The Committee of Experts (CoE), led by Kris Gopalakrishnan, has released a revised report on the Non-Personal Data (NPD) Framework (NPD Version 2) report on 16 December 2020. The revised NPD report is available at https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf
The CoE is inviting comments and responses to the revised report, the deadline for which is 27 January 2021.
Add your submissions - responses, comments, questions - to Version 2 here. The Privacy Mode team will consolidate the responses and share with the CoE in January 2021, when launching responses to Version 1 of the report.
Add submissions on https://hasgeek.com/PrivacyMode/non-personal-data-version-2/sub
NPD Committee should tighten incentives and accountability for different stakeholders
There’s much to like in this new report. First among them is the fact that it restricts itself to a narrow goal — of opening up non-personal data for public good purposes. It explicitly stays away from being a general non-personal data governance framework, which would have included direct government access to such data and B2B sharing of data (as was there in the first report). While not explicitly stated, this narrow goal also speaks to a market failure — that data has positive externality, i.e. it can benefit more people than just the one who collects it, but the collector has no way to monetise others’ benefits. Mandatory sharing of non-personal data is a credible way to solve it.
Another thing to like in the report is that, if done well, it could create transparency in the data-sharing ecosystem. It envisions creation of high-value datasets that will be accessible to all organisations registered in India, without discrimination. Theoretically, this will level the playing field and also build trust among stakeholders, since they will be able to see what kind of data is available for use. Most existing data-sharing mechanisms in India are meant to serve government access, and have very little transparency built into it. Therefore, this ‘deliberate friction’ in the NPD report deserves appreciation.
The report, however, falls short in being rigorous and detailed about translating its lofty principles into practical guidance. Ambiguity into how these concepts will be implemented will create uncertainty for businesses, unnecessary discretion with quasi-regulatory bodies, and even failure of the framework to catalyse data-sharing at scale. To bridge this gap, the committee should pay special attention to the following:
1) Think about incentives and enforcement that ensures ‘public good’ objectives. Currently, it is unclear what level of operational discretion a data trustee has in order to ensure appropriate use of data, what data requestors can do with that data, and how they will be held accountable to the ‘public good’ function post-facto.
2) Define the ‘duty of care’ better and provide enforcement and accountability tools. Keeping aside the question of whether protection from harms and unlocking value are conflicting aims within the same framework, the bill imposes a ‘duty of care’ on certain stakeholders without providing them specific guidance or holding them accountable.
3) Guard against expanding too much government in data markets. A powerful non-personal data authority (NPDA) will determine who is a data trustee and will adjudicate on disputes. Because India has low state capacity, the NPDA could turn more restrictive than enabling. It’s role and functioning should therefore be based on regulatory best practices.
In addition, some hygiene factors need to be taken care of to avoid ambiguities in the framework. For example, the scope of mandatory data-sharing is unclear, and it is unclear why the meta-data directory needs to be open to all entities. There is a recurring theme of restricting the framework to organisations ‘registered in India’ — which needs greater justification.
I have arrived at these suggestions by evaluating the institutional architecture of this framework — who are the stakeholders, what is their (intended) role, why should they play this role (i.e. incentives) and what happens if they don’t (i.e. accountability). This is an important lens because one cannot rely only on the benevolence of different stakeholders to act in public good. Scroll down for my notes and specific recommendations.
Analysis of Key Stakeholders
How they’re appointed: Government or non-profit body (Section 8 company/society/trust) can apply to NPD Authority to host a HVD. Once approved, it becomes trustee of NPD.
Role: (i) creation, maintenance, data-sharing of HVD (ii) ensure HVDs are used only in the interests of the community (iii) ensure that no harms to people due to re-identification (iv) set up grievance redressal mechanism for community (v) complaint to NPDA about harms emerging from sharing of non-personal data about their community (vi) storage non-personal data as per the personal data protection bill requirements for the personal data underlying the NPD
Incentives: (i) Can charge a ‘nominal charge’ from data requesters for data infrastructure, data processing etc. but not towards data collection (ii) Create HVD that might benefit related entities financially or operationally (iii) altruistic goals — research, social good, etc.
Accountability: Unclear. Presumably to NPD Authority.
