Download PDF
Preface
By Mozilla Insights
It’s a long-established fact: today’s data economy is not built on a level playing field. The people and communities whose data form its lifeblood are fighting to retain or regain control over their data and the value created from it. All too often, data is extracted and processed far removed from its source, serving the interests of the organizations that collect it rather than the people it impacts. This is why it’s important to explore new ways to govern data: to shift control, strengthen agency, to share value. Through the Mozilla Foundation’s Data Futures Lab and our work around data governance, we are working to challenge this current paradigm.
Reimagining, reconstituting, and rebalancing data governance requires system-level change, but opportunities to implement new ideas for better data governance often also exist within existing paradigms and legal frameworks. Just as the open source movement challenged copyright laws to introduce open licensing decades ago, builders can similarly defy existing laws and regulations to push the boundaries of how data is governed. Builders can shape new norms by leveraging opportunities present in existing rules. But to do so, they need a firm understanding of current realities. We aim to help them navigate existing legal landscapes so they can help pave the way for better data governance models and policy in the future.
The primary goal of this research is therefore twofold:
- To provide builders with an overview of the current (and changing) legal landscape governing the collection, management, sharing, and use of data in their country;
- to identify opportunities for what we call “alternative data governance” models within existing legal landscapes — specifically, where the regulatory status quo offers pathways to implement new approaches that shift power from data collectors to data subjects — that create meaningful incentives for the benefits of data to be shared between various parties and enable data to serve individual or collective interests.
The guiding question is: What can be built where, and using which levers, from a legal standpoint?
The analysis in this guide will provide builders with a map of laws and regulations relating to data and opportunities for experimentation. It will also provide concrete dos and don’ts for builders experimenting with new approaches to data governance.
Overview
In this report, the authors first provide an overview of the legal landscape relating to data governance and detail organizational models that can support alternative data governance. It also features two case studies: one on crowdsourced data commons and another on quasi-data trusts.
In its overview of the legal landscape, the report discusses the key piece of legislation regulating data governance in India — the Information Technologies Act (IT Act) — and the SPDI rules, which prescribe how sensitive personal data must be managed. It also discusses data localization requirements and provides an overview of ongoing developments, specifically around the handling of non-personal data in India, and the proposed Digital Personal Data Protection and Indian Telecommunication Bills.
In the next section, the report discusses organizational models that can support emerging approaches to data governance. To this end, it covers both corporate structures — that is, private limited and section 8 companies — as well as charitable models — such as registered and cooperative societies.
In the first case study, the report explains what crowdsourced data commons are — initiatives that pool data and govern it collectively toward a common purpose to enhance data access and create new datasets without necessarily centralizing control over said data — and their benefits and limitations. The second case study discusses quasi-data trusts, which are inspired by trust law and are meant to set up an intermediary “steward” of data that manages said data with data subjects’ — that is, individuals and communities from whom data is collected — interest at the forefront.
How to read this guide
Throughout this report, you will find a number of recurring elements that make it easy to find exactly what you’re looking for. The result is a reference that does not need to be read from cover to cover in a linear way; you can simply dip in and out of different sections as needed. The recurring elements are:
- Brief summary boxes of key themes and findings from each section.
- Case studies that dive deep into specific approaches to data governance, compete with additional resources to extend your knowledge.
- Checklists of concrete steps that may help you in your journey.
Additionally, the report contains a glossary with brief explanations of specific concepts and legal texts.
What this guide does not include is legal advice. It rather aims to provide a starting point in your exploration of this topic to help you ask the right questions and identify areas where bespoke advice from lawyers is necessary.
|
In this section: |
|---|
|
Law and regulation relating to data governance is a hotly contested and rapidly developing arena of policymaking. Data governance regulation in India is currently quite outdated and efforts are underway to update it. |
|
The IT Act is the key legislation regulating data collection, use, and transfers. A number of rules accompany the Act and lay down procedures for data collectors to follow. |
|
The so-called SPDI Rules are one such set of rules and prescribe the contents of the privacy policies we frequently encounter. |
|
Just in November and December of 2022, new drafts of key legislation regulating personal data collection and use and the telecommunications industry were introduced. |
|
Sectoral regulations are important to note as well. Regulators, especially those in domains dealing with financial data, tend to employ separate norms to govern data collection and use by entities operating in their respective sectors. |
Data protection and privacy
The Information Technologies Act (IT Act) is the key piece of legislation regulating alternative data governance models in India. The IT Act, enacted in 2000, lays out the nation’s data protection framework.[1] The IT Act comprises a number of accompanying rules, including the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules).[2] The SPDI Rules are applicable to “any company and includes a firm, sole proprietorship, or other association of individuals engaged in commercial or professional activities.”[3] By extension, the SPDI Rules are construed to exclude organizations that are not classified as engaging in professional or commercial activities.
