[Editorial] Our data, not for sale

Context

The Ministry of Electronics and Information Technology (MEITY) has recently released the “Draft India Data Accessibility & Use Policy 2022”.

What the editorial is about?

The reason why the draft data accessibility policy is dangerous.

Draft India Data Accessibility & Use Policy 2022

Objectives

• The policy aims to “radically transform India’s ability to harness public sector data.”
• If passed, it would govern, “all data and information created/generated/collected/archived by the Government of India” as much as, “State Governments [who] will also be free to adopt the provisions of the policy”.
• The twin purpose to which this data will be put will be government-to-government sharing and high-value datasets for valuation and licensing.

Major issues associated with the draft policy

• There are three clear reasons why this policy deserves a relook.

Dilution of original objectives in favour of commercial interests

• The (first and) immediate risk arises when a government starts licensing citizen data.

Database for every aspect of our life

• Over the past three years, there has been a rapid expansion in the nature and scope of our most intimate details.
• While the middle classes faced the mendacity of voluntarily linking their Aadhaar to their bank accounts and mobile connections, today, the digital sweep is all-pervasive.
• For agriculture, there is an Agri stack; for unorganised labourers, we have the e-SHRAM portal; in health, we have Arogya Setu and ABHA (Ayushman Bharat Digital Health Mission); and for school children and teachers there is NDEAR (National Digital Education Architecture).
• For every area of our lives, the government now has a database filled with our personal data.

What is the purpose of this data collection?

• The stated purpose for collection has been improving service delivery, planning and checking leakages.
• Public data is now being viewed as a prized asset of the Union government that should be freely shared, enriched, valued and licensed to the private sector.
• Given that more data means more money, commercial interests will prompt the government to collect granular personal details through greater capture and increased retention periods.
• Tying government policy determinations with a fiscal potential may also lead to distortion of the aims of data collection — the welfare of farmers, healthcare, unorganised labourers or even schoolchildren.
• There is no indication that consent will be sought in a meaningful form.
• Over time, the original objectives for which databases are built will get diluted in favour of commercial interests.

Transparency related values and objectives are absent

• The second issue emerges from the disingenuous phrasing of “making data open by default”.

Why open data is important?

• The World Bank notes that one of the first benefits of open data is that it supports “public oversight of governments and helps reduce corruption by enabling greater transparency”.
• These principles were recognised in past policy pronouncements of the government.
• Specifically, the National Data Sharing and Accessibility Policy, 2012 and the implementation guidelines formulated in 2017 refer to the Right to Information Act, 2005.

Then, where lies the issue?

• Within the present draft data accessibility policy, while the phrase “open data” has been used, its values and objectives are absent.
• The primary, overpowering objectives in the draft data accessibility policy and the background note are commercial.

Absence of legal basis

• The final area for reconsideration is a larger trend of policy-based administration detached from our constitutional framework.
• Compounding this problem, the present policy, like many others, is untethered to any legislative basis and contains no proposals for the creation of a legal framework.

Significance of having a legal basis

• As per the Supreme Court’s Puttaswamy judgment on the fundamental right to privacy, the first ingredient to satisfy constitutionality is the existence of a legal, more often a legislative, basis.
• Without a law, there is an absence of defined limits to data sharing that are enforceable and contain remedies.

Inadequate provisions for privacy preservation

• In this case, the promise of privacy preservation through anonymisation tools holds little promise when it cannot be independently assessed by a body for data protection.
• Even heavily sampled anonymised datasets are unlikely to satisfy the modern standards for anonymisation set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model.
• This becomes vital as it is the principal measure suggested in the draft data accessibility policy.

Need of the hour

An independent regulatory body or penalties

• Such risks will become a reality without an independent regulatory body or penalties.

Parliamentary enactments

• It can also help bring accountability through deliberation that furthers foresight and contains financial memorandums – given that public money would be spent to enrich datasets of public data.

Need to deliberate further in the Rajya Sabha

• Since the policy contemplates sharing data between databases of the central and state governments as well as through central funded schemes, it may also be prudent to deliberate further in the Rajya Sabha.
• Federalism becomes a relevant issue given that such data, when it is generated, processed and enriched by state governments to comply with interoperability standards, will lead to revenue generation for itself.

Conclusion

• Draft India Data Accessibility & Use Policy 2022 will allow the government to enrich and sell data to the private sector, will risk prioritising commercial interests over privacy. So, it needs an urgent relook.