The Agriculture & Cooperation (A&C) Department, Government of Telangana issued the Draft Agricultural Data Management Policy, 2022 (“Draft Policy”). Issued in July 2022, the draft policy is set to be taken into consideration after August 06, 2022. The Telangana Government, through this draft policy, aims to streamline and codify the processes, responsibilities, norms, and practices relating to the management of agricultural data for the overall benefit of all the stakeholders, principally the farmers. On the bright side, it includes several provisions that establish strengthened user consent, internationally recognised principles of purpose limitation as well as data minimisation. However, the grass is not so green on the other side. Inter alia, ambiguous phrasing, absence of a state-level data protection law, perverse monetisation incentives, and undefined anonymisation standards raise several key concerns regarding privacy and security of data. Read our comments on the draft policy here, wherein we have, in a detailed clause-by-clause analysis, listed our concerns, comments and suggestions, in the format prescribed by the state government.
Why should you care?
The preamble of the draft policy refers to the continued efforts of the Telangana Government to prioritise the development of the agriculture sector in the state, especially considering that “5 million farmers depend on it and that the sector contributes to about 15% of the GSDP.” With a similar intent, the union government proposed “AgriStack”, which is a collection of technologies and digital databases focussed on India’s farmers and the agricultural sector. Additionally, the union government revealed last year that they were in the process of bringing out a data policy for the farm sector. While such interventions hold the potential to bring about sweeping changes in the agriculture sector, they must be carried out in a way that promotes the rights of the stakeholders, primarily the farmers. Given that India does not yet have a data policy specifically for the agriculture sector, this draft policy could inform similar policy drafting in the future not just at the national level, but also at the state level. Continue reading to know more about the hits and misses of the draft policy, and how it could impact the data rights of the farmers of Telangana.
On the bright side
- Well-defined concepts: The draft policy significantly reduces the scope of ambiguity by defining “data”, “open data”, “personal data”, “sensitive personal data”, “consent”, “processing” and “agriculture data” as per international standards.
- Precedence to user consent: The principles of the draft policy strengthen the rights of the data principal by giving privacy and consent primacy over any other objectives of data collection. The draft policy mandates sharing of a privacy notice with the data principal prior to collection of personal data. This notice contains information regarding the purpose for processing of personal data, right to withdraw consent, identity and contact details of the data provider collecting data, details of individuals or entities with whom data may be shared, period of time for data retention, and/or criteria for determining such period. Furthermore, in addition to making consent mandatory, it also recognises the right of data principals to access and amend their personal data.
- Acknowledgement of internationally recognised principles: The draft policy respects the principles of purpose-based as well as collection-based limitation and data minimisation, while complying with standards of proportionality, necessity, fairness, and lawfulness.
- Miscellaneous: The Inter-Departmental Committee (“IDC”) has been empowered to frame and issue access control guidelines on the types of datasets available for varying levels of access to specific stakeholders based on the purpose of the access. The draft policy also specifies the nature of protections that will exist for aggrieved persons, as well as a detailed grievance redressal mechanism, thus strengthening the rights of a data principal.
Where the grass is not so green
- Concerns regarding the consultation process: The notice accompanying the draft policy states that the “draft policy will be taken into consideration after 6th August 2022.” The ambiguous phrasing of this statement fails to provide clarity on whether the given date is the deadline for responding to the consultation or the date on which the draft policy will go into effect, and if there is a distinction between the two at all. This provides stakeholders no assurance on whether their inputs will be taken into consideration by the Agriculture department before enforcing the policy. Furthermore, the notice also specifies a very strict format to be followed for sending suggestions or comments to the draft policy, deviation from which will lead to submissions being deemed invalid. Such strict adherence to a restricted format could potentially discourage wider public participation. Lastly, the prescribed format for responding to the consultation is entirely online, excluding those unconnected with the internet.
- Ambiguous and vague phrasing: Several instances of ambiguous phrasing and undefined concepts throughout the draft policy open it up to scrutiny and prevent stakeholders from meaningfully participating in the consultation process, thus defeating the purpose. For instance, ambiguous phrasing, particularly under Clause 2 (“All the individuals, teams, entities who collect, process, or share personal data of any individuals associated with the agriculture sector” [Clause 2(a)(v)]), leads to a lack of clarity on the scope of applicability of the draft policy. It is also, for the same reason, difficult to distinguish between personal and non-personal agriculture data.
- Undefined terms: Several terms, such as “restricted data” (i.e., accessible only through a prescribed process of registration and authorisation), “anonymisation”, and “negative list” (i.e., non-shareable data) have not been included in the list of definitions under the draft policy. Since the draft policy deals with management of personal as well as anonymised data, inclusion of these terms will provide additional safeguards against misuse of data.
- Undermined rights of data principal: The draft policy undermines the rights of the data principal by defining it as the natural person to whom the personal data “relates to” and not “belongs to”. Such phrasing essentially takes away ownership status from the subject of their own data.
- Perverse commercial incentive: The preamble primarily focuses on monetising the profits promised by the digital economy, by deploying new and emerging technologies like “AI, ML, IoT, Drones and satellite imagery”. The draft policy includes various provisions which could incentivise government departments to monetise data of farmers by collecting more granular personal details, beyond need or purpose, through greater capture of agriculture data as well as increased retention periods.
- Inadequate anonymisation standards: Clause 9(6), which deals with de-identification and anonymisation, fails to acknowledge the possibility of re-identification from anonymised datasets. Thus, the anonymisation specifications and processes that may be notified by the IDC, as provided in the draft policy, may not be sufficient to protect against re-identification. It is also not known whether the technical specifications and processes that are yet to be issued will be opened to scrutiny by independent actors who will be able to verify their effectiveness.
The way forward
The aim and objective of the draft policy reiterate the need to manage agricultural data efficiently for the advancement of the agriculture sector, while “protecting the rights of individuals”. We appreciate the Telangana government’s efforts towards balancing the efficient management of agriculture data with protection of individuals’ rights. Although the references to the importance of “protection of the rights of the farmers and other stakeholders” are mentioned only twice throughout the draft policy, it does, in several instances, encourage a privacy-respecting approach. But it still has a long way to go before it can truly, in letter and spirit, empower the data principal and protect their fundamental right to privacy. As the very first step, the government must engage extensively and continuously on the merits of the proposal with farmer groups and unions before any policy document is implemented. Additionally, any data sharing exercises for the purpose of increasing efficiency must only be implemented keeping in mind any privacy concerns that may arise. Ambiguity in key provisions and vagueness in phrasing must be reduced, wherever possible, in order to avoid arbitrary and overbroad interpretations, which may result in harm. Pre-existing legal definitions must also be used for existing terms as well as to define missing terms, wherever possible, to strengthen transparency, legal certainty, consistency and clarity. The state must explicitly acknowledge that the aim behind monetising data is not to gain profit, but instead to recoup data collection, processing and storage costs, if at all necessary. Lastly, robust guidelines are required for anonymisation procedures which are mandated and enforced (in addition to any retroactive procedures) to deal with the emerging threats posed by de-anonymisation.