The SPDI Rules apply to you if your alternative data governance model will deal with sensitive personal data or information. This is information relating to (i) passwords, (ii) financial information, (iii) health conditions, (iv) sexual orientation, (v) medical records and history, and (vi) biometric information. Do note that the SPDI Rules do not apply to “any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005, or any other law for the time being in force.”[4]
Before collecting any sensitive personal data, it is necessary to seek the informed consent of those providing the data. India has adopted a notice-and-choice paradigm for seeking consent online.[5] The “notice” is typically presented in the form of a published privacy policy, as mandated under the SPDI Rules.[6] The “choice” is an action signifying acceptance of the terms of the data collection outlined in the privacy policy. The SPDI Rules prescribe that this consent may be given “by any mode of electronic communication.”[7] In practice, consent of data providers is usually solicited by clicking on an “I agree” button prior to the use of the website, or through use of the website.
Privacy policy checklist
- List the personal or sensitive personal data or information collected.
- Describe why the data is collected.
- Explain how the data collected will be used.
- Disclose with whom and how the data collected will be shared.
- Document practices and procedures in place to ensure the security of the data collected.
- List grievance redressal mechanisms, including the contact information for a grievance redressal officer.
- Present the privacy policy in easily accessible, clear language.
Data localization
Once you have collected the data for your alternative data governance initiative, it is important to identify the location for storing the data collected. The SPDI Rules permit the transfer of sensitive personal data outside India as long as the same level of data protection is adhered to in the country to which data is being transferred.
The sector where your alternative data governance initiative operates is also relevant in determining where to store collected data. In the years after the enactment of the SPDI Rules, sectoral regulators have brought in data localization norms that mandate in-country storage of data. Examples include:
- Insurers are required to digitally store a record of every policy issued and claims made under the issued policies. This information is to be stored in data centers located and maintained in India only.[8]
- Companies are permitted to maintain financial information such as books of account and other relevant papers digitally.[9] The digitally stored financial information is required to remain accessible in India. Such information or its backup is required to be stored on physical servers in India.[10] Companies are also required to share details pointing to the storage location with the Registrar of Companies annually at the time of filing financial statements.[11]
- Entities involved in the payment ecosystem in India must ensure that data relating to payment systems they operate are stored in India.[12] This data includes end-to-end information collected, carried, and processed relating to every financial transaction carried out.[13]
- The Parliament enacted the Public Records Act in 1993 to prohibit the transfer of any “public records” outside India without the prior approval of the Central Government or for an “official purpose.”[14] Among other things, public records include “material produced by a computer or by any other device”[15] belonging to a public entity including government committees and public sector undertakings.
Ongoing developments
Non-personal data
Many alternative data governance initiatives entail collecting data that isn’t sensitive or personal in nature — non-personal data. This is data the SPDI Rules do not address. For example, in one of the case studies we discuss later, the alternative data governance initiative collected data relating to electricity supply at the household level.
In 2019, India’s Ministry of Electronics & Information Technology (MeitY) — seeking to study matters relating to non-personal data — constituted a committee of experts. The committee proposed a framework for governing non-personal data that emphasizes accountable data sharing mechanisms to unlock the economic, social, and public value of using data. This committee published two reports consolidating its findings and recommendations. The Reports of the Committee of Experts on Non-Personal Data (NPD Report V1 and NPD report V2, together “NPD Reports”) describe non-personal data as data that does not contain any personally identifiable information. This includes data regarding, for example, weather conditions, public transport systems, and in some instances, aggregated and anonymized data. The NPD Reports aim to establish legal and institutional frameworks for the exchange of NPD. This policy direction indicates the need to examine institutional mechanisms that can enable such sharing at scale, safeguard the interest of communities whose data is being collected, and enable trusted exchange in NPD.
