On digital governance, don’t repeat mistakes

GOVERNANCE/ SCIENCE & TECH

Topic: General Studies 2, 3:

• Science and Technology- developments and their applications and effects in everyday life
• Government policies and interventions for development in various sectors and issues arising out of their design and implementation

On digital governance, don’t repeat mistakes

Context:  There have now been two versions of the Personal Data Protection Bill, a report on non-personal data, and a variety of other proposals to regulate the digital economy from telemedicine to e-commerce to drones.

At a macro-level though, two key problems may emerge related to digital governance

1. State overreach 

• State is entrenching itself excessively in the process of regulating the data economy
• Compulsory Data Sharing: Both the Personal Data Protection Bill as well as the non-personal Data report contains various clauses and suggestions that mandate compulsory data-sharing with the government. 
• Lessons not learnt: The Industries (Development and Regulation) Act of 1951, gave the State a number of similar regulatory powers to dictate the output and prices of industries. This led to suppressing growth and innovation for decades.
• Lack of Clarity on Pricing: Almost 70 years later, the data regime is suggesting mandatory sharing of data for businesses on a fair, reasonable and non-discriminatory (FRAND)-based remuneration. It is not clear on how the State will decide on this remuneration.
• Price Controls: The 4 Vs of data — velocity, volume, veracity and variety — will amplify the problems in setting a price for the data economy. Price controls on data also reduce the incentives for companies willing to invest in the creation of databases — leading to economic and geo-political advantages for other countries
• India’s past experience tells us that State-led pricing will be anything but FRAND-friendly, and, therefore, the State must step away rather than jump in.

2. Multiple Regulators

• There is a proposed regulator for non-personal data as well as for e-commerce, in addition to the Data Protection Authority (DPA) to be set up.
• These regulators may be aimed at different aspects of the data economy, yet the significant overlaps among them can’t be ignored. 
• Consider an instance where non-personal data linked to an individual’s IP address, which is easily re-identifiable, could be used for targeted advertising for an e-commerce platform. 
• This could lead to similar battles between regulators as seen in the SEBI and IRDAI on regulating Unit-Linked Investment Plans (ULIPs). IRDAI had to step in because ULIPs were provided by insurance companies and SEBI had to do so because these consisted of money invested in the market generating returns
• Multiple regulators also lead to the possibility of a lack of oversight, given that each authority presumes another regulator is responsible for regulating that issue. 
• The Personal Data Protection Bill earmarks mergers and acquisitions as one area where data can be processed without user-consent — but this could have adverse competition and privacy concerns and can largely become an area overlooked by both the Competition Commission of India (CCI) and DPA.

Conclusion

While keeping the complexities of data in mind, India should not forget the complexities of regulation learnt from its own experience across sectors.

Connecting the dots:

• Non-Personal Data Regulation- Part I and Part II
• K.S. Puttaswamy Case & Right to Privacy