The Ministry of Electronics, and Information Technology ('MeitY') on February 22, 2022 released the Draft India Data Accessibility and Use Policy ("Draft Policy"), with the stated overarching policy objective of "radically transform(ing) India's ability to harness public sector data" towards achieving the goal of becoming a $5 trillion-dollar digital economy. Broadly, the Draft Policy is applicable to government data, which is to be open and shareable by default unless otherwise categorised under either a negative, non-sharing and prohibitive list or a restricted list. The Draft Policy, as such, can be said to have two specific focus areas: (i) designing a policy framework to enable and facilitate government wide and integrated searchable database(s) for government to government ('G2G') data sharing and; (ii) identification of High-Value Datasets ('HVDs') including datasets that have undergone value enhancement, addition or transformation to be monetized and priced appropriately.
To achieve the above highlighted objectives, it proposes a dual institution framework primarily comprising of an India Data Office ('IDO') to be housed under the ministerial structure of the MeitY and an India Data Council ('IDC') which will be constituted by an India Data Officer and Chief Data Officers of different government departments as its members. The IDO under the Draft Policy has been principally tasked with providing access to HVDs to researchers, start-ups, enterprises, individuals and government agencies, through licensing frameworks and valuation models, and for monitoring its implementation/enforcement. The IDC will complement the IDO, and will bear the responsibility of coordinating data sharing across governmental entities, specify data quality, anonymization and meta-data standards, provide technical support and periodically evaluate the performance of the members of the IDC.
The Draft Policy, on an overall examination, is an interesting document because the MeitY touches upon on an important thematic area of data regulation, which materially impacts the informational privacy of individuals in their day-to day interface with governmental agencies. However, there are fundamental issues that are associated with what the proposals outlined therein, and two concerns are highlighted below:
Absence of a Legislative Framework: The Draft Policy, for all practical purposes, recommends throwing open the floodgates of data collected, generated, accessed by the Central government i.e. what it classifies as 'non-personal or anonymized data' to the start-up and entrepreneurial ecosystem, individuals and researchers etc., through a paid licensing regime. However, it is noteworthy that the applicability extends to even personal data including Aadhar, Unique Health ID, Permanent Account Number etc., as the Draft Policy claims to cover all data and information created/generated/collected/archived by the Central Government directly through various ministries, autonomous bodies and authorised agencies.
The implementation of the Draft Policy, which envisages the sale of enormous troves of government data to private entities, through an institutional structure to be set up using public funds without a validly enacted legislative framework, is unlikely to pass the muster of a functioning constitutional court. It also possibly infringes on the informational privacy rights of citizens because of the possibility of inter-linkages of non-personal datasets, wherein an individual maybe identified through triangulation, enhancement of existing 360-degree surveillance databases due to G2G data sharing, risks of re-identification due to reversibility of anonymization etc., must necessarily be based on anchoring legislation, as recognised by the Supreme Court in K.S. Puttuswamy v. Union of India. Further, it is worthy of mention that the Joint Parliamentary Committee ('JPC') has submitted its report to the Parliament including the Data Protection Bill, 2022. And, logically, in a country such as India, which is based on the rule of law, any policy like the Draft Policy, ought to have waited for the enactment of a data protection legislation or be guided by the principles contained therein.
Therefore, in the absence of a specific legislative framework, and a robust data protection law with minimal governmental exemptions and which places strict limitations on the collection, use-purposes, retention of data, - Data licensee entities including start-ups and enterprises that access government databases for commercial use, could be potentially exposed to significant future risks and liabilities.
Lack of policy clarity and direction: It is well recognised that the governmental as a whole, and also across departments - collects, maintains, and has access to large-scale data. And, for that reason, there is evidently enormous scope to utilize such data for careful, participative evidence-based policy making, conducting performance audits of government schemes, and sharing with other entities for innovation/research only after necessary data security safeguards are ensured. Globally, as well, Open data initiatives such as the one proposed by MeitY, have been piloted by multi-lateral institutions like the United Nations, with the aim of enhancing transparency and accountability in public delivery of services as well as encouraging high level innovation and research. In respect of the same, there is a need to ensure consistency, balance and clear risk-safeguarding through clearly defined legislative measures, to allow participants in the ecosystem that include (i) Departments and ministries to invest time and resources for seamlessly and securely implementing policy recommendations and make available reliable data; (ii) Private entities to undertake compliances related to instituting strict data access control measures, in addition to implementing effective anonymization standards.
However, as recently confirmed by the report of the Comptroller and Auditor General of India ('CAG') on the functioning of the Unique Identification Authority of India ('UIDAI') in relation to the Aadhar project, - In India, this specific area of regulation concerning the collection, use and access of data has been marked by uncertainty, and often willful ignorance and deliberate, calculated ambiguity premised on executive writs without any protective legal safeguards such as those described in the foregoing paragraph. Within the last decade alone, the Central Government has placed in the public domain, both at the stage of consultative draft(s) and of operationalization, different iterations of open data access, sharing and use policies that have pulled in different policy directions. Some of the prominent ones include, (a) the National Data Sharing and Accessibility Policy and Open Data Use License, framed by the Department of Science and Technology in 2012 and 2017 respectively, to facilitate the availability of government datasets on the Open Government Data Platform, (b) the Bulk Data Sharing Policy (now discarded due to the social costs of misuse of data), that had been formulated by the Ministry of Road, Transport and Highways ('MoRTH') through which it sold the vehicular registration and driver license database(s) and; (c) the Reports of the Expert Committee on the Non-Personal Data Governance Framework, that released its revised report, only within a year of finalizing its initial set of recommendations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.