India's Non-Personal Data (NPD) framework

India's Non-Personal Data (NPD) framework

Knowledge repo, archives and collaborations

Nadika N

Nadika N

@nadikanadja

Summary of Session: Eminent Domain, Non Personal Data and Rationale for regulation

Submitted Feb 20, 2021

Moderator: Ambika Joshi
Speakers:

  • Dr Usha Ramanathan, Lawyer, Human Rights Activist
  • Beni Chugh, Research Manager, Dvara

One of Hasgeek’s Non-Personal Data Week sessions in January spoke of the NPD framework’s Sovereign Purpose sharing rule and its similarities to the government’s eminent domain in taking over private property such as land, for the purposes of development.
It is against this context that the session on Eminent Domain, with speakers Dr. Usha Ramanathan and Beni Chugh was held.

Dr. Usha Ramanathan spoke first, and said that she was not going to discuss the NPD framework directly, but address how technology and technology regulation has been enacted in India, and how those are also being reflected in other countries in the world. Making an example of Financial Inclusion or Unique Identification rollout and how the basics of such schemes have either been exported to African or Far East countries, and how they don’t really mean financial inclusion or service delivery for citizens.

Usha said, “So the idea that the state can take private land and convert it to a purpose that the state thinks is a public purpose. How have people responded to that? How have institutions responded to that? And the question that could well be asked is why is this relevant in the context of technology, because the uses to which technology is being put the various kinds of relationships that are being developed, and which are evolving between technology and technology controllers, between technology controllers and the state, between the state and the resource that’s being created. All these have already been experimented in political philosophy before they are not new.”

Usha said that the relationship between the people and the state has changed, and as technologists, we must understand the constitution before we deal with the conflict between people and technology.

Citing the land acquisition act which allowed for the government to take over public or private lands without encumbrance, without a due-process of asking for and clearing any objections, Usha explained that a similar idea in the Non-Personal Data framework is the idea that data has reached a point where it is “non rivalrous” and free to be used by anybody.
“This is not like I said, a new notion. So this idea of cutting off the person from what belongs with them, regardless of what is done with it after that, is a notion that has existed for at least 140-150 years. And we are seeing that comeback in the context of data,” she said.

Usha cited further examples, including how taxes and the GST rollout happened, and the Aadhaar ID programme, and said, “See, today, we are seeing a relationship between the state and business interest, which is, you know, we’ve gone through many phases of this where this collaboration of various kinds today, we are actually seeing them working together and refusing to acknowledge rights in people.”

Beni Chugh, Research Manager at Dvara, on the Future of Finance project, responded to Usha.
In her response, Beni said her analysis of the Non Personal Data (NPD) framework is coming from an economic perspective and she asks, “what is the market failure” that the NPD is aiming to solve for.
From her specialization of financial inclusion, Beni said that the market has failed in consumer protection, and thus it makes the case for a government or regulator to step in. So from that perspective, what is the NPD regime doing? What requires the creation of new institutions, what articulated market failure demands the setting up of a Non-Personal Data Authority (NPDA), and the institutions such as Data Trustees?
Making the point that the data collected by various institutions of the government is data owned by citizens, Beni said there is rationale for the government to open up its data and share it back to the citizens, in a “reverse” of the Eminent Domain, but there was no reason to mandate the sharing of data collected by private organisations.
“Ultimately, the government doesn’t really own it (data). And it’s the public’s money that has gone into collection of it. So there is a case for opening up, the public needs collected data,” she said.

She states that academic literature exists that shows mandating data sharing has led to the market being less competitive. “Legally as well as economically, what is the merit of asking private enterprises to open data and what its potential downfall could be?”

Based on what the NPD framework envisages as public use, it is very vaguely defined and wide in scope, and that anything could be made to fit into it. There is no principle guiding this usage of public good clause in demanding data sharing. Further, irrespective of how badly it is followed or enforced, personal data at least has some principles guiding its use, and there are established rules for data protection, data use. However, when it comes to NPD, there are no fetters, and that there are no guidelines for data minimisation, limitation of use and no consent in how NPD is used. Beni used the term ‘Blank Cheque Consent’ to describe this.

She further said that empirical research has shown the principle of ‘Diminishing marginal utility’ of data operates, and each additional unit of data yields lesser value. So the business-rationale for collecting data goes down, but the risks to privacy goes up.
“We need to take a step back and kind of look at the two next to each other and see where the optimization is, and where we really need to draw that line,” Beni said.

Drawing a parallel with land as property and data as property, even with eminent domain, when the state takes over private property, private land, and provides an alternative parcel of land to the individual, one could make the argument that the right of ownership over that property has ceased to exist and a new right has been created in the new property. However, with data, that association with the data never ends and there is no mechanism in which the state or other operators can provide “alternative data” in return for what has been taken over.

“It’s not fungible, which is to say that tomorrow, if my data is leaked, you cannot say, ‘here take the new data points about you’, it’s not going to work out like that.”

The NPD report doesn’t define harms from data sharing, except for privacy harms, and that too isn’t fully defined. “We may not even be able to gauge the full magnitude of the harm beforehand, right? So the report itself is kind of conditioned on a conflict,” she said, and listed other harms that could arise from the NPD framework, including marginalisation, exclusion.

Saying that the underlying principle of the NPD framework was to benefit communities, Beni said that the report as currently framed does not actually do so.
“But actually, when I come to NPD, and when so many people’s data are meshed together, and people don’t even know what’s happening to their data, there is absolutely no sense of community.”

Beni summed up her response with the four concerns she has with the NPD framework:

  • Lack of rationale for asking private players to share NPD.
  • A wide, loose definition of what is public good.
  • Lack of nuance in constituting what is community.
  • Weak conceptualization of harms arising from data sharing.

Comments

{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}

Hosted by

Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more