We have sent our comments as part of the public consultation exercise for the Draft India Data Accessibility & Use Policy, 2022. Under the policy, the Ministry of Electronics & Information Technology aims to enable interdepartmental data sharing as well as sale of public data to support the government’s economic goals. In light of the glaring privacy (& other) concerns arising from the policy, we have recommended an immediate recall. Responses can be sent to Shrimati Kavita Bhatia at [email protected] and [email protected]. The last date for submission of responses is March 18, 2022.
Why Should You Care?
In a digital economy, every interaction you have with a government agency or a private entity can be reduced to a data point. This data can then be used to target you, whether for advertising or for the purpose of surveillance. In such an ecosystem, informational privacy becomes essential. However, under the Draft India Data Accessibility & Use Policy, 2022, your data will:
- be shared interdepartmentally within the government enabling the creation of 360° profiles &
- be sold by the government to generate revenue.
It is also important to note that there is no data protection law which will protect citizen interests. Therefore, it becomes imperative to ensure that this policy which proposes unrestricted data sharing, especially with a revenue generation incentive, is recalled.
On February 21, 2022, the Ministry of Electronics and Information Technology (MeitY) published the first draft of the India Data Accessibility and Use Policy, 2022 (Draft Data Access Policy). The policy aims to 'radically transform' India's use of public data to improve governance, service delivery, and innovation. This will be done through interdepartmental sharing between government ministries to create a robust data sharing ecosystem. The Background Note accompanying the Draft Data Access Policy document states that emerging technologies are “expected to generate $1 trillion in economic value for India”. Further, the preamble of the policy states that harnessing the value of data will help India reach its ambitious goal of becoming a $5 trillion economy. The proposal's perverse economic incentive has put the policy in the spotlight as it permits the government's licensing and sale of public data to the private sector.
Clause 6 of the policy envisages the setting up of an India Data Office (IDO) by MeitY, which will operationalise the policy. The IDO will provide stakeholders access to data under the policy. These stakeholders include government departments, researchers, start-ups, enterprises, and individuals. It will also create the India Data Council (IDC) consisting of an India Data Officer and Chief Data Officers of the Union and State governments who will supervise deliberations between different ministries and provide technical support to the government.
Our Key Concerns
1. Flawed Consultation Process
In formulating the Draft Data Access Policy, MeitY skipped the legally mandated consultation process required to draft a good policy, raising accountability concerns. MeitY did not abide by the provisions of the Pre-Legislative Consultation Policy, 2014 ('consultation policy'), which was put in place to promote transparency in law-making. By forsaking these provisions, MeitY resorted to a policymaking process that failed to garner public and civil society participation in areas that affect the fundamental rights of every citizen.
According to the consultation policy, the concerned department/ministry should publish any proposed policy both on the internet and through other means. The publication should, among other things, include a brief justification for the legislation, essential elements of the proposed legislation and its broad financial implications. This should be kept in the public domain for at least three days to allow comments from stakeholders. However, MeitY's website on February 21, 2022 claimed the policy had been arrived at after consultation with stakeholders whose identities were not revealed. After receiving stark criticism on the lack of transparency in the consultation process, MeitY updated their website to edit the sentence but failed to provide any meaningful response on the transparency concerns. The website now states that the policy "will be finalised after getting inputs of stakeholders in the consultation process".
2. Privacy Concerns
The robust data ecosystem envisaged in the policy seriously goes against the purpose limitation principle of data processing. According to the principle, personal information collected and processed should be relevant to the purpose for which it is processed. The entities collecting the information should use it only for the specified purpose, and any further use should be conveyed beforehand to the user to obtain their consent. Contravening this principle, the Draft Data Access Policy will instead make the government the owner of the data collected. The data can then be shared with other entities based on each ministry's pricing and licensing framework. Hence, citizens would not know how, why, and by whom their data is being processed.
