Recently, IRCTC—the ticketing arm of Indian Railways—floated a tender to hire a consultant to monetise its passenger and freight customer data and generate revenue of around INR 1000 crores.
However, the news did not sit well with members of civil society, and many took to social media to criticise the decision, raising privacy concerns.
Given the inopportune timing of the tender and the recent scrapping of the Data Protection Bill, one wonders how serious the Government of India is about data protection.
Even though it looks like the tender will be withdrawn, this is not the first time the Railways has toyed with the idea of monetising its data.
IRCTC Will Monetize 100 Terabytes of Passenger Data. https://t.co/LFiF062bdQ pic.twitter.com/s7MZcrmYSZ
— Ministry of Railways (@RailMinIndia) October 13, 2016
In fact, the Government of India has, over time, shown its desire to monetise public data. Earlier this year, the Ministry of Electronics and Information Technology (MEITY) released a policy proposal titled ‘Draft India Data Accessibility & Use Policy, 2022’, which stated that the government could monetise detailed datasets that have undergone value addition.
“The step of the government in the monetisation of data at this stage is complex and lacks planning for the protection of citizens’ data.
“The withdrawal of the Data Protection Bill from the Parliament has further raised the question of every individual’s protection of fundamental rights, i.e., right to privacy as declared by the Hon’ble Apex Court a few years ago under the purview of Art. 21 of the Indian Constitution,” said Salman Waris, Partner Head of TMT & IP Practice at TechLegis Advocates & Solicitors.
[Figure: Data breach country wise]

Lack of a framework
One of the major concerns associated with the monetisation of public data is the absence of any regulation or legislation to regulate the government’s actions and ensure protection of users’ data.
“At present, there is no legislation that may ensure protection to an individual’s data or make the government liable in case of its breach,” said Salman Waris.
The Personal Data Protection Bill 2019, which also received major criticism from different stakeholders, was recently scrapped.
Even though the government said a new version of the Personal Data Protection Bill will be reintroduced after making the necessary changes, it could possibly be years away.
Further, there are no specific provisions prohibiting the government from granting the private sector commercial access to certain public databases either.
“Till the re-introduction of the Bill in the Parliament, its enactment and enforcement, the user’s data is at risk in the hands of the government as the users did not give their explicit consent to the government to use their data for the purpose of monetisation and generation of revenue eventually,” said Salman Waris.
Data complexity
The Economic Survey 2018–19 said that data must be treated as sovereign wealth. The survey also talks about how the government could consider giving the data to private players, provided privacy is not compromised. However, for it to work, India needs to have a ‘robust data infrastructure’, something which is currently non-existent.
Some of the data owned by government departments and agencies, IRCTC for example, consists of personal data. As per the IRCTC’s tender document, the data to be studied will include information captured by the transporter’s various public-facing applications such as name, age, mobile number, gender, address, email addresses, class of journey, payment mode, login or password and other details.
There needs to be a clear structure which defines what kind of data can be monetised and what kind of data should not be monetised. For example, last year, the Government of Karnataka (GoK) announced its Open Data Policy (ODP). Through this policy, the GoK wants to create personal and non-personal datasets to drive innovation and research.
The policy talks about classifying all personal and non-personal data through an inter-departmental decision-making process into three categories: shareable, sensitive and restricted data.
However, how reliable is the inter-departmental decision-making process suggested by the GoK?
In this regard, Prateek Waghre, Policy Director at Internet Freedom Foundation, said that when it comes to anonymising data, one thing to note is that it’s not impossible to reverse that process.
“Currently, we have no data protection law, and there aren’t any prescribed standards in terms of what type of anonymisation we are recommending when personal data is anonymised and then monetised.”
Salman Waris, too, has similar thoughts. He said that research has shown that there is no fully secure method of data anonymisation and that data can be re-identified, implying that data of minors can be re-identified or misused.
Monetisation
After establishing a robust data infrastructure and enacting a new Data Protection Bill, the government may contemplate the idea of monetisation of public data. However, challenges and concerns will remain. The risk is always going to be there, Prateek Waghre said.
“Firstly, it’s important to define what type of data we’re talking about and how that’s being used. If it’s something that is completely non-personal such as data related to climate or some geospatial information, then there are fewer downsides to potentially trying to monetise that type of information. When it gets linked to individuals, however, that’s where a large part of the concern comes up.
“Further, the government’s role should not primarily be to profit from the data at its disposal.”
“In some cases, yes, you can say that. There is maybe a need to recoup costs. But I would still say that as far as possible, it should be limited to data that is not linked to an individual in any way,” said Prateek Waghre.
Salman Waris believes the government may monetise the data in general in order to generate revenue but only after considering certain measures of protection for the citizens.
Integration of data is the primary measure that the government can adopt in order to reduce or minimise the risk of users’ data and privacy being misused, he said.
“The government can deliver a better experience to the citizens by bringing disparate datasets scattered across various ministries together. If the information embedded in these datasets is utilised together, data offers potential to reduce targeting error in welfare schemes,” he added.
Further, it is critical to take into consideration the privacy implications and inherent fairness of the data being used.
“It is to be noted that different types of data require different levels of privacy. Citizens should be given the option to opt-out of divulging data to the government, where possible.”
“The access of the data may be provided to the private sector as well by the government, however, at certain conditions of keeping safeguards towards such data of the users. This grant of access to data should be restricted to commercial use only by the private sector.
“Thus, monetisation of data is beneficial from both the point of view of the government and citizens, but only if the above-mentioned safety measures are taken into consideration by the Government of India.
“Otherwise, the step shall only turn out to be a disaster ending up with risking the personal information of citizens at risk of the cyber bullies,” Salman Waris concluded.