The Digital Personal Data Protection Bill
The IT Act has been long overdue for a significant revision. In a landmark judgment in August 2017 — Justice K S Puttaswamy (Retd.) and Another v. Union of India and Others[16] — a nine-judge bench of the Supreme Court of India unanimously held that the “right to privacy” is a fundamental right guaranteed under the Constitution, and that privacy is intrinsic to life and personal liberty guaranteed under Article 21 of the Constitution. Following this verdict, legislative attempts to overhaul India’s data protection and privacy framework have accelerated.
The first such attempt — The Personal Data Protection Bill (PDPB) — was introduced in 2019 before the Parliament to comprehensively update India’s data protection regime. The PDPB only dealt with the regulation of personal data. It was referred to a Joint Parliamentary Committee, which published its report on 16 December 2021, along with a draft Data Protection Bill (DPB) to regulate both personal and non-personal data. As there were significant differences between the PDPB and DPB, the PDPB was withdrawn altogether in early August 2022.[17] Soon after, in November 2022, a fourth draft was introduced. Now called the Digital Personal Data Protection Bill, 2022, (DPDP) this draft has reverted to an earlier position of not regulating non-personal data.[18] While the form in which a data protection legislation will be enacted is quite unclear, it is quite clear that the prospective passage of the reintroduced bill will materially influence the creation of alternative data governance models.
Indian Telecommunication Bill
The Telegraph Act, enacted in 1885, continues to be a key legislation governing the operations of telecommunications systems in India. Much like the IT Act, it is widely recognized that the Telegraph Act is not suitable anymore for regulating contemporary technological systems. Recognizing this need, the Department of Telecommunications has recently published a draft bill — Indian Telecommunication Bill, 2022 — to regulate the sector.[19] [20] In its current form, the bill aims to bring in licensing mandates for operating telecommunication services. Telecommunication services are defined very broadly, to include everything involving electronic transmission of messages — from email and social media to video sharing and streaming. Alternative data governance initiatives, then, will be required to obtain a license from the central government before commencing operations. The draft bill will also influence the design of alternative data governance models by requiring compliance with know-your-customer requirements and adherence to government-prescribed operating standards, and building pathways for government interception.
The bill has received criticism from many quarters (including the Parliamentary Standing Committee on Information and Technology)[21] for the negative impact that it could have on innovation and user privacy. Nevertheless, it is important for builders to keep an eye on the shape that the final legislation takes.
|
In this section: |
|---|
|
From corporate structures to charitable models, there are several legal structures that organizations experimenting with alternative data governance can take. |
|
Private limited companies can be incorporated under the Companies Act and seek profits. Section 8 companies, on the other hand, are private companies geared toward charitable purposes. |
|
Among charitable models, registered societies are governed by charters and cannot distribute funds to their members; cooperative societies operate for the benefit of their members; and legal trusts are set up to manage certain assets in the interest of a beneficiary. |
In India, practical implementation models of data collection where the data collectors do not retain control over the data collected — what we call alternative data governance or data stewardship models — are few. We discuss two examples of initiatives at different stages in their alternative data governance plans a little later.
However, with policy proposals — especially the NPD Reports — indicating a strong desire to foster alternative models of data governance, it is likely that we will see more initiatives in the future. For those of you seeking to build out such models, an obvious starting point is to clearly articulate the purpose(s) and intended benefit(s) of such a model. This exercise is crucial to determine the foundational legal structure on which the model will rest, and is essential to the initiative’s success. Below, we offer a bouquet of structures and describe how amenable each is to initiatives seeking charitable or economic objectives that promote collective decision-making processes.
Corporate structures
Private limited company
An alternative data governance model intended to generate profits can be registered as a private company limited by shares under the Companies Act. A company limited by shares is simply one that can issue shares, has shareholders whose liability is commensurate with their shareholding, and can pay out dividends to its shareholders. Private limited companies have their own legal personality, can enter into licensing arrangements (with data principals), and hold assets (such as a database). Private companies also have extensive governance rules prescribed under the Companies Act that prescribe decision-making and accountability norms for companies. Practically speaking, this means that operational decisions are made by directors, committees appointed by directors, and voting shareholders.