Further, building this data ecosystem will invariably work against the data minimisation principle, which states that only the minimum amount of personal data needed to fulfil a purpose should be collected. As the policy document does not mandate the government to meet these principles, there is a considerable risk that under the policy the government will be incentivised to carry out overbroad collection of data for the purpose of maximising revenue generation. The interdepartmental data sharing framework envisaged under the policy would also enable the creation of 360° profiles of citizens. The owner of this dataset will possess a tremendous volume of information about a person, potentially without their knowledge of the nature of the datasets being used or how the dataset may be utilised. The policy further states the data will be anonymised; however, several studies indicate that re-identification from anonymised data sets is possible unless strict access control provisions are put in place.
3. Revenue generation over privacy?
Clause 1.1 of the Draft Data Access policy labels data as an economic resource. It is unfortunate to see that a policy premised on public data is driven by the aim of helping the Government achieve its ambitious goal of becoming a $5 trillion economy. The policy uses statements like "data is a valuable economic resource", "data inventories", and "promote such data sharing", transforming the personal data of citizens into a saleable commodity. This revenue generation or data monetisation objective of MeitY sets a dangerous precedent as it will prompt a financial incentive for authorities to collect more data than necessary.
Such a case was seen in 2020 when the Ministry of Road Transport and Highways (MoRTH) withdrew the Bulk Data Sharing Policy following concerns over privacy and data misuse. The Bulk Data Sharing Policy, formulated in 2019, allowed MoRTH to "share complete data" with specified agencies, automobile industries, banks and finance companies. While they mostly held non-personal details like chassis number, model type, year of manufacture, among others, the MoRTH itself admitted that this data could be subject to triangulation. Triangulation refers to the combination of different datasets, which individually do not reveal much but, when viewed together, lead to individual identification and the dilution of user privacy.
The Bulk Data Sharing policy helped the government earn Rs 1,11,38,79,757 over 2019-20, a year wherein the country's fiscal deficit widened to 4.6 per cent of the Gross Domestic Product (GDP). Hence, it appears that the Bulk Data Sharing policy proceeded from an economic standing ignoring data privacy issues acknowledged a year later. This incident highlights how financial gains can overshadow digital rights, making the economic incentive of the Draft Data Access policy a matter of serious concern.
4. Vague Definitions of Key Concepts
Lastly, the Draft Data Access policy introduces several vague provisions which suffer from the vice of being susceptible to overbroad and harmful interpretation. The Supreme Court, in its landmark decision in Shreya Singhal vs Union of India, had declared S.66A of the Information Technology Act, 2000 as unconstitutional and void for vagueness. The provision was struck down specifically because its overbroad provisions allowed for arbitrary interpretations, which were used to curb free speech on the internet. Several key concepts which have either been introduced or used in the Draft Data Access Policy suffer from a similar vice of vagueness and lack of clarity or, in some cases, wilful misinterpretation.
Further, important terms have been left to be defined by subsequent frameworks, to be released at a later date. It is unclear whether these subsequent frameworks will be available for public consultation and feedback.
Our recommendation is that MeitY should reconsider implementing the Draft India Data Accessibility & Use policy, 2022, as it has failed to consider risks that may arise and aim to recall it.
Changes have been made to the webpage on the MeitY website pertaining to the Draft India Data Accessibility & Use policy, 2022 public consultation. The underlying draft document has also been replaced. However, these actions have not been publicly acknowledged. The new document for the Draft Data Access Policy contains the insertion of the term "non-personal" to limit the scope and applicability of the Draft Data Access Policy. However, it fails to define the term "non-personal data" and also does not define the "anonymization standards" mentioned in the document. Hence, the concerns raised by us in our submissions remain.
- IFF comments on Draft India Data Accessibility & Use Policy 2022, dated 4 March 2022 (link)
- India Data Accessibility and Use Policy (Draft), dated 21 February 2022 (link)
Note: This post was drafted by Shivangani Misra, a Capstone Fellow hosted at IFF, and reviewed by IFF staffer Anushka Jain.