The Committee of Experts on Non-Personal Data (NPD) Governance Framework, constituted by the Ministry of Electronics and Information Technology released its Report on July 12, 2020. The Report purports to be a framework for governance of NPD, meant to grant access to NPD to industry players and the government for overarching public purposes. In order to increase the competitiveness of local and small enterprises and spur innovation, the Report is aimed at mandatory sharing of data to create economic advantages that are currently precluded due to data monopolies of a few dominant players. Here I examine the government’s eminent domain powers against private entities’ right to IP, that arises in the case of data acquisition
Any data which does not constitute personal data (i.e., data pertaining to characteristics, traits or attributes of identity, that can identify an individual) is defined as non-personal data in the Report. This includes data which never pertained to natural persons (weather or supply chains data), or personal data which has been anonymised via techniques in a manner that prevents the identification of persons to whom such data pertains. It further classifies NPD into Public NPD, Community NPD and Private NPD. Public NPD refers to NPD collected or generated by the government, including data collected or generated in the course of execution of publicly funded works. Community NPD includes anonymised personal data, and NPD about inanimate and animate things or phenomena, whose source pertains to a community of natural persons. A community is loosely defined in the Report as “any group of people that are bound by common interests and purposes, and involved in social and/or economic interactions.” The raw data without derived insights is called community data here, which would include datasets of user information collected by even private players.
Private NPD refers to data the source or subject of which “relates to assets and processes that are privately-owned by such person or entity, and includes those aspects of derived and observed data that result from private effort.” There can be significant overlaps between community and private NPD and if the two are defined as distinct categories then all user information collected by private players (an example of community NPD as per the Report) will not necessarily be community data, as it can pertain to or result out of entirely private assets and processes.
Further, there is some sort of distinction attempted between community data that includes only raw/factual data and private NPD which would include inferred or derived data as a product of the application of algorithms and proprietary knowledge. Interestingly, there is a vague carveout for private data that notes that “Algorithms / proprietary knowledge may not be considered for data sharing.” [5.4 (iii), page 26] This assumes that only private NPD involves a narrower subset of proprietary knowledge or algorithms that can be exempted from data sharing, and that products/insights derived from the application of this proprietary knowledge are not necessarily protected.
These classifications and artificial distinctions, misunderstand some fundamentals about the nature of data and the intellectual property law that protects it. Most of the data collected by private entities, and not disclosed to the public can be said to be protected by trade secrets law in India.
Trade Secrets and Databases
Copyright protection for databases would only extend to protecting the manner in which the data has been selected and arranged if there has been a minimum degree of creativity involved. In the absence of sui generis database protection in India, our Courts do not protect the mere investment of labour into collecting, aggregating and storing data (discussed on the blog here).
However, this only means that community data or private data, as defined by the Report may not be protected by copyright per se. This doesn’t preclude trade secrets protection. The Report doesn’t acknowledge the existence of such protection. It confusingly defines a narrower category of sensitive NPD, which includes data constituting business sensitive or confidential information, relating to national security or anonymised data bearing a risk of reidentification. The only implication of this sensitivity, as per the Report, is that NPD would inherit the sensitivity characteristic of the underlying personal data from which it is derived. Thus, the Report provides no consequences or methods of treating confidential business information differently in its data sharing recommendations. Arguably, in order to mandate sharing of such information, any framework would have to upend the confidentiality, equity, contractual and technological protections under which both factual and derived data is collected, aggregated and stored by private entities currently. However, the Report only provides a weak basis of ownership interests in different kinds of data without so much as acknowledging the protections that already apply, and how these ownership interests will override them.
Multiple stakeholders, in many ways, contribute to the same data-based business model while having diverse and often conflicting interests. Therefore, beneficial ownership of huge open datasets and mandatory sharing of information must account for the possibility of conflicts and provide mechanisms to resolve them. Importantly, only NPD collected by the Government, which is afforded confidential treatment under the law would not fall under public NPD. Other information treated as confidential under law is not exempted from constituting private or community NPD to be shared mandatorily.