While opting for this structure, builders need to carefully calibrate the dual objectives at play here: profit generation and the intended benefits of adopting alternative data governance. One way in which these objectives can be aligned is by making data principals shareholders in the company. Another way to align these objectives is by tailoring the governance structure to encourage some degree of collective decision-making flow. This can be achieved by appointing some shareholders to the Board of Directors and fostering shareholder participation in internal committees.
Section 8 company
Corporate law in India also envisages a company formed for charitable purposes. Called Section 8 companies, their activities are required to be geared toward “the promotion of commerce, art, science, sports, education, research, social welfare, religion, charity, protection of environment, or any such other object.”[22] The objective(s) of the Section 8 company should be clearly articulated at the time of initial incorporation. Section 8 companies also differ from for-profit companies in that the income or profits of Section 8 companies are required to be used only for charitable purposes, and cannot be used for dividend payouts to shareholders.[23]
Section 8 companies are overseen by the Registrar of Companies, and are required to show the continued fulfillment of their charitable purposes to the Registrar. While the charitable objective of Section 8 companies might often align better with the objectives of creating alternative data governance models, a way to strengthen buy-in into the initiative can be through creating processes to include beneficiaries in decision-making processes. As described in the case of private companies above, this can be through participation in committees appointed by directors. However, this is a limited participatory governance model.
Charitable models
Registered society
Registered societies are formed under the Societies Act,[24] or usually by corresponding legislation at the state level.[25] A society can be formed by seven or more persons coming together for specific purposes outlined in the Societies Act. These are typically for “literary, scientific, or charitable purposes.”[26] A Registrar of Societies regulates the functioning of registered societies. Funds of registered societies cannot flow to their members.
Registered societies are governed by charter documents, rules and regulations, and bylaws that enjoy some degree of flexibility as long as the applicable legislation is adequately imported in these documents. The principles, objectives, and governance modalities of the initiative developing an alternative data governance model will be encoded in these documents. As these documents are binding only for members of the society, one way to ensure the buy-in and trust of beneficiaries is for them to be members of the registered society.
Cooperative society
Cooperatives in India operate for the benefit of their members, and are formed by a group of ten or more people “whose primary objective is the promotion of the economic interests of its members in accordance with cooperative principles.”[27] Cooperatives are governed by the Cooperatives Act,[28] a cognate legislation at the state level, and — in cases of cooperatives with cross-state operations — the Multi-State Cooperatives Act.[29]
A cooperative structure can be quite powerful for an initiative using alternative data governance to ensure economic benefits flow to the data principals, while ensuring collective decision-making in the management of the initiative. What distinguishes cooperative societies from registered societies is that registered societies are restricted from engaging in profit generating activities. Meanwhile, cooperative societies share profits amongst members, in proportion to their contribution to the cooperative’s business as agreed upon and described in the bylaws.[30] At the same time, decision-making in cooperative societies is democratic, with each member having one vote.[31]
Legal trust
Trusts have a legacy of being used as vehicles to codify the rights and responsibilities of different parties in connection to an asset. In India, two types of trusts are recognized — private trusts and public trusts. Private trusts are governed by the Trusts Act and hold property that is transferable to a beneficiary.[32] One or more trustees are appointed to manage the property for purposes stated in a trust deed. Trustees have a fiduciary duty to fulfill the purpose of the trust. However, it is unclear under Indian law whether data rights may be construed as transferable property that may be held in a trust.[33] This ambiguity, while not a bar, presents a risk to an initiative relying on the private trust structure in India.
For alternative data governance initiatives seeking wider public participation and benefit, a public trust may be more suitable as it allows for community participation, which is not possible in a private trust. Public trusts are governed by the general principles of trust law alongside a variety of laws such as the Charitable and Religious Trust Act, 1920, the Religious Endowments Act, 1863, the Charitable Endowments Act, 1890, and the Maharashtra Public Trust Act, 1950.[34] Public trusts don’t require identification of a specific individual beneficiary, and instead are designed for the public at large. For an alternative data governance initiative seeking to adopt this structure, participation in collective governance would be through the appointment of some data principals as trustees.
