Legal experts told FE that issues related to privacy of citizens would see litigation if the government tries to put in place any data sharing mechanism before first putting in place a personal data protection policy.
The government’s attempt to bring about a policy for sharing public sector data for government-to-government use and for researchers on a payment basis may face legal hurdles unless personal data protection law precedes it. Legal experts told FE that issues related to privacy of citizens would see litigation if the government tries to put in place any data sharing mechanism before first putting in place a personal data protection policy.
As per a draft policy unveiled by the ministry of electronics and IT (Meity) on February 21, a framework has been proposed for public sector data sharing. The policy will be applicable to all data and information created, generated and collected by the government directly or through ministries, departments and authorised agencies. As per the draft, all data for every government ministry/department shall be open and shareable by default unless it is categorised under the negative list of datasets that won’t be shared.
Further, some data categorised as restricted access by the government will be shared in a controlled environment with only trusted users.
But as the main thrust is to monetise data, several experts have raised concerns around privacy. Apar Gupta, executive director, Internet Freedom Foundation, feels the policy as per its preamble and content is aimed towards economic objectives. “This is in contrast to prior open data frameworks which allowed access to government data for reasons of transparency and accountability. It also poses a risk of the government acting as a data broker in which the government collects more sensitive details of citizens and stores if for longer periods. This will undermine the privacy of citizens and make them susceptible to profiling on the basis of their government data by the private sector.”
Others feel that though the intent of the government is to utilise public data for social transformation, which is good, but issues around cybersecurity and privacy need to be addressed. Pavan Duggal, cyber law expert and Supreme Court lawyer, said the policy is a step in the right direction, but it is likely to face a large number of legal and policy issues and challenges.
“India does not have a cyber security law. India does not have a data protection law and India does not have a privacy law. In this huge vacuum of policy, getting this data access policy will actually be an invitation to disaster. It could have immense ramifications not just from the perspective of people’s fundamental liberties and rights, but could also potentially lead to situations which could prejudicially impact India’s sovereignty, security and integrity,” Duggal said.
He added that merely because the government has collected data, it does not mean it will allow its free dissemination and access as that will be a direct violation of people’s fundamental right to privacy under Article 21 of the Constitution.
The policy in current form will also run into trouble with the IT Act, 2000, rules and regulations. Under the proposed Data Protection Bill, the government has the power to exempt governmental agencies but since that has not been implemented yet, the provisions of IT Act apply to government data as well.
Another problem is around cyber security. “You are facilitating access and common sharing without even addressing the elements of cyber security, so there are high chances of this very governmental data pool being potentially hacked or targeted during the process of sharing. On top of it, you are saying private players can voluntarily contribute without even working across the cyber security parameters of such sharing of voluntary contribution,” Duggal highlighted. He added that there could be numerous legal problems because every state and non-state actor would want to potentially target this huge data pile under the garb of policy because access has been given without having adequate safeguards for protecting data and privacy. “So, ultimately this is a good dream but for implementing this dream you will have to have cogent foundational pillars that are currently missing,” he added.
The draft policy talks about a robust data sharing ecosystem that will be unlocked by maximising access and use of quality public sector data, improving policy-making, evaluation and monitoring, and facilitating the creation of public digital platforms. But earlier instances of misuse of public sector data have been cited by experts in order to ensure that safeguards must be put in place going forward.
“Open data is important to ensure transparency and data sharing. When a new policy is released, this should address the concerns that have arose, like misuse of personal data and the risk of de-anonymisation of anonymised data. The policy fails to address these specific concerns as it provides only a broad framework. With the misuse of data by various government departments in the past, including sale of data by the ministry of road transport and highways, there should be an emphasis on safeguards to prevent such misuse,” Prasanth Sugathan, legal director, SFLC, said.