The Change Game: MeitY Resorts To Quick Fixes To Silence Experts

tl;dr

On February 21, 2022, the Ministry for Electronics & Information Technology (MeitY) published the Draft India Data Accessibility & Use Policy, 2022. Immediately, civil society experts pointed out several flaws concerning data privacy and security rights of citizens. To our shock, on March 6, 2022, we noticed MeitY had made substantial changes to the Draft India Data Accessibility & Use Policy, 2022, during the consultation period, without any public acknowledgement. Effectively this resulted in multiple versions of it, contracted the consultation timeline, and confused stakeholders. Responding to this, IFF wrote to MeitY indicating the need for a fresh consultation process as these actions have completely vitiated the ongoing consultation process and led to an erosion of public trust.

Why Should You Care?

Don’t we assume that any policy proposed in the country goes through a rigorous and transparent consultation process? Well, guess what -  that might not be the case. The Draft India Data Accessibility & Use Policy, 2022 (Draft Data Access Policy), published by the Ministry of Electronics and Information Technology (MeitY) on February 21, 2022, has seen multiple changes (we have noticed at least three versions, i.e on February 21, February 24 and March 6, 2022) during the period of the consultation itself! Change is good, however it has been done in a manner that undermines public trust. The faulty process adopted by MeitY now raises serious questions over the ministry’s adeptness to formulate a policy concerning your data. Further, these actions erode public trust in the consultation and policy-making process as well as the Draft Data Access Policy itself. We are alarmed because the lack of transparency through which these changes have been affected raises serious questions of government accountability in this process. However, what is most concerning is the attempt to silence valid concerns over commercialisation of citizen data through quick-fix changes (which ultimately fail to address these valid concerns).

Background

The Ministry of Electronics and Information Technology (MeitY) recently formulated the Draft Data Access Policy. The objective is to utilise data to improve the quality of governance & service delivery and promote innovation. While the intent towards enhancing India’s digital economy is commendable, the objective of the Draft Data Access Policy can only be achieved from a rights centric framework. In our submission to MeitY, we highlighted the following key considerations:

  1. Lack of transparency and faulty consultation process: The Draft Data Access Policy failed to follow the Pre-Legislative Consultation Policy, 2014 put in place to promote transparency in law-making. By failing to meet this critical threshold of policy-making, the consultation process adopted by MeitY remains under a dark cloud raising grave transparency and accountability issues.
  2. Privacy concerns with respect to enhanced data sharing: The interdepartmental data sharing ecosystem envisaged in the Draft Data Access Policy goes against the purpose limitation principle of data sharing. According to the principle, personal information collected and processed should be relevant to the purpose for which they are processed. However, as India still lacks a data protection law, there is no clear standard on data exchange, sharing and processing of personal data. Further, MeitY attempts to reassure citizens of data privacy by saying the government ministries will have to abide by certain data anonymisation standards. However, these standards have not been set through the Draft Data Access Policy and several studies have shown that certain anonymised datasets are vulnerable to de-anonymisation techniques.
  3. Primary objectives undergirded by perverse economic incentives: The Draft Data Access Policy states that “India’s ambition of becoming a $5 trillion economy depends on its ability to use data for better service delivery”. This policy approach is unfortunate as citizens’ data will be exploited in the name of achieving the country’s economic goals.
  4. Ambiguous definitions and the resultant arbitrariness: The Draft Data Access Policy also suffers from vagueness, which can result in arbitrary and overbroad interpretations. Key concepts like data anonymisation and licensing have not been adequately defined, making it difficult for stakeholders to provide practical recommendations.

Hence, our recommendation to MeitY was to reconsider implementing the Draft Data Access Policy as it has failed to consider the risks that may arise. We recommended that the Draft Data Access Policy should be recalled, and instead, a fresh consultation process be commenced to incorporate suggestions from all relevant stakeholders.

The Issue

We submitted our comments to MeitY on March 4, 2022. To our great surprise, on March 6, 2022, we noticed that MeitY had made substantial changes to their webpage for the Draft Data Access Policy consultation and the underlying policy documents. Upon further inspection, we observed that the metadata of the Background Note showed that the document was created on February 17, 2022, but modified on February 23, 2022. Similarly, the policy document was created on February 17, 2022, and modified on February 26, 2022.

Document Properties of the Background Note
Document Properties of the Draft India Data Accessibility and Use Policy, 2022

Shocked with the changes made in a covert manner, IFF filed an RTI request on March 7, 2022 with MeitY asking the reason behind each change as well as the date and time when the changes were made. Additionally, we made another submission to MeitY on March 17, 2022 expressing our concern about the public consultation process followed by them. Below is a brief table on some of the key differences between the old and present versions of the Draft Data Access Policy document. Any text added or changed in both the versions has been italicised.