My Take: Data trustees are the most important actor in this framework. There will presumably be hundreds of trustees created under this framework. If regulatory oversight is too tight, it will stifle the very purpose of the report. If it is too loose, it could be misused to benefit certain corporate interests over others. Therefore, I suggest five ways to strike a balance-
a) It isn’t clear how the data trustee can fulfill its functions (ensuring dataset is used only for benefit of community; no harm, data requests not being ‘generic or broad-based’ etc.) without some discretion in who to give access to. Discretion, however, may conflict with the ‘no-discrimination’ rule. The report should clarify this. My suggestion is that the trustee should have less discretion — it cannot block a data request, unless it appeals to the NPDA. Greater discretion will create incentives for regulatory capture and corruption.
b) Many non-profits are institutionally linked to corporate entities. Despite an obligation to not discriminate between data requesters, data trustees could unduly benefit a related corporate entity because of weak enforcement in India and lack of financial incentives for data trustees. Therefore, the NPDA should be mandated to set ownership and funding criteria if a non-profit wants to be data trustees, such that corporate-linked non-profits can be excluded.
c) Data requesters should be allowed to complaint to (a separate quasi-judicial arm of) the NPDA if their data requests have either been denied, or provided on discriminatory terms
d) Since they deal with the community’s data, data trustees should be mandated to be transparent, by releasing publicly annual reports that list the HVDs it operates, the data it contains, how many requests it got, from whom, etc. The specifics could be delegated to the NPDA.
e) This is a unique opportunity to provide recourse against group harms like algorithmic bias against racial, ethnic or religious groups. These are not adequately covered by the personal data protection bill (since harms are at a community level), and could be brought in here.
How they’re appointed: Any organisation that collects, stores, processes or manages data (i.e. data business), except those that process data collected by another entity (i.e. data processor). Entities may be classified as data businesses based on certain threshold of data collected/processed, as defined by NPDA. Data businesses above a certain threshold — to be determined by NPDA — will need to register (presumably with NPDA). Not clear if both thresholds will be the same.
Role: (i) share data with data trustees when data requests are made (ii) ensure no harm to data principal from re-identification (iii) use best anonymization technique and data sharing protocols (iv) share meta-data with NPDA
Incentives: No incentives specified.
Accountability: If a data custodian denies a data trustee’s request, the latter can appeal to the NPDA. Other accountability measures (e.g. related to duty of care towards community) undefined.
My Take: Data custodians will need to meet a new set of obligations if this framework is actualised through law. The repercussions of not meeting those obligations needs to be defined further, to provide more certainty for businesses. This version addresses most of the competition concerns from the first report, but some issues remain.
a) Data custodians have no incentives; only obligations. Data trustees — which make no investments in collecting the data — have financial incentives. This could dis-incentivise custodians from collecting socially useful data. Therefore, the framework should mandate that the trustees share a share of revenue with the underlying custodians, on terms that may be specified by the NPDA later.
b) The scope of mandatory meta-data sharing is unclear. Section 6.1(V) seems to indicate that all data businesses will need to share data, whereas Section 6.3 seems to indicate that only registered data businesses will need to. This should be clarified.
c) Depending on this clarification, the purpose of registration may need to be clarified if the interpretation from Section 6.1(V) holds.
d) Since the purpose of the meta-data directory is to enable creation of HVDs, access to it should be restricted to potential data trustees (i.e. government or non-profits), rather than all organisations registered in India — a group that could include potential competitors of the data custodian.
e) The ability of data trustees to complain about harms from non-personal data — which will presumably be either against a custodian, processor or trustee — is included but not defined. It should be defined. Moreover, the right to complaint should be extended to all individuals (the equivalent of a PIL), so that NPDA-appointed trustees don’t act as gatekeepers for rights violations.
How they’re appointed: Any organisation that processes non-personal data on behalf of a data custodian. Thresholds similar to data custodians.
Role: (i) ensure no harm to data principal from re-identification (ii) use best anonymization technique and data sharing protocols (v) share meta-data with NPDA
Incentives: No incentives specified.
Accountability: Accountability measures (e.g. related to duty of care towards community) undefined.
My Take: Data processors are not expected to share non-personal data with data trustees, unless it collects such data itself. However, specific obligations around sharing meta data and accountability for non-personal harms are unspecified, as noted above.