Property Rights in NPD
Private players collect data in order to gain a competitive advantage in the market and this data constitutes these entities’ trade secrets, which are protected from appropriation by others regardless of the originality or creativity of their content. Compelling the sharing of such data, including both trade secrets and technical knowhow (also protected by IP) that enables insights to be derived from these secrets can impede private investment and innovation in these databases, as noted by the National Association of Software and Service Companies (NASSCOM).
The Supreme Court has recognised the right to IP such as copyright to be covered under the principles of property ownership for the purposes of Article 19(1)(g) and Article 300A of the Constitution. Indian law on protection of confidential information is not codified but has evolved through case law. Indian judgments have evidently held that confidential information such as customer lists do not constitute property. As a result, crimes against property in the Indian Penal Code cannot be invoked for confidential information. In fact, most countries have not recognised trade secrets as property. Further, Indian courts do not even require the information disclosed in confidence to be of commercial significance, in order to protect it as confidential information. Indian cases have often cited English precedents to recognise an equitable duty of confidence, adopting the same tests as English Law. Similarly, like English law, Indian courts have noted that the duty of confidentiality extends to third parties, even in the absence of privity of contract. In other words, confidential information is protected under Indian law under contract and an equitable duty of confidence. However, since trade secret law requires the data to be confidential or secret, not all NPD may fall into this category, particularly the NPD that can be said to be derived from public goods, assets and processes. For instance, data collected by smart cars on public roads could be collected by the cars of many manufacturers and hence, will not necessarily be confidential since it is open to independent discovery by others. Interestingly, courts in many jurisdictions have also rejected arguments of information being protected as a ‘product’ obtained by using a process patent since data lacks the technicity required for patent protection.
Data, IP and Eminent Domain
The fact that confidential information is not recognised or protected as property in India could preclude the state from exercising its eminent domain powers to acquire this data, making the legal basis for data sharing in the Report suspect.
The power of eminent domain is broadly the sovereign’s power to take property for the purpose of public welfare, without the owner’s consent. Amendments to the Land Acquisition Act now mandatorily require the payment of fair compensation to land owners subjected to the State’s eminent domain powers. However, Article 300A of the Constitution, which provides that persons cannot be deprived of property except by the authority of the law, is silent on the issue of compensation. Economist Ram Singh discusses in the context of eminent domain powers that most jurisdictions allow the affected owners a choice to either accept the takings along with compensation or challenge them seeking an action for restitution of the properties in a constitutional or administrative court. The NPD framework doesn’t mandate payment of compensation in all cases of mandatory data sharing.
Further, in the Report’s context of beneficial ownership of data for very broadly defined ‘public purposes’ by the Government as a trustee, it is important to be cognizant of the distinction between government interest/purpose and social interest/public purpose, keeping in mind the fact that real-world governments often pursue their own interests, which may be categorically distinct from those of the public. It is realistic to presume that government interest is not synonymous with public interest because governments, particularly in multi-party democracies are likely to emphasise on vote maximisation by pandering to swing voters and their interests. Thus, there is a need for greater accountability to protect against misuse and one cannot rely on assumptions of benevolence by the government in the context of eminent domain powers.
The NPD framework in its essence is also violative of India’s obligations under Article 39 of the TRIPS which mandates the protection of secrecy of commercially valuable information from disclosure without the consent of the person who maintains such secrecy.
Instead of overhauling existing common law, equity and contractual protections to create a generalised (and ill suited) NPD framework for all sectors of the digital economy, it may make more sense to create frameworks for enabling negotiations on fairer terms (recognised partially by the Report w.r.t private NPD on page 37) to facilitate data sharing in voluntary data marketplaces. Prohibiting unfair contractual clauses and even revising competition law and policy can create fairer access regimes in this regard. Otherwise, datasets created for different purposes and shared with the government for entirely unrelated purposes in a scenario where private players are reluctant to invest and innovate due to mandatory sharing of data, can only have limited value.