Section in Older Version of Policy Document (February

21, 2022)


Section in

Present

Version of

Policy

Document

(March 23,

2022)

Older Version of Policy

Document (February

21, 2022)


Present Version of Policy

Document (March 23,

2022)


Cover Page

Cover Page

India Data Accessibility and Use Policy


India Data Accessibility and Use Policy (Draft)


1.1

1.1

Data is a valuable economic and social resource offering

enormous opportunities for citizens, businesses, and governments.


Non Personal Data is a valuable resource offering

better ways of service delivery for citizens, businesses, and

governments.

2.6

2.6

Streamlining inter-government data sharing.


Streamlining inter-government data sharing while maintaining

privacy.


2.12

2.12

Increasing the availability of high-value datasets of national importance.

Increasing the availability of datasets of national importance.

5.1

5.1

Open by default

Identification of datasets for sharing


7, 7.1, 7.2, 7.3

7

Making Data Open by  Default:


All data for every Government Ministry/ Department/ Organisation shall be open and shareable by default unless:

- Categorised under the negative list of datasets that won’t be shared

- Categorised under restricted access and shared only with trusted users - as defined by the concerned Ministry/ Department - under a controlled environment.

Identification of Datasets:


Every Government Ministry/

Department/ Organisation shall identify the non- personal datasets available with it and classify them as open, restricted or non-shareable.


11

No such section

Pricing & Licensing

No such section

13.2

12.2

All ministries/ departments must comply with the minimum anonymisation standards defined by IDO/MeitY or by any statute/ act/ policy issued by the government of India.


All ministries/ departments must comply with the anonymisation standards defined by IDO/ MeitY or by any statute/act/policy issued by the government of India.


Broadly speaking, certain key concepts of the Draft Data Access Policy have now been removed, which includes its application over personal data, identification of certain data-sets as high value, and pricing & licensing frameworks to enable the sale of these datasets. While the new version has incorporated some recommendations by IFF, our core concerns remain and have, in fact, increased because:

  1. Change is the only constant with MeitY: The multiple changes made by MeitY in a clandestine manner during the consultation period itself completely vitiates the public consultation process. Beyond the policy document, the MeitY webpage has also been changed. The older version (February 21, 2022) of the MeitY webpage said the policy “has been evolved in consultation with various stakeholders including academia, industry, and government”. Upon receiving questions over the stakeholders consulted and the inputs given, the MeitY consequently changed the policy webpage to say the  “clauses will be finalised after getting inputs of stakeholders in the consultation process”. These version changes and the lack of transparency & accountability result from MeitY’s failure to abide by the provisions of the Pre-Legislative Consultation Policy, 2014 formulated to incorporate stakeholder perspective and increase transparency.
  2. Mum’s the word: Not only did MeitY make substantial changes to the Draft Data Access Policy, it made them without any public acknowledgement. Stakeholders responding to it, including IFF, were completely unaware of these changes till after they submitted their comments. Such actions inspire a lack of trust in the consultation. It may also lead to varying responses from various stakeholders given that several facial changes were made after receiving criticism from civil society experts.
  3. Not changed enough: The cursory changes made to the Draft Data Access Policy still fails to recognize the fundamental issues with the policy. Non-personal data has not been defined, leaving the door open to vagueness and arbitrary interpretations. The threat of deanonymisation has also not been adequately accounted for as several studies have shown that certain anonymised datasets have been found to be vulnerable to techniques of de-anonymisation.

Our Recommendation

While these quick fix changes superficially try to incorporate some of the criticism levied towards the Draft Data Access Policy, they fail to resolve the core conceptual criticism with it. Hence, once again, we have recommended that the Policy is immediately withdrawn and a fresh consultation is initiated.

Important Documents

  1. IFF’s letter to MeitY on numerous changes made to the Draft India Data Accessibility and Use Policy 2022 dated March 17, 2022 (link)
  2. IFF’s submission to MeitY on the Draft India Data Accessibility and Use Policy 2022 dated March 4, 2022 (link)
  3. Draft India Data Accessibility and Use Policy, 2022 dated March 23, 2022 (New version) (link)
  4. Draft India Data Accessibility and Use Policy, 2022 dated February 21, 2022 (Older version) (link)

Note: This post was drafted by Shivangani Misra, a Capstone Fellow hosted at IFF, and reviewed by IFF staffer Anushka Jain.