Public trusts may appear to be well-suited for setting up a data trust, as data trusts are often created to manage data (or the rights to data of multiple data subjects) and they rely on the stewardship of one or more actors. However, as in the case with private trusts, the uncertain treatment of data as property poses a risk to builders. Other charitable models, as described above, may be more amenable for alternative data governance initiatives and have globally been preferred.[35]
Case studies from India
In a paradigm known as crowdsourced data commons, users gather data and combine it with other people’s data to create databases, which in turn enable goods or services to be created based on the data that is controlled as a commons.
In the same way that trusts have historically been used to manage and make choices about other types of assets — such as local land trusts that manage land on behalf of communities — data trusts are a way to manage and make decisions about data.
|
In this section: |
|---|
|
With the crowdsourced data commons approach, data is pooled and collectively governed by a community toward a common purpose. |
|
Organizers can enhance access to data and contribute to the creation of new datasets without (necessarily) centralizing control. |
|
Crowdsourced data commons require defining technical standards for the pooled data as well as processes and structures for community governance. |
In India, two alternative data governance approaches have been notable. Both seek to achieve public interest goals by generating open datasets, but they have adopted different legal forms. We will first discuss the one that uses crowdsourced data commons.
What is a crowdsourced data commons?
In a paradigm known as crowdsourced data commons, users gather data and combine it with other people’s data to create databases, which in turn enable goods or services to be created based on the data that is controlled as a commons. Crowdsourced data commons are a participative approach to building datasets with inputs from a large number of people. The purpose and variables of data collected are uniform and standardized for the public interest.[36]
Who is it for?
Crowdsourced data commons are initiatives aimed at democratizing data access and control through sharing data as a common pool resource. In this model, the access and contribution to data can be open or be limited to a particular community with a shared purpose. Therefore, communities or innovators trying to work on a specific issue with fixed data points and a large number of participants may use the crowdsourced data commons model. In order to accomplish a common goal (open access to essential data, such as cartographical data, medical research, or tracking pollution), initiatives typically gather together a group of individuals to collect data that either did not previously exist or has been unavailable.[37] The data is often open, but this isn’t always the case, particularly when sensitive information, like health data, is involved.[38] The community may organize and establish the rules and regulations informally or through a legal entity, such as a foundation.
What are the limitations?
Crowdsourced data commons only work when the number of contributors is large. The model may not be the best fit for purposes that require rigorous sampling and data structure, as the nuances of data may not be reliable due to the open nature of data contributions. It also requires a well-tested platform to handle the high levels of data input. Finally, accountability mechanisms are difficult to enforce when the responsibilities of individuals are not assigned with clarity. Therefore, specific parties, often the ones leading or organizing the initiative, have to dedicate resources to ensure that necessary actions and operations like the timely collection of data, management of dashboard or database, and accessibility are being undertaken in the absence of action by other parties.
Starting a crowdsourced data common
- Find a common source of data toward a common purpose.
- Define data points to be collected.
- Define standards for data points.
- Develop a dashboard or database where the community can provide data.
- Transfer know-how to the community for data collection.
- Develop how the process, structure, and model will be governed and assign responsibilities to the relevant parties.
- Introduce privacy and anonymization standards (using the checklist above).
- Allow easy access to datasets for community members and data providers.
- Establish a grievance system for both data providers and community members.
Example: The Electricity Supply Monitoring Initiative
The Electricity Supply Monitoring Initiative (ESMI) was launched in 2015 by the Prayas Energy Group (PEG). Based in Pune, India, PEG is a research and analysis organization that is part of a non-governmental charitable trust called PRAYAS (Initiatives in Health, Energy, Learning, and Parenthood).[39] The organization represents consumers in the market and has uncovered data gaps about electricity supply quality and frequent blackouts. This led to the creation of ESMI, whose goal was to compare the recommended electric load-sharing protocol with ground realities in order to assess the performance of utility companies. The initiative was conceived in 2007, and it was launched to the public in 2015.[40]
How ESMI works
With support from a 2013 Google Impact Challenge award, Prayas coordinated with local partners to install electricity supply monitors at more than 400 sites throughout India. These plug-and-play devices use a voltage monitor to collect data directly from consumers and a processing unit to aid in data storage and communication over the cellular network. It all goes into a comprehensive ESMI database that tracks voltage levels and supply disruptions, and feedback on the quality of the electricity supply is shared with consumers and regulators. ESMI has acquired nearly 10 million location hours of voltage data since the start of the project.[41]
The project first encountered difficulties with data collection methods and the cultural and geographic nuances of many regions.[42] The approval associated with data collection, recognition of political concerns, and data location tracing were crucial in addressing those issues. Challenges in data collection included infrastructure, locating willing public participants, and the secure collection and storage of data.[43]
The ESMI life cycle emphasizes the need for the necessary technological capabilities, legitimacy, and data quality to meet the public’s desire for data sharing for a clearly stated objective. Additionally, it was crucial that the data be made available to civil society, activists, and scholars so that it could be used to further activism and generate awareness, scholarship, and public accountability of electricity companies.
