In 1776, when Adam Smith — arguably the most ardent champion of market economics — argued in favour of the invisible hand, there was no telephone, no broadband and no digital data coursing through cables or air waves. Privacy, therefore, was perhaps not on his mind when he claimed that well-functioning markets lead to socially optimal outcomes. Unfortunately, the markets have not exactly delivered on that exalted promise. But what has worked in favour of markets is that the alternative has, by and large, proven to be far worse. Not many, including those driven by ideology, have endorsed the extremes of only government or only markets as being solutions to the resource allocation problem that confronts economies. It has always been some combination of the two. The United States, for example, relies on the primacy of markets with limited government intervention and recent activity by the Federal Trade Commission (FTC) demonstrates the shortcomings of such an approach; Europe, on the other hand, distrusts markets with the government intervening actively in the economy. Others such as India, not only use government intervention but also State-Owned Enterprises (SoE) for the production of goods and services in certain sectors; China, Russia, North Korea, and Cuba have a heavier dose of SoEs.
Applying these principles, it is difficult to predict whether data, in all its manifestations, leads to better-functioning markets. Several economists, including Hal Varian, the chief economist of Google, are swayed by the efficiency hypothesis while others liken data to oil that has been subject to capture by powerful business interests. The oil extraction business is, and has always been, a natural monopoly, while data is arguably a manufactured monopoly. So the metaphor of data being the new oil is as much applicable for the profits it generates, as it is for the market abuses it can incite.
Truth be told, the history of after-the-fact reigning in of monopolies in democratic societies does not make for inspired reading. Structural, conduct and behavioural remedies have all been tried with varying degrees of failure. How will we fare with data, given that regulation in this domain is even more tricky due to privacy being recognised as a fundamental right?
Against this background, the work of the Digital Personal Data Protection Bill, which cleared Parliament on Wednesday, is tough. It aims to strike a delicate three-way balance between innovation (improving market functioning) and personal data protection (preventing abuse), between ex-ante rules and ex-post enforcement, and between India’s share in the global data market pie and mitigating concerns about data abuse on Indian soil. This is not an easy task.
The two most significant features of the law are the establishment of the data protection board (DPB) and the overriding powers that the government has assigned to itself. How the law plays out in practice will depend largely on the performance of DPB, especially with respect to credibility, legitimacy, and independence. It’s too early to make any judgments. The act justifiably provides for ex-ante regulation, particularly of entities with significant market power, or what the legislation describes as “significant data fiduciaries”. These will naturally be subject to more exacting rules relating to consent and purpose limitations. Who is a significant data fiduciary (SDF) will be decided by DPB once it is up and running. For now, however, the act suggests that the government and its agencies will be given wide-ranging exemptions, even though by any definition, it would qualify as an SDF in India. Exemptions have been given to the government on the basis of national security, relations with foreign governments, and maintenance of public order. Interestingly, the act also permits the central government to exempt any private entity from being classified as an SDF.
The passage of the bill is important, but it doesn’t — at least by itself — provide any insight on how the market for data will evolve in India. DPB and the government retain extensive powers, and it is how these powers are exercised that will determine market evolution. The legislation itself ensures India’s entry into the club of nations that have a digital data protection law, and a regulator to boot, but it does not guarantee that India will be bestowed a safe haven status. This is crucial because we are negotiating free trade agreements (FTA) with the United Kingdom (UK) and Europe. The act is a necessary, but not sufficient condition for getting a safe haven status, which will be critical if India wants to retain its extensive outsourcing businesses.
Hence, the future of the data market, and large sections of industry, will depend on effective regulation. Unfortunately, governments in India have tended to capture regulatory institutions over time. The number of members of DPB has been left open to be defined by the government, and only one of the members will be an expert in law. For others, it is sufficient to have experience in governance and administration, meaning that civil servants will most likely be appointed. The duration of the appointments is limited to two years, which is surprising given that it is going to be extremely complex and hard to govern data, not only because it is pervasive and spans sectors such as finance, health and e-commerce among others, but because the learning curve is very steep. Even though members are eligible for reappointment along with the chairperson, the short period might create perverse incentives and prevent the exercise of independence. Of course, these are conjectures; DPB might cover itself in glory, but the history of other regulatory institutions in India does not inspire confidence. I hope to be proved wrong.
Rajat Kathuria is dean, school of humanities and social sciences at Shiv Nadar Institute of Eminence and Professor of Economics. The views expressed are personal
