
View: The bad, the ugly & the questionable about regulating non-personal data

By Nikhil Pahwa

It’s 2025, and for seven years, you’ve been running a company at the forefront of innovation in healthcare. Millions have bought your fitness trackers, and used them to measure their heart rate, body temperature, sleep patterns, physical activity, blood pressure, dietary habits and nutrition intake, apart from also storing their medical reports with you.

Your business is at the centre of a healthcare ecosystem that enables access to cheap insurance, medical consultations and ordering medicines and healthy food online. Using artificial intelligence (AI), you crunch millions of data points collected, and help users and their doctors identify potential health risks. Business is booming. But you have a problem.

The 25,000 data points you collect on each user each day are at the core of your ability to differentiate, and validate the risk you took starting up. A competitor, launched recently, wants your company’s anonymised data. You’ve refused, but your competitor has now gone to the Non-Personal Data (NPD) Authority to demand this data.

The uncertainty around this decision is impacting your next round of funding, and your prospective investors want to know how you’re planning to deal with this.

This imagined scenario — a nightmare for both founders and investors — could become reality if GoI follows through on the report submitted to it by a committee of experts on NPD led by Infosys co-founder Kris Gopalakrishnan. The committee has recommended the creation of a regime — a law and a regulator — to enable both government and businesses to acquire ‘non-personal data’.

NPD, according to the report, could be either factual data, or analysis, which has been stripped of any personal identifiers. Thus, while data of what a particular user eats may not be available to competitors of an e-commerce company, details of which age group buys burgers via, say, Zomato will be.
Factual information will need to be made available for free. But data where there is value-add may be available to your competitors for a ‘fair, reasonable and non-discriminatory’ price. Large data businesses will have to register with GoI, and mandatorily make data available through ‘data pipes’ to what is being called a ‘Non Personal Data Policy Switch’.

First Mower’s Walled Garden

Gopalakrishnan has highlighted two key rationales for the recommendations. One, that there is a need to disable the first-mover advantage that leads to the establishment of walled gardens. However, this move would hamper innovation, given that, by definition, innovators are first-movers. Incidentally, dominant players like Google and Facebook have not been first-movers in their segments. What’s more, legally, dominance is not a problem, but abuse of dominance is. That is already being overseen by the Competition Commission of India (CCI).

Two, that enforcing sharing of data will unlock its value. While businesses that collect data may do it for one purpose, restricting access to it hinders usage for other purposes, especially by mixing it with other data sets. There is some truth to this. In case of emergencies such as the Covid-19 crisis, access to data from private entities can enable better decision-making by the government. The idea of data trusts is also being explored by countries like Canada to enable voluntary sharing of data for wider public use. However, no country in the world makes it mandatory to share data.

Investors look for the ability of a business to create a competitive advantage for itself, of which, the ability to acquire data and use it to innovate is key.

The fact that competition — or even the government — can take business data away will significantly disincentivise investment in India’s technology ecosystem, and disable the creation of unicorn businesses like Paytm, Zomato, Flipkart and Ola.
It will also hurt exits and destroy value: why buy a business, when you can force it to give up its data by going to the government?

This report also needs to be seen in the larger context of India’s position on data. We have refused to sign the G20 agreement to enable free transfers of data across borders. Both the Personal Data Protection Bill, 2019, and this report place restrictions on data being sent beyond India’s boundaries. Importantly, India has claimed that the sovereignty of a country needs to extend to the data of its citizens.

BYOD: Bring Your Own Data

Claims of data sovereignty, meant to address a key internet governance issue of jurisdiction, are very different from this committee’s recommendation that a government authority can force a company to give away its data to the government or a competitor. Enabling this control would mean an extension of the principle of eminent domain to data sets and intellectual property. Creating the technology-enabled data-sharing framework recommended in the report would make such a forceful action the norm.

This isn’t data sovereignty. It is ‘nationalisation’ of data. India would do well to not take such a drastic step in a domain as open and competitive as the internet.

The writer is founder-editor, MediaNama