Although the ESMI was an open data effort, several of the elements mentioned above — such as the data requestor’s knowledge, their vision, and their intended recipients — may be very important for data managers evaluating data requests, as the project somewhat behaves and is arranged like a hybrid open data arrangement. Additionally, it is a strong illustration of data equality because the intended beneficiaries were able to use the data for purposes of public interest, creating further opportunities for engagement, action, and expansion.[44] As more data is collected, the public’s interest in such data can only be guaranteed by ensuring public access to high-quality data that takes into account both validity and relevance.
The data model used by ESMI is open access data with some added elements, where ESMI also acts as a moderator much like in a data trust between data collection and the publicly available data. ESMI ensures that data that is going out to the public does not disclose any private information about the participants of the project. The public can contribute data by opting into the initiative, and can access it via Harvard Dataverse and Prayas’ website, WatchYourPower.org.[45]
The data can be accessed by innovators, public interest groups, activists, policymakers, and the companies being held accountable, and many have used it to foster public dialogue about India’s electrical supply quality.[46] And regulators, ministries, and even customers have used it as leverage to push for change, both by working directly with electricity companies and via legal activism initiated by civil society organizations as collective action.[47],[48] The lack of a novel data governance model here is testimony to how simpler data models can easily fit into the existing legal framework.
|
In this section: |
|---|
|
Legal trusts have historically been a vehicle to manage assets on behalf of certain individuals or communities based on a fiduciary duty toward these beneficiaries. |
|
Data trusts could be used to serve as an intermediary “steward” of people’s and communities’ data, representing their interests toward others. |
|
However, it is still unclear whether trusts can be set up around data rights under Indian law. Trust-like models may be able to serve the same function. |
What are data trusts?
In the same way that trusts have historically been used to manage and make choices about other types of assets — such as local land trusts that manage land on behalf of communities — data trusts are a way to manage and make decisions about data. The independent individual, organization, or entity stewarding the data assumes a fiduciary role when using data trusts. A fiduciary duty in this context entails stewarding data with impartiality, caution, transparency, and undivided commitment. In law, a fiduciary duty is thought to be the greatest level of obligation that one person may owe to another.
In order to unlock the benefits of data for individuals or communities, various alternative data governance approaches extend powers to an intermediary “steward” who manages data (rights) on behalf of beneficiaries within a consent-based structure and toward a defined goal. Such governance approaches would usually be based on a legal framework and can be of participatory nature, based on fiduciary relationships, or they can be contractual or based on codes of practice. The incentives for data stewards can vary.[49] Alternative strategies are employed to accomplish specific goals.[50]
Who is it for?
Numerous studies and analyses have pointed out that data trusts can unlock the value of data for individuals, communities, and society.[51] A data trust is a steward that manages someone’s data on their behalf. It is inspired by the concept of a legal trust, which is a centralized autonomous entity that holds assets for the primary benefit of the assets’ beneficiary.[52] Data trusts may manage data decision-making in a similar way that trusts have traditionally been used to supervise and make decisions about other forms of assets, such as land trusts that manage property on behalf of local communities.[53] Therefore, initiatives that aim at improving innovation, privacy, research, and consumer empowerment can use the data trust model to achieve their objectives.
What are the limitations?