How they’re appointed: Any organisation registered in India can request for data from data trustees, and need to pay a ‘nominal fee’. Individuals cannot ask for data.
Role: (i) Use requested data only for specific purposes, and to benefit greater good (ii) storage non-personal data as per the personal data protection bill requirements for the personal data underlying the NPD
Incentives: None specified. Report says that a requestor can use data to benefit greater public good, but is silent on using it for private profit.
Accountability: None specified.
My Take: The framework aims to benefit organisations that seek data from high-value datasets. It uses principles like ‘specific purpose’ and ‘greater good’, without clarifying what these mean, how they will be interpreted or enforced. To avoid any such confusion, the committee should provide more details.
a) The report says that non-personal data sharing should benefit greater public good, but does not lay out a process for ensuring it. The process could require a requestor to specify the purpose for which it would use the data. The data trustee should be obligated to provide that data, unless it chooses to dispute it with the NPDA.
b) Relatedly, the report is silent on what the data requestor can do with non-personal data (i.e. equivalent of ‘licensing requirements’). Can it combine datasets and create proprietary data? Can it make data freely accessible to the public, thus bypassing the data trustee? Just like with open source software, the NPD law can impose licensing requirements on requestors, to be determined by the NPDA at the time of approving an HVD. Using NPD for private profit should be an acceptable use — anything else will prevent start-ups from using these datasets.
c) There is no post-facto accountability to ensure that the data requestor used the data for specified purposes. This is understandable and desirable because too many restrictions might defeat the purpose of the framework. However, the framework should have a mechanism for complaints by either trustees or individuals, to be adjudicated by (a quasi-judicial arm of) the NPDA.
d) As stated in the report, the purpose of non-personal data is to benefit India and its people. Companies registered abroad may provide such benefits too, especially young foreign start-ups for whom registering in India is cumbersome and expensive. Therefore, access to HVDs should be open to any organisation that is using it to benefit Indians — which can be monitored by the relevant data trustee.
Non-Personal Data Authority (NPDA)
How they’re appointed: Only says that it ‘must be created with industry participation and should be harmonised with other (regulatory) bodies’
Role: (i) ensuring unlocking economic benefit from non-personal data for India and its people (ii) create data sharing framework (iii) manage meta-data directory (iv) establish rights over Indian non-personal data (v) address privacy and re-identification risks, and prevent misuse (vi) adjudicate when data custodian refuses to share data with trustee
Incentives: None specified.
Accountability: None specified.
My Take: The report misses an opportunity to suggest a transparent, predictable and targeted regulatory regime. It says very little about the appointment and powers of the NPDA, arguably the most powerful stakeholder in this scheme. In light of India’s mixed experience with so-called independent regulators, the committee should suggest some best practices on regulatory governance, including:
a) The board of the NPDA should have a majority non-executive members (i.e. non-employees). Board members should be appointed by a govt committee — ideally with opposition or judiciary representation — and should not be removable before the end of their term, except in cases of misdemeanour. Other service terms should also be fixed during a term.
b) NPDA must be mandated to organise a public consultation process before bringing out a new regulation. This should include a cost-benefit analysis, public consultation, revision of draft, another round of consultation, and a final regulation that responds to major comments received.
c) Judicial functions of NPDA — e.g. resolving disputes between data trustees and data custodians — should be with a different entity, whose officers are trained in law and appointed by a majority judicial body. This will maintain ‘separation of power’ and ensure specialisation.
d) NPDA should submit detailed annual reports to Parliament (and also make it public), meet with the Parliamentary IT Committee every quarter and release publicly detailed minutes from its board meetings. This will ensure accountability and transparency of the NPDA.
e) For any investigative or enforcement functions (e.g. in addressing misuse of data), the NPDA should create and enforce SOPs that provide businesses clarity on what to expect. Not doing so will create uncertainty for tech businesses, and thereby hamper innovation in the economy.
f) In situations of low state capacity (like in India), regulators often respond by limiting the number of entities that it regulates. Such behaviour will be harmful under this framework, since NPDA determines who is recognised as a data trustee (and, by extension, as a ‘community’). Restricting the number of data trustees will limit the rights of communities over their data. Hence, NPDA should be mandated to provide in writing, and within a few weeks, responses to all those who apply to be a data trustee. The rejected applicants should be able to challenge the decision.