The evolution of data governance is in a state of healthy flux right now. India is simultaneously juggling fundamental questions such as the nature and categories of data, while moving steadfastly on building a regulatory apparatus to govern these. There have now been two versions of the Personal Data Protection Bill, a report on non-personal data, and a variety of other proposals to regulate the digital economy from telemedicine to e-commerce to drones. At a macro-level though, two key problems may emerge. The first is of State overreach and the second is of multiple regulators. India’s past experience — particularly with industrial licensing and regulation of the financial sector — may be useful in informing the future of data governance.
There is little disagreement that the State is entrenching itself excessively in the process of regulating the data economy. Both the Personal Data Protection Bill as well as the non-personal Data report contains various clauses and suggestions that mandate compulsory data-sharing with the government. We shouldn’t be surprised at this, considering India’s history with State entrenchments. The Industries (Development and Regulation) Act of 1951, gave the State a number of regulatory powers to dictate the output and prices of industries. This led to suppressing growth and innovation for decades. Almost 70 years later, the data regime is suggesting mandatory sharing of data for businesses on a fair, reasonable and non-discriminatory(FRAND)-based remuneration. How will the State decide on this remuneration? The same issues that existed with price controls under the industries Act are bound to affect the data economy should we go down this route.
In fact, it may be even more problematic, given the value of data changes based on its end-use, other data points available and the intelligence the underlying algorithm can generate. The 4 Vs of data — velocity, volume, veracity and variety — will amplify the problems in setting a price for the data economy. Price controls on data also reduce the incentives for companies willing to invest in the creation of databases — leading to economic and geo-political advantages for other countries. India’s past experience tells us that State-led pricing will be anything but FRAND-friendly, and, therefore, the State must step away rather than jump in.
The more important issue is the creation of multiple regulators to regulate data in the country. There is a proposed regulator for non-personal data as well as for e-commerce, in addition to the Data Protection Authority (DPA) to be set up. These regulators may be aimed at different aspects of the data economy, yet the significant overlaps among them can’t be ignored. Consider an instance where non-personal data linked to an individual’s IP address, which is easily re-identifiable, could be used for targeted advertising for an e-commerce platform. This could lead to similar battles between regulators as seen in the Securities and Exchange Board of India (SEBI) and Insurance Regulatory and Development Authority of India (IRDAI) on regulating Unit-Linked Investment Plans (ULIPs). IRDAI had to step in because ULIPs were provided by insurance companies and SEBI had to do so because these consisted of money invested in the market generating returns. In other jurisdictions, ULIPs are transferred by insurance companies to asset management companies, and kept in check by market regulators. But this is barred in India, leading to a complex structure of financial regulation. We see ourselves making the same mistake with data governance too.
Specifically, two key issues arise out of such confusion — uncertainty for businesses and increased cost of regulatory compliance. The Economic Survey (2018-19) shows that policy uncertainty in India was at its highest in 2011-12, directly affecting the input costs, especially the cost of capital or borrowings for firms. This led to the subsequent dampening of investment by businesses for the next few quarters. The digital economy is no different. Multiple regulators will exacerbate these already existing fissures — for instance, India’s draft e-commerce policy is already being criticised for bringing in uncertainty for investors.
Multiple regulators also lead to the possibility of a lack of oversight, given that each authority presumes another regulator is responsible for regulating that issue. The Personal Data Protection Bill earmarks mergers and acquisitions as one area where data can be processed without user-consent — but this could have adverse competition and privacy concerns and can largely become an area overlooked by both the Competition Commission of India (CCI) and DPA. All this is due to unclear jurisdictions and no demarcation of authority across regulators. This problem was one of the contributing factors to the 2008 financial crisis, with the United States having at least nine regulators for the financial sector alone. India should applaud itself for adopting a holistic approach to economic regulation of data. But, while keeping the complexities of data in mind, it should not forget the complexities of regulation learnt from its own experience across sectors.
Prakhar Misra is senior associate and Sharmadha Srinivasan is associate, IDFC Institute, and members of the Data Governance Network
The views expressed are personal