Stakeholder relationships are defined by a data trust. To that purpose, a data trust’s beneficiaries must be specifically identified; if they are defined too broadly, they will be unable to fulfill their fiduciary duties. A community is also not a static, uniform entity that only exists along one axis of identification. This makes it difficult to define data trustees for communities and to understand how a community and a data trustee interact. It is important to note that given the limitations of legal trusts in India, particularly the gray nature of data’s treatment as property, a hybrid form of data trust is needed that involves contractual mechanisms to work alongside the trust arrangements. Finally, because a data trustee would act solely in the best interests of the data principals or subjects, data trustees could develop into a real profession where nonprofits specialize in comprehending the circumstances in which data should be collected, the risks involved, and the methods by which data can be shared.[54] As a result, only an entity that is aware of the risks and duties would be permitted to take on the role of a data trustee and this liability.
Example: Open Transit Data Delhi
The pilot of the Data Trust for Urban Mobility — which resulted in Open Transit Data Delhi — stands out as an example of a data trust-like model in India, which is slightly different from the traditional data trust pilots that are happening elsewhere in the world.[55] The pilot emerged from a collaboration between Vidhi Centre for Legal Policy (a legal research think tank), Cyril Amarchand Mangaldas (a law firm), IIIT Delhi (an educational institute), and Omidyar Network India (a philanthropic investment firm).[56] Mobility data has been of particular interest to actors in the open data ecosystem in India as major cities struggle with overcrowded streets alongside the rise of new mobility methods and platforms working to solve mobility challenges.[57] This pilot is different because it involves contractual agreements without creating an actual trust, but lays the groundwork for a possible trust to be created in the future.
How Data Trust for Urban Mobility works
Data Trust for Urban Mobility Data was created with the intention of enabling easy, secure, and widespread access to public transit ticketing, real-time location, and schedules; enhancing passenger experiences; and bolstering public knowledge of urban transportation.[58] Vehicle traffic data, footfall, and public transit data were all collected to explore patterns, trends, and bottlenecks. To manage the data sets, the pilot began with a charter that specified the objectives and duties of the pilot.
The pilot then integrated a technology platform with an institutional structure in the form of stakeholder representation by creating a representative mechanism for collective decision-making that can develop policies for the governance of data and clear contractual conditions that define the parameters of data obligations, duties, and guarantees for safe and lawful data use for the stakeholders participating in the pilot.[59] Apart from this, the pilot recommends setting up committees consisting of different stakeholder groups to reach decisions regarding governance to help ensure that the data trust continues to serve the community as intended by the community. Finally, transparency requirements and a grievance resolution mechanism are advised for a successful data trust.
The pilot data has been used by the Government of Delhi to improve sustainable mobility in New Delhi.[60] The pilot revealed that data trust-like models could, when properly implemented, be a cost-effective way to collect, store, and share data for the benefit of communities. They can enhance coordination and collaboration by harmonizing data standards, which in turn reduces siloization of data. The trust-like data governance approach also establishes accountability mechanisms that enable security, and uses fiduciary duties, transparency, and community voice to reduce reliance on an individual level and instead build and rely on systemic and institutional systems.
Setting up a trust-like model for data
- Register a nonprofit company under Company Act, with the listed purpose of performing the functions of a trust.
- Draft a Memorandum of Association and create a Board of Directors bound to a fiduciary duty to the beneficiary community.
- Have the Board create guidelines for data sharing, use, and access. The Board should also set up stakeholder committees to govern data.
- Develop a data collection and hosting platform in compliance with Board guidelines.
- Share the data collection, standards, and hosting guidelines with data principals, data users, and the community.
- Establish a grievance redressal system for stakeholders.
Further reading
Aapti Institute. “Stewardship Navigator.” The Data Economy Lab. Accessed August 29, 2022. Aapti Institute. “Stewardship Navigator.” The Data Economy Lab. Accessed August 29, 2022. https://tool.thedataeconomylab.com/.
ANA Law Group. “India Law Practice.” Global Practice Guide on Data Protection and Cybersecurity. 2019. https://www.anaassociates.com/wp-content/uploads/2019/06/Data-Protection-Cyber-Security-India-ANA-Law-Group-April-2019.pdf.
Bawa, Zainab. “A Primer on the Non-Personal Data (NPD) Framework Proposed for India – India’s Non-Personal Data (NPD) Framework.” HasGeek - Privacy Mode. Accessed August 29, 2022. https://hasgeek.com/PrivacyMode/non-personal-data/sub/a-primer-on-the-non-personal-data-npd-framework-pr-UuE3RakP8Je7j3mQXDMHS1.
