Data. Basis for research. Input for knowledge. Grounding for understanding. Stable object. Reusable goods. Asset. Tool of power and domination. Subject of legislation and governance.
The once humble data today denotes all the above and much more. Activated across contexts and aggregated with others, ever-growing in quantity, range, and value with implications across the social, economic, political, and technological fabric. The complexity with not only humans meeting, working, playing, shopping, and interacting online leaving gigabytes of data crumbs, but potentially machines in an IoT-enabled world.
Data continues to be at the heart of driving economic, social, and political transformation around the world. Big tech has come up primarily over the last 25 odd years since when data flows have surpassed what took centuries to develop: trade flows and financial flows.
In such times, the world has been looking up to India as the Indian government tries to enact laws both for personal data protection (awaiting Parliament’s approval) and for non-personal data protection.
The non-personal data protection framework
A committee was formed under the chairmanship of Infosys co-founder Kris Gopalakrishnan to suggest the framework of non-personal data protection. The committee is said to have consulted top companies such as Amazon, Uber, and Microsoft, besides international experts.
The committee submitted its recommendations earlier this month. Like any report on a complex subject, there are contentious issues to tackle and the report creditably brings out clarity on several subjects while leaving ambiguities on some others. The report is out in the public domain and feedback is to be submitted before mid-August, after which it is taken to its logical conclusion.
The report defines non-personal data across three categories of public, community, and private depending upon ownership and origin of creation, looks at issues of consent for anonymisation, and acknowledges the sensitivity of such data and recommends setting up a non-personal data protection authority having an “enabling and enforcing” role.
According to the report, non-personal data is defined as any data which is not personal or personally identifiable and includes such data as was originally personal but has been anonymised. Such data may consist of weather information or other public infrastructure information which when looked at in a collective analysis can provide insights into improving public services.
Data business—the collection, storage, processing, and managing of data on a large scale—is a welcome concept that can lead to an exciting future. The committee recommends regulating the same.
The report has been criticised for leaving out defining “data transformation techniques” to anonymise data which could lead to exploitation owing to data compromise.
The Indian government is taking recourse in asserting sovereignty and leadership with a billion-plus people consumption market as also due to the possible vulnerability of data exploiting or colonising fears. To the extent that there is an overarching role of the state in defining and determining the use of non-personal data for “national security, law enforcement, legal or regulatory purposes,” apprehensions of state surveillance are bound to be reported from various quarters.
The committee defines three purposes for data sharing: sovereign, core public interest, and economic purpose. Provisioning for requesting data to encourage competition or providing a level-playing field is perhaps the biggest contentious issue as reported by several quarters.
Privacy, data governance, user safety, surveillance, data anonymity, data breaches, data protection, data regulation, data handling ethics are all closely related issues with data being at the heart of many of the major world fiascos, the U.S. elections being the most visible case in point. The all-pervasive importance of data issues is being recognised with GDPR in Europe, California’s similar statute in the U.S. and other major governments worldwide following suit.
The value and vulnerability of data cannot be appreciated enough. Like the Internet and cloud computing becoming accepted parts of doing business in the past, the time for data governance has come. From a mere business target-enabling tool to also becoming the instrument of state power-wielding is, however where the humble data is; it has surely come a long way but promises to go much beyond.
Data is not a neutral field. Governance is imperative.
The tech giants are on the receiving end of policy shocks from regulations around the world restricting their unlimited powers as nations try to assert control over yet another sovereign “national asset”.
Real life has institutions—not that they are perfect—that have stood the test of time to, more often than not, deliver. These consist of the executive, judiciary, polity, civil society, law, the Constitution, and others.
Platforms need to incorporate public values—privacy, probity, security, truth, fairness, accountability, democratic control—and deliver public good, and not the other way round.
Regulation is important and to that extent, the non-personal data regulation report provides a useful framework as the first step in legislation trying to catch up with ever-racing-forward technology while addressing contentious issues in the data universe. An unambiguous approach is what could clear the way to arrest manipulative practices, disputes, and policy logjams benefitting the larger public and not the vested interests.
Striking the right balance between effective data privacy, security, and innovation is the key to help expand the economic opportunity for India.
Views are personal. The author is Executive-in-Residence at ISB and at UCLA, and a global CEO coach and a C-Suite + Start-up advisor.