Karnataka's open data access: At what cost?

On October 19, the Karnataka government notified its Open Data Policy, whose ambitious objectives have triggered concerns.

The policy aims to achieve three overarching goals - management and interoperability of data across government departments; defining processes and standards for enabling proactive, open access to government data for research, innovation and evidence-based governance; and promoting monetisation of anonymised citizen data. The move comes in the context of the Economic Survey of India, 2019, recommendations to monetise citizen data to facilitate the use of data as a "public good".

The policy calls for sharing anonymised citizen data which could pose grave privacy threats through the risk of de-anonymisation. The "data ownership" concept adopted in the policy makes the state government department that processes the data its owner. In practice and policy, the state is considered the fiduciary or custodian of citizen data and should act in their best interests. As advocated by the Personal Data Protection Bill, 2019, and the Non-personal Data Governance Framework (NPD), 2020, the ultimate ownership of data lies with the individuals and communities who help produce it. Lastly, the data monetisation aspect of the policy is problematic for its lack of transparency, potential to prop up private data monopolies and lack of clarity on pricing mechanisms.

Perils of anonymisation

The policy allows for sharing of personal data once it has been anonymised. It, however, does not prescribe the standards that need to be followed for data anonymisation, much like most data governance-related policies in India. With India lacking data protection legislation (for personal and non-personal data), there is a distinct lack of a legal threshold and standards for anonymisation. This could lead to using methods such as pseudonymisation, where personal identifiers are replaced with pseudonyms.

Similar was the stated method of anonymisation used in the contract between the UK National Health Service and various private firms. The UK NHS has come under criticism for the possibility of users being re-identified from their health data owing to the use of pseudonymisation. Indeed, the EU's General Data Protection Regulation (GDPR) recognises this, noting that "personal data which have undergone pseudonymisation… should be considered to be information on an identifiable natural person" and is therefore not outside the purview of the GDPR.

Pseudonymisation aside, other methods of anonymisation are not foolproof either. Earlier this year, private individuals were able to unmask a user by analysing location data acquired from a third-party data vendor, despite the data in the data set being anonymous. It was further proof of the fallibility of anonymisation of data, especially anonymous mobility/location data. This is particularly concerning as the Karnataka policy allows explicitly for the geospatial data to be shared. The threat to privacy is amplified by the absence of penalties in the policy for accidental/willful de-anonymisation carried out using data acquired through the policy. Given that there is no framework for data protection in India, it is difficult for people to seek legal recourse.

Ownership or obscurement?

The Open Data Policy bestows ownership of datasets on the "chief data officer" of respective departments of the Karnataka government. To begin with, adopting an ownership approach to data is problematic and unsuitable. Not only is data not like property and other goods that can be owned or exchanged, but an individual's data on its own does not have as much value as it does when pooled together with data about other people from other sources. Many of the problems around unfair use of data cannot be addressed simply by assigning ownership of data. Instead, what is required is a system of data rights that will address the gamut of harms arising from the sharing and processing of data.

Even within an ownership framework, the approach adopted in the policy goes against the principles set out in the Personal Data Protection Bill, where individuals are de facto owners of the data relating to them. The NPD report states that the individual will own non-personal data derived from an individual's personal data. Rights in non-personal data of a community will be vested in the trustee of that community.

The policy does not provide any legal basis for this assignment of ownership. Such assignment of ownership also has a detrimental impact on the decisional autonomy of the individuals and communities to whom that data relates. It takes away from their ability to decide with whom data relating to them is shared and the purposes that such data could be used.

Additionally, as recognised in the NPD report, government departments are to function as custodians/fiduciaries of data, having a fiduciary responsibility to act in the interests of communities, seeking public value for this data. However, simply making data available does not satisfy this duty as there is no guarantee that the benefits of data analysis will accrue to the public.

A reading of the policy indicates that the purpose of this assignment of ownership is to assign responsibility for the quality and authenticity of data to departments and staff within them. However, if this was indeed the intent, the Karnataka government must change the taxonomy used to disassociate it from notions of ownership.

True costs of monetisation

The policy stands out for proposing the monetisation of aggregated and anonymised citizen data held by state government departments, which is problematic for several reasons.

First, as previously stated, anonymisation is not a foolproof mechanism against re-identification, particularly in the absence of distinct legal thresholds. Second, the monetisation contracts between the Karnataka government and authorised data buyers will be covered under a non-disclosure agreement, which has disconcerting implications for transparency. Citizens have little visibility into the prices at which data is sold, the purposes for which it will be used and the parties involved in the agreement. The role of individuals and communities as producers of data is obscured, making their participation in data sharing decisions impossible. Third, the policy mentions "data stewards" as entities that will fix the prices for data monetisation without clarifying their roles, responsibilities and oversight mechanisms.

More fundamentally, data monetisation presents several institutional challenges in itself. The policy treats data as a mere economic resource or property that can be exploited. Scholars have drawn attention to the unique nature of data that renders it unsuitable to be treated as property. This is compounded by the relational value attributed to data, making it conducive to re-use, which property approaches cannot support. Moreover, intensified commodification of datasets could risk propping up private data monopolies, which might be better able to afford the government datasets than smaller players such as civil society organisations. This facet hinges on the specific pricing formula to be adopted by the Karnataka government, but the policy fails to provide clarity on this. Lastly, the accumulation of datasets in the hands of a few private players could undermine the ability to use data for public interest and innovation in ways that would distribute the value of data equitably and genuinely benefit the communities who produce the datasets.

Pathways to democratic data governance

Any policy framework seeking to share data must respect the interests of individuals and communities who generate this data and their rights over it. Data must be deployed for public welfare in consultation with the citizens who are affected by it. Intermediaries such as data stewards present a promising avenue to mediate public access to data by representing and enabling community participation in data decisions. Barcelona's DECODE project and Korea's Gyeonggi province Data Dividend programme are two valuable examples of citizen-led data stewardship efforts that benefit local communities and businesses alike.

The Karnataka government must rethink its policy in light of such models surfacing democratic approaches to data governance, expanding the scope to enable meaningful citizen participation in decision-making.

(The authors work with Aapti Institute, a Bengaluru-based think tank)

Disclaimer: The views expressed above are the author's own. They do not necessarily reflect the views of DH.