Bishnu, Indranath, and Aakulu, Supriya. “Data Protection in the Indian Insurance Sector – Regulatory Framework Part I.” Cyril Amarchand Mangaldas. May 13, 2019. https://corporate.cyrilamarchandblogs.com/2019/05/data-protection-indian-insurance-sector-regulatory-framework-part-1/.
Bishnu, Indranath, and Anirud Sudarsan. “Policyholder - Data Sharing in India - Time for Consent - Based Regime?” Cyril Amarchand Mangaldas. August 18, 2022. https://corporate.cyrilamarchandblogs.com/2022/08/policyholder-data-sharing-in-india-time-for-consent-based-regime/.
Chattapadhyay, Sumandro. “Opening Government Data Through Mediation: Exploring the Roles, Practices and Strategies of Data Intermediary Organisations in India.” SSRN Scholarly Paper. Rochester, NY, December 31, 2014. https://doi.org/10.2139/ssrn.2549734.
Institute of Company Secretaries of India. “FAQs on Section 8 Companies.” The Companies Act, 2013 Series. Institute of Company Secretaries of India. 2016. https://www.icsi.edu/media/webmodules/publications/FAQs_on_Section_8_Companies.pdf.
Kulkarni, Shweta. “Prayas (Energy Group) Electricity Supply Monitoring Initiative (ESMI).” Applied Research Programme on Energy and Economic Growth, n.d. https://www.energyeconomicgrowth.org/sites/default/files/2020-02/Shweta%20Kulkarni_presentation.pdf.
McDonald, Sean. “Reclaiming Data Trusts.” Centre for International Governance Innovation. March 5, 2019. https://www.cigionline.org/articles/reclaiming-data-trusts/.
Ministry Of Corporate Affairs. “Management and Board Governance.” Accessed August 30, 2022. https://www.mca.gov.in/MinistryV2/management+and+board+governance.html.
Mukul, Pranav, and Soumyarendra Barik. “What Is the Draft Telecom Bill, and What Changes It Aims to Bring.” Indian Express, September 23, 2022. https://indianexpress.com/article/explained/explained-sci-tech/what-draft-telecom-bill-what-changes-aims-to-bring-8166260/.
Reserve Bank of India. “Frequently Asked Questions — Storage of Payment System Data.” April 06, 2018. https://m.rbi.org.in/scripts/FAQView.aspx?Id=130.
ANA Law Group. “India Law Practice.” Global Practice Guide on Data Protection and Cybersecurity. 2019. https://www.anaassociates.com/wp-content/uploads/2019/06/Data-Protection-Cyber-Security-India-ANA-Law-Group-April-2019.pdf.
Bawa, Zainab. “A Primer on the Non-Personal Data (NPD) Framework Proposed for India – India’s Non-Personal Data (NPD) Framework.” HasGeek - Privacy Mode. Accessed August 29, 2022. https://hasgeek.com/PrivacyMode/non-personal-data/sub/a-primer-on-the-non-personal-data-npd-framework-pr-UuE3RakP8Je7j3mQXDMHS1.
Bishnu, Indranath, and Aakulu, Supriya. “Data Protection in the Indian Insurance Sector – Regulatory Framework Part I.” Cyril Amarchand Mangaldas. May 13, 2019. https://corporate.cyrilamarchandblogs.com/2019/05/data-protection-indian-insurance-sector-regulatory-framework-part-1/.
Bishnu, Indranath, and Anirud Sudarsan. “Policyholder - Data Sharing in India - Time for Consent - Based Regime?” Cyril Amarchand Mangaldas. August 18, 2022. https://corporate.cyrilamarchandblogs.com/2022/08/policyholder-data-sharing-in-india-time-for-consent-based-regime/.
Chattapadhyay, Sumandro. “Opening Government Data Through Mediation: Exploring the Roles, Practices and Strategies of Data Intermediary Organisations in India.” SSRN Scholarly Paper. Rochester, NY, December 31, 2014. https://doi.org/10.2139/ssrn.2549734.
Institute of Company Secretaries of India. “FAQs on Section 8 Companies.” The Companies Act, 2013 Series. Institute of Company Secretaries of India. 2016. https://www.icsi.edu/media/webmodules/publications/FAQs_on_Section_8_Companies.pdf.
Kulkarni, Shweta