection for a few years now. Following the landmark SC judgement in Justice K.S Puttaswamy v. Union of India in 2017, a committee under the stewardship of Justice B.N. Srikrishna was set up to propose a Personal Data Protection Bill (PDPB) for India. In 2019, the draft PDPB was referred to a Joint Parliamentary Committee (JPC) for further deliberation.

The JPC’s Report on the Personal Data Protection Bill, 2019 was tabled in the Parliament on 16th December 2021. In its recommendations, the JPC has taken an approach that is in keeping with the unique challenges and opportunities India presents. ?While being mindful of the necessity to protect an individual’s privacy, it also acknowledges that data, in today’s world, is an economic asset. Data fuels innovation, commerce and socio-economic development, if harnessed properly. If data is the new oil, then India is surely one of the largest oilfields with around 150 exabytes of data generated annually, per the Report.

With this in mind, the JPC has made recommendations to make sure economic value accrues to the individual and communities in India when their data is exploited.

Data Localisation

The Report makes a strong argument for storing certain categories of data only in India. It also makes an argument for mirroring existing sensitive data in India. The most obvious reason stated for this is that foreign governments should not be able to spy on Indian citizens when data is hosted in their countries and access to data by Indian law enforcement agencies in crime detection and prevention. There is also sound economics behind it.

Setting up a data centre and maintaining it requires land, manpower and local partners. ?The economic potential of localisation is detailed in the Report- ~30,000 jobs, ~ USD1.5 billion in wages and ~ USD 4.6 billion in local economic activity for every large data centre.

The Report also recommends formulation of a separate policy on data localisation and alludes to taxation of data flow, something which does not have a parallel globally.

Non-personal data within the ambit of data protection

A unique approach in the Report is to bring non-personal data also within the ambit of the Bill. The JPC makes an argument that non-personal data is derived from personal data, sensitive personal data or critical personal data and therefore it needs to be regulated in the same vein as personal data. This argument is flawed for the simple reason that personal data is protected because it’s breach can cause significant harm to the individual whereas a breach of anonymised data, which cannot be traced back or connected to an individual, cannot be said to cause harm to an individual. A significant reason for regulating non-personal data though, maybe economic.

ML/AI are the drivers of innovation across industry sectors and large data sets are crucial for building and training ML/AI models. These data sets mostly use de-identified or anonymised data to fall outside the purview of strict privacy laws like the GDPR which only regulate data of an identified or identifiable individual.

By bringing non-personal data also within the ambit of this legislation, two things can potentially be achieved: 1) enable access to and sharing of large data sets that can drive innovation in India and 2) control over export of non-personal data outside India thereby having some leverage over monetisation of Indian data, especially if it is combined with data localisation.

Further, the proposed Bill gives the central government the right to direct any data fiduciary or data processor to provide non-personal data to enable better targeting of services or formulation of policies. The Report also encourages integration of data sources across public sector, private sector, academic and research institutions for better delivery of services and improve last mile delivery This will enable the government to leverage private-public partnerships in data analytics for the benefit of the public.

A comprehensive policy on the processing of non-personal data, which could be in-line with the Non-Personal Data Governance Framework, may follow in due course.

Fostering innovation and growth of digital products and services

The Report recommends amending the provisions of the 2019 Bill to protect the interests of start-ups and to encourage innovations. Some of these recommendations include framing regulations to allow processing personal data in connection with mergers and acquisitions without requiring consent and creation of a Sandbox for controlled and regulated testing.

The Report also proposes that the Data Protection Authority keep in mind the interest of start-ups while framing regulations. This could be in the form of exemptions from certain compliance for start-ups registered in India.

An exciting prospect in the Report is the recommendation on creation of an indigenous financial system that can be an alternative to SWIFT. Considering the success of the UPI and India Stack, this can further revolutionise financial transactions in India.

A calibrated and well-defined approach to monetising data can open up India to limitless possibilities in innovation and service delivery.

A clear picture is emerging on how our government is thinking about data. The message seems to be that Indians are not a product and their data does not come free and that data must be used judiciously, primarily for the benefit of the society to which it belongs.?