In the first instalment of this two-part series on the Non-Personal Data Report (NPD), we examined the competition concerns that emanate from NPD and how the Committee resolved them to ‘foster innovation’: through the ‘free’ sharing of NPD.
The NPD Committee’s Report tries to address questions of competition when it comes to monopolistic controls over NPD among Big Tech. Yet, the Report does not provide sufficient clarity on the overlap between mandatory data sharing and existing commercial rights, such as copyright and trade secrets. It also fails to adequately illustrate how value may be assigned to datasets, given the several possible uses any such dataset can be put to.
However, many of these problems can potentially be solved by existing laws, which allow for the use of both ex-ante and ex-post measures.
Ex-ante measures seek to promote responsible behaviour amongst market players and pre-empt a possible market failure. So, the creation of a robust Non-Personal Data sharing mechanism would be an ex-ante measure, as would prescribing that players engage with each other on fair and non-discriminatory terms. Ex-post measures look to correct a market failure that has occurred and, as far as possible, return the market to a competitive state. Such measures would include checking the abuse of a dominant position, or predatory pricing.
The Committee entrusts the implementation of both kinds of measures to a new state regulator, the Non-Personal Data Authority (NPDA). However, this may be an unnecessary regulatory overstep.
As far as ex-ante measures are concerned, it can be argued that the Copyright Act already provides a framework for the creation of a Non-Personal Data sharing mechanism. The Act contains provisions for licensing, which allows the creators of datasets to monetize their creations. It also includes safeguards in the form of statutory licensing and fair dealing to address public interest concerns that arise from the use of data. This is not to say that the Act in its current form can serve the intended purpose of protecting intellectual property while also fostering innovation. Suitable changes and adaptations are required—but it contains the potential to achieve some of the outcomes of the proposed NPD framework.
Alternatively, the Committee has not adequately shown why systems of self-regulation and co-regulation cannot be adopted to serve the purposes of ex-ante regulation. In the Netherlands and Japan, the Government provides guidance and sets some basic standards for the creation of data sharing contracts. Large and small firms are required to adhere to these guidelines while making contracts between themselves, thereby ensuring a level playing field between such entities, without the need for direct Government intervention.
Importantly, it is entirely unclear why the Committee arrives at the conclusion that the Competition Act and Competition Commission of India (CCI) are unsuitable for enforcing the ex-post measures.
This is all the more surprising because in 2019 another government Committee reviewed competition law in the country, and found that the law requires no major changes to deal with competition concerns arising in digital markets. While concerns do exist about the institutional strength of the CCI, it appears to be more sensible to correct problems in an existing institution than to create an entirely new one, which is likely to face its own set of teething problems.
It seems fairly clear that there isn’t really a need for a new regulatory body to address concerns over competition, access, and ownership arising from NPD. A similar argument can also be made for individual privacy.
The Data Protection Authority (DPA) proposed in the Draft Personal Data Protection Bill (PDP Bill) will enjoy the specific mandate of protecting personal data and individual privacy. A host of provisions dealing with anonymized personal data, which the Committee classifies as NPD, are contained in the PDP Bill. These provisions relate to penalties for de-identifying data—or anonymizing it—and setting standards of anonymization.
But, by giving the NPDA the mandate to address privacy concerns emanating from anonymized Non-Personal Data, the Committee creates a significant regulatory overlap between the two authorities. Such overlap could lead to regulatory arbitrage as well as a tussle between the regulators in exercising their powers.
Towards An Enabling Data Ecosystem
So, simply making more data available may not lead to innovation, due to questions of copyright, regulatory overlaps, and meaningful applications of data analysis. The question we’re now left with is: what should the NPD Governance Framework deal with?
Answering this question requires us to move away from the ideas of command and control which have informed legacy regulatory frameworks in India. An example of this is the use of the Drugs and Cosmetics Act, 1940 to regulate the online sale of medicines. The Act contains no provisions to license platforms acting as intermediaries between the chemist and the customer. This has created much uncertainty as to the legal status of e-pharmacies in the country, potentially stymying investment and growth prospects.
We need to view the role of regulatory bodies more as development corporations. Such a corporation looks to develop a particular sector by making smart investments, building necessary infrastructure, and developing the necessary human capital to enable meaningful utilization of data.
An example of such a corporation is the Malaysian Digital Economy Corporation. The MDEC promotes the uptake of digitization by small and medium enterprises, gives grants to potentially disruptive solutions, and also provides courses on Coursera for the general population. It also works with foreign companies to secure increased investment flows.
We need to start thinking about how a regulator can actually promote development by taking on a more enabling role, as opposed to an enforcing one. Digital technologies are far too disruptive for regulations that are slow and unresponsive to change. India’s ambitions of emerging as a global leader in tech policy can be achieved if we invest in capacity building, infrastructure, human capital, and administration, alongside newer forms of regulation and protections.
Featured image courtesy of NASA on Unsplash. | Views expressed are personal.