Take 2: MeitY's attempts at data governance continue to fall short

tl;dr

The Ministry of Electronics & Information Technology (MeitY) published the Draft National Data Governance Framework Policy (National Data Governance Policy) for public consultation on May 27, 2022. The policy, which seeks to improve “governance through a whole-of(-)government approach towards data-led governance”, fails to adequately address resultant concerns regarding data privacy and citizen rights. In this post, we provide a brief overview of the comments we submitted to MeitY as part of this consultation process. Read our complete comments here.

Why should you care?

The National Data Governance Policy seeks to harness citizen data to improve governance, which includes interdepartmental data sharing and creation of non-personal or anonymised datasets. However, it fails to consider the risks associated with these actions, thereby putting citizen data at risk.

Think about the various categories of data that you share with the government such as your name, gender, address, phone number, income, details about your bank account, domestic and foreign travel, marriage, any vehicles you own, details about your health, sexual orientation, disease history, blood type etc. The list goes on and on. Now imagine all of this data being collated and made accessible to government employees with no safeguards in place to ensure your right to privacy is protected. In addition to the data being vulnerable to breaches, this would also result in the creation of 360° surveillance databases.

What does the National Data Governance Policy do?

On May 27, 2022, MeitY put out the National Data Governance Policy for public consultation. The National Data Governance Policy incentivises the collection of data and the creation of datasets by government departments to fulfil its objective of data-led governance. Under Clause 6.2, it envisages a government-to-government data access ecosystem. For this, it mandates the creation of searchable data inventories.

The National Data Governance Policy creates the India Data Management Office (IDMO) as an institutional framework for its implementation under Clause 5. The IDMO has been tasked with the framing, managing and periodical review, and revision of the Policy. Further, the IDMO will also be responsible for developing rules, standards, and guidelines under the National Data Governance Policy.

Clause 6.3 of the National Data Governance Policy directs the IDMO to enable and build the India Datasets program. The program will consist of non-personal and anonymised datasets collected from government entities which have collected citizen data in India. Further, private entities shall also be “encouraged” to share such data. To ensure informational privacy is maintained, the IDMO will set and publish data anonymisation standards and rules as per Clause 6.5.

