Towards robust data regulation

The non-personal data committee’s data governance framework raises many questions

Updated - July 22, 2020 07:45 am IST

Published - July 22, 2020 12:15 am IST

Representational image only.

Representational image only.

For a country that does not have a personal data protection bill, the setting up of a committee to regulate non-personal data seems premature. However, there is global realisation that data should be unlocked in public interest beyond the sole service of commercial interests of a few large companies. There is also recognition that data, in many cases, are not just a subject of individual decision-making but that of communities, such as in the case of ecological information. Therefore, it is critical that communities are empowered to exercise some control over how the data are used. On July 12 the NPD committee released a governance framework, which raises many concerns.

Key stakeholders

To enable a robust regulation of NPD, the report defines key stakeholders for the ecosystem. First are data principals, who/ which can be individuals, companies or communities. The roles and rights of individuals and companies in the context of data governance are well understood. However, the idea of communities as data principals is introduced ambiguously by the report. While it provides examples of what might constitute a community, e.g. citizen groups in neighbourhoods, there is little clarity on the rights and functions of the community. The report does not problematise the ways in which communities translate offline inequalities and power structures to data rights. There are examples in indigenous data governance, which imagine collective rights and community-personhood on data-related issues, which may have found useful mention here.

Next are data custodians, who undertake collection, storage, processing, and use of data in a manner that is in the best interest of the data principal. The details in this section are fuzzy – it is not specified if the data custodian can be the government or just private companies, or what best interest is, especially when several already vague and possibly conflicting principal communities are involved. It is also not clear how communities engage with the custodian. Further suggestion that data custodians can potentially monetise the data they hold is especially problematic as this presents a conflict of interest with those of the data principal communities. Based on current literature, data custodians can be interpreted as data stewards, imagined in many cases as independent entities that intermediate with technology companies on behalf of communities, which they represent.

Unclear relationship

Next, the report talks about data trustees as a way for communities to exercise data rights. Trustees can be governments, citizen groups, or universities. However, the relationship between the data principal communities and the trustees is not clear. The articulation of trustees does not explain how “trust” is extended and fructified with the community, and how trustees are empowered to act on behalf of the community. The idea of trusteeship for data is being discussed globally — the principles of a legal trust and the fiduciary responsibility that come with it are critical. Trustees, by definition, are bound by a duty of care and loyalty towards the principal and thus work in their best interests, negotiating on behalf of their data rights with technology companies and regulators. This thinking is not reflected in the report.

Finally, the report explains data trusts comprising specific rules and protocols for containing and sharing a given set of data. Trusts can hold data from multiple custodians and will be managed by public authority. The power, composition and functions of the trust are not established. One possible way to simplify the ecosystem would be to consider data trusts as a type of custodian, such that fiduciary responsibilities can be extended, and trustees can represent the community and act on behalf of the data principals.

The committee should organise broader consultations to ensure that the objective of unlocking data in public interest and through collective consent does not end up creating structures that exacerbate the problems of the data economy and are susceptible to regulatory capture.

Astha Kapoor is the co-founder of Aapti Institute

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.