From UPSC perspective, the following things are important :
Prelims level : Non-Personal Data
Mains level : Paper 3- Key stakeholder in the regulation of Non-Personal Data
The article examines the structures and role of key stakeholders in regulation of Non-Personal Data as per the report submitted by the committee headed by Kris Gopalakrishnan.
- There is a realisation that data should be unlocked in public interest beyond the use by a few large companies
- Data, in many cases, are not just a subject of individual decision-making but that of communities, such as in the case of ecological information.
- Therefore, it is critical that communities are empowered to exercise some control over how the data are used.
- Recently the Non-Personal Data committee released a governance framework, which raises many concerns.
Following are the key stakeholder as defined in the report
- As per the report, the first keyholders are data principals, who/ which can be individuals, companies or communities.
- The idea of communities as data principals is introduced ambiguously by the report.
- The report does not address the translation of offline inequalities and power structures to data rights.
2) Data custodians
- Data custodian is the one who undertake collection, storage, processing, and use of data in a manner that is in the best interest of the data principal.
- The details in this section are unclear.
- It is not specified if the data custodian can be the government or private companies only.
- It is also not clear what best interest is, especially when several already vague and possibly conflicting principal communities are involved.
- It is also not clear how communities engage with the custodian.
- Suggestion that data custodians can monetise the data they hold is especially problematic as this presents a conflict of interest with those of the data principal communities.
3) Data trustees
- The report talks about data trustees as a way for communities to exercise data rights.
- Trustees can be governments, citizen groups, or universities.
- There is no clarity on how “trust” is extended and fructified with the community, and how trustees are empowered to act on behalf of the community.
- The principles of a legal trust and the fiduciary responsibility that come with role of trustees are critical.
- Trustees, by definition, are bound by a duty of care and loyalty towards the principal and thus work in their best interests.
- Trustee has to negotiate on behalf of Data Principals’ data rights with technology companies and regulators.
- This thinking is not reflected in the report.
- Also, the relationship between the data principal communities and the trustees is not clear.
How will the ‘Trust’ function?
- The report explains data trusts comprising specific rules and protocols for containing and sharing a given set of data.
- Trusts can hold data from multiple custodians and will be managed by public authority.
- But the power, composition and functions of the trust are not established.
- One possible way to simplify the ecosystem would be to consider data trusts as a type of custodian.
- So that trustees can represent the community and act on behalf of the data principals.
Consider the question “What do you understand by Non-Personal Data. Examine its utility and need to treat as a public good.”
The committee should organise broader consultations to ensure that the objective of unlocking data in public interest and through collective consent does not end up creating structures that exacerbate the problems of the data economy and are susceptible to regulatory capture.