Our concerns with the National Data Governance Policy

  1. Faulty consultation process: Remember the Draft India Data Accessibility & Use Policy, 2022? Released on February 21, 2022, it immediately faced widespread criticism for its objective of commercialisation of citizen data and for enabling government surveillance by authorising interdepartmental sharing of citizen data. It also received significant backlash due to the manner in which its consultation process was carried out as well as for the provisions it contained. On March 6, 2022, it was noticed that MeitY had made substantial changes to the Draft Data Access Policy during the consultation period, without any public acknowledgement. The existence of multiple versions of the policy in the midst of an active consultation process resulted in confusion among stakeholders, effectively rendering the process suspect. Reports suggest that the National Data Governance Policy is a new iteration of the Draft India Data Accessibility & Use Policy. However, this raises several questions such as why the Draft India Data Accessibility & Use Policy consultation process was discontinued, why a fresh consultation process for the National Data Governance Policy was started instead, and what is the status of the Draft India Data Accessibility & Use Policy. The ambiguity around the status of the Draft India Data Accessibility & Use Policy, and its relation with the National Data Governance Policy can adversely impact the present consultation as stakeholders may be unaware of how these policies are related, and what implications that has from an operationalisation perspective.
  2. Absence of a specific data protection law to ensure protections: The right to privacy is an individual right which attaches itself to the person and allows them to exercise control over the extent and manner in which they want information about themselves, i.e., their data to be processed. Presently, India does not have a specific data protection law which would regulate the collection and processing of citizen data by the government. In the absence of such a law, citizen data may end up being processed and stored beyond the purpose of its collection leading to a violation of their privacy. Framing, and subsequently operationalising a National Data Governance Policy in the absence of an adequate data protection law poses a risk to the individual right to privacy. The boundary between personal and non-personal data is not protected by any provisions that penalise re-identification of individuals based on data that has been deemed to be ‘anonymised’. Without any means to enforce purpose limitation on datasets, they can also be used for surveillance.
  3. Absence of any specific legal enactment that authorises the National Data Governance Policy: There is no underlying framework which authorises the National Data Governance Policy which would provide clarity with regard to the need, use and applicability of the policy. The lack of an anchoring legislation also limits the accountability of the authorities who are drafting and implementing the policy. Further, the National Data Governance Policy, in its Preamble, states that it, “addresses the methods and rules to ensure that non-personal data and anonymised data from both Government and Private entities are safely accessible by Research and Innovation Eco-System”. Here, it is essential to ensure accountability in the implementation of the National Data Governance Policy so that all relevant stakeholders are able to access the datasets created without any arbitrariness.
  4. Privacy concerns with respect to enhanced data sharing: The National Data Governance Policy incentivises the collection of data and the creation of datasets by government departments to fulfil its objective of data-led governance and does not contain any provisions for data deletion. As a result, it violates the widely recommended best practices of purpose limitation, data minimisation, and storage limitation. Further, collection of data by multiple agencies can lead to the creation of comprehensive profiles of individuals and may facilitate greater surveillance, thus impeding the efforts towards recognising privacy as a fundamental right flowing from the right to life & liberty under A.21 of the Constitution of India.
  5. Issues with the India Data Management Office (IDMO): In the absence of an anchoring legislation, it remains unclear as to how the IDMO will be operationalised as it does not have the force of authority. Further, with the Data Protection Bill, 2021 proposing the creation of a Data Protection Authority (DPA), it is unclear if the IDMO will be answerable to the DPA since the latter is designated to be the primary authority regulating data protection norms. It is also unclear how the IDMO will be constituted and how its composition will be decided. Since the IDMO is tasked with formulating “all data/datasets/metadata rules, standards, and guidelines” as per Clause 5.2 of the National Data Governance Policy, it is essential to ensure its independence in order to safeguard the rights and interests of the citizens and their data which it is tasked with overseeing. Presently, the IDMO is to be set up under the Digital India Corporation under MeitY.
  6. Regulation of non-personal data through the India Datasets program: The National Data Governance Policy seeks to harness non-personal data through the creation of anonymised datasets. However, international studies show that “current methods for anonymising data leave individuals at risk of being re-identified” and that, “99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes”. These studies highlight the likelihood of re-identification through de-anonymisation of anonymised or non-personal data. This situation is made worse by India’s lack of a data protection law or any protection against such re-identification, which could lead to severe violations of privacy of the citizens whose data would be used to build the India Datasets program. Further, the anonymisation standards under the National Data Governance Policy have not been issued yet, thereby restricting subject matter experts from ascertaining their efficiency. Lastly, the voluntary nature of non-personal data sharing by private entities also raises questions. The National Data Governance Policy states that private entities will be “encouraged” to share non-personal data. However, it is unclear how this will be done. The concern that arises is that this voluntary sharing may actually end up being mandatory in practice, as has previously been the case with Aadhaar and Aarogya Setu.

Our recommendation: India needs a comprehensive National Data Strategy!

In the absence of a data protection law to clearly prioritise data privacy and to resolve the confusion caused by the various policy proposals over the years for data governance, a comprehensive data governance framework is the need of the hour. We recommend that MeitY create a specific National Data Strategy which conceptualises and articulates an overarching framework that will clarify how the various policy proposals, launched over the years, will operate together and where they stand in relation to each other. This strategy must also be backed by a legislative process.

The National Data Strategy and the anchoring legislation should recognise the need for governance of data in the public interest while protecting the privacy of the citizens. The legislation should clearly demarcate how government-to-government sharing for different categories of data can take place while ensuring that privacy protection principles are being respected to safeguard against the creation of a comprehensive database that would operationalise 360° surveillance. An office, such as the IDMO, may be created under the anchoring legislation to operationalise its provisions. The legislative framework and policy must also specify the nature of protections that will exist for citizens, as well as a grievance redressal mechanism. Specific working groups consisting of subject matter experts, civil society actors, and other relevant stakeholders will have to be constituted and tasked with drafting the necessary standards, presently left undefined. These should subsequently be opened up for public inputs.

Important documents

  1. IFF’s comments on the Draft National Data Governance Framework Policy dated June 11, 2022 (link)
  2. The Change Game: MeitY Resorts To Quick Fixes To Silence Experts dated March 26, 2022 (link)
  3. IFF’s comments on the Draft India Data Accessibility and Use Policy 2022 dated March 4, 2022 (link)