Examining the Draft India Data Accessibility Policy
Arshad Shaikh studies the ‘Draft India Data Accessibility & Use Policy 2022’ and finds out how the policy is part of the tectonic shift in governance and the political economy in our country since 2014. While the government and its supporters see it as a major initiative in India’s quest for becoming a $5 trillion economy, critics feel that not only is it dangerous in terms of transparency and privacy but is also another blow to our democratic polity.
In July 2019, Road Transport Minister Nitin Gadkari told the Upper House of Parliament that the government had sold 25 crore vehicle registration records and 15 crore driving licence records. Those who purchased this data were 32 government organisations and 87 private entities. The Minister informed the Rajya Sabha that the government earned Rs 65 crore from this “sale of data”.
This sale was preceded by the publication of the Economic Survey of India 2018-19, which vigorously advocated the concept of treating citizens’ data as a public good that can be sold by the government to generate revenue. In chapter 4 of the Economic Survey titled ‘Data – of the people, by the people, for the people’, Section 4.56 says, “The private sector may be granted access to select databases for commercial use. Consistent with the notion of data as a public good, there is no reason to preclude commercial use of this data for profit. Undoubtedly, the data revolution envisioned here is going to cost funds. Although the social benefits would far exceed the cost to the government, at least a part of the generated data should be monetised to ease the pressure on government finances. Given that, the private sector has the potential to reap massive dividends from this data; it is only fair to charge them for its use.”
Equipped with the above background, the proposed policy released by the Ministry of Electronics and Information Technology (MEITY), titled “Draft India Data Accessibility & Use Policy 2022”, will make a lot of sense. Some of the aims of this policy are, “Maximizing access to and use of quality non-personal data available with the public sector, increasing the availability of datasets of national importance and facilitating the creation of public digital platforms”.
One of the stated objectives is also to protect the privacy and security of all citizens. However, critics have worriedly pointed out that this data accessibility may lead to more data leaks or data hacking than its protection. Hence, it is important to study this newly introduced policy initiative given its broad ramifications and impact on governance and transparency.
DATA AS PUBLIC GOOD
A ‘public good’ is a commodity or service that is provided without profit to the public, by the government or by a private firm. Usually, public goods are administered by the government and paid collectively by way of taxation. Examples include the police, the armed forces and access to clean air and drinking water. To some extent, education and healthcare are still public goods in our country.
Since 2014, our government is unabashedly following a neoliberal agenda and consequently, efforts are directed towards transforming the state from a provider of public welfare to a promoter of free markets and competition. One of the key characteristics of neoliberalism is the privatisation of public goods.
The argument for viewing data as a public good is as follows: (1) data has become cheaper and its consumption has multiplied manifold (2) private sector may not invest in harnessing data where it is profitable, therefore the government must intervene in creating data as a public good, especially in the social sectors of the economy (3) given that sophisticated technologies already exist to protect and share confidential information, data can be created as a public good within the legal framework of data privacy. Once data becomes a public good, its natural outcome is the monetisation of data and its sale to private players for the benefit of the public.
CONCERNS AROUND THE POLICY
The MEITY released a 10-page document on February 21, 2022, called the India Data Accessibility and Use Policy (Draft). We know that the government is sitting on humungous amount of citizens’ personal data, in the form of massive databases like Aadhar (biometric), Agristack (for agriculture), e-SHRAM (unorganised labourers), Aarogya Setu (healthcare), and NDEAR (National Digital Education Architecture).
These databases contain our private and personal information. The government is not the owner of this data. It is only a custodian. Once the government starts believing the data is their property, and starts calling it “open data”, there are bound to be some scams and scandals related to its sale to private business entities.
One of the major concerns flagged around the policy is that it is devoid of any legal framework. In the Puttaswamy judgment, the Supreme Court of India has clearly stated – “Privacy has been held to be an intrinsic element of the right to life and personal liberty under Article 21 and as a constitutional value… any curtailment or deprivation of that right would have to take place under a regime of law. The law which provides for the curtailment of the right must also be subject to constitutional safeguards.”
Therefore, in the absence of any data protection law, the abuse and misuse of our data is bound to take place and the citizens will have no legal recourse available for redressal.
Another critical concern pointed out by critics is the lack of transparency in its drafting. We are not aware of the specific suggestions made by various stakeholders. The draft has avoided following the guidelines of the Pre-Legislative Consultation Policy, 2014 that mandates the spelling out of the financial and social costs, benefits and key challenges and how it intends to overcome them. There are some vague terms like ‘high value data sets’, the pricing and licensing of which has been left to individual ministries. There are issues related to data anonymisation, which is the process of protecting personal information in a database, by erasing or encrypting identifiers that connect an individual to the stored data. There is no information in the draft regarding which anonymisation standard shall be adhered.
It is undeniable that we now live in an age of ‘big data’ and its associated functionalities like data capture, data storage, data analysis, data visualisation, privacy, and data sourcing. The government holds some of the largest amounts of personal data of its citizens. If the government feels that with the capability of “de-identifying” the data and anonymising it, it can generate revenue for itself by selling that precious “de-personalised” data, this concept itself is highly controversial and requires serious debate and discussion.
We know that our economy is dominated by duopolies and oligarchs. Is there any guarantee that our data will not be exploited bypassing all standards of transparency and data protection? The entire data accessibility proposal leads to slippery ground when it comes to privacy and the fundamental rights of citizens.
Europe now has the General Data Protection Regulation (GDPR), which has key privacy and data protection requirements that include mandatory consent of subjects for data processing, anonymising collected data to protect privacy and providing data breach notifications. Until India develops its own GDPR, data accessibility will be a synonym for data theft. Bruce Schneier has correctly inferred that: “Data is the pollution problem of the information age, and protecting privacy is the environmental challenge.”