Data sharing policies can’t be one size fits all. Crucial to address privacy, ownership

02 May 2024
Data sharing policies can’t be one size fits all. Crucial to address privacy, ownership

Opinion: Palash Baruah and DL Wankhar.

The Indian data market remains in its infancy due to regulatory ambiguity, despite the global trend of enterprises monetising various types of data.

The potency of data becoming a critical asset is now a reality. Familiar phrases such as “data is the new gold” or “data is the new oil” underscore its value. In the growing pile of information, we need a new shovel to dig up gold.

The Internet of Things (IoT), Artificial Intelligence (AI), cloud computing (CC) and machine learning (ML) would leverage the utilisation of data. With data being generated at an unprecedented rate and quantity, its monetisation has also been in focus. It is the process of generating revenue or economic value from data assets. This can include selling or trading data to third parties or using it internally.

Data sharing and monetisation in India
Despite the global trend of enterprises monetising various types of data, the Indian data market remains in its infancy due to regulatory ambiguity. Just like elsewhere in the world, India is in the middle of a data revolution with the government being the largest repository of data. There have been several attempts to frame policies and frameworks.

In March 2012, the National Data Sharing and Accessibility Policy (NDSAP) was published with the objective of increasing the accessibility and facilitating easier sharing of non-sensitive data generated using public funds by various agencies of the government of India, for scientific, economic, and social developmental purposes. It excluded, among others, personal information, and data related to intellectual property rights such as patents, trademarks, official marks, and identity documents. In pursuance of this policy, the government, through the National Informatics Centre (NIC), set up the Open Government Data (OGD) platform to provide open access through the proactive release of data available with various ministries and departments.

Next was the Kris Gopalakrishnan Committee on Non-Personal Data Governance Framework (2020). The Committee suggested that non-personal data should be regulated to (i) enable a data-sharing framework to tap the economic, social, and public value of such data, and (ii) address concerns of harm arising from its use.

The Committee identified three purposes for Non-Personal Data Sharing—Sovereign Purpose (national security, legal purposes), Public Good Purpose (public good and benefits of society at large), and Business Purpose (sharing of non-personal data between two or more for-profit private entities). But the Committee also cautioned that current methods for anonymising data still leave individuals at risk of re-identification, as research has shown.

India’s first formal foray into monetising data was the formulation of the Draft India Data Accessibility and Use Policy (IDAUP) of February 2022. It laid down that every government ministry and department will identify non-personal datasets and classify them as open, restricted or non-shareable. It also lays down protocols for the sharing of non-personal datasets. The policy further specified the “pricing & licensing” process for high-value datasets (HVD) of the government, which have undergone value addition through defined pricing guidelines. To address privacy concerns, it suggested anonymisation tools be put in place and to include a “negative list” of datasets that will not be accessible to the public. However, this policy got scraped after facing criticism that monetisation of data would go against the principle of open government data.

In May 2022, the government released the revised National Data Governance Framework Policy, which did away with the idea of monetising data. It, inter alia, proposes to launch “non-personal data based India Datasets program and addresses the methods and rules to ensure that non-personal data and anonymised data from both government and private entities are safely accessible by research and innovation eco-system.”

Then, in Union Budget 2023-2024, the government announced that it will launch the National Data Governance Policy (NDGP) to enable access to anonymised dataset, and unleash innovation by startups and academia. It will aim to enhance citizen awareness, participation, and engagement with open data, increase the availability of datasets of national importance, identify suitable datasets for sharing, and improve overall compliance with secure data sharing and privacy policies and standards.

Meanwhile, the Digital Personal Data Protection (DPDP) Act 2023 was enacted with the objective to “provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes…”. In case of any personal data breach, the Data Protection Board of India (DPBI) will be responsible for looking into the matter. The body is supposed to inquire into the breach and impose penalties. However, “data monetisation” as a concept and dealing with the associated privacy concerns has not been specifically spelled out or defined under the DPDP Act.

Need for threadbare approach
Data is one of the most valuable intangible assets. By leveraging it, India can drive innovation, enhance productivity, and address societal challenges across various sectors. Data has grown to be an important resource and services driven by it would be the next thing. It can also provide useful inputs for policy formulations and assist government agencies in identifying issues at the granular level.

The sovereign authority commanded by the government enables its agencies to collect vast amounts of data, with little hesitation or reluctance from the public in sharing information. Hence, data collection cannot be solely driven by profit motives. Security and privacy concerns require serious and adequate attention.

The overall legal framework should include adequate, stringent and well-balanced provisions. The lesson learned from the scrapping of the government’s policy, which allowed private entities to access the vehicle registration databases Vahan and Sarathi, and the Indian Railway Catering and Tourism Corporation’s (IRCTC) roll-back of a tender for hiring a consultant to monetise its passenger and freight customer data should be kept in mind. With the advancement in AI models, the possibility of “de-annonymisation” or “triangulation” or matching the data with other available databases with the ultimate aim to misuse is now becoming a greater possibility and threat. Another issue that needs equal attention is the possibility of data storage systems and networks being hacked.

India’s cautious approach to data sharing and monetisation reflects the need for nuanced strategies amid rapidly evolving technological landscapes. It is becoming more apparent that a ‘one size fits all’ approach will not work. It is crucial for the government to address key challenges related to data privacy, ownership, quality, and standardisation in a threadbare manner.

Dr Palash Baruah is Associate Fellow at National Council of Applied Economic Research (NCAER), New Delhi and DL Wankhar is a retired officer of the Government of India. Views are personal.

Published in: The Print (online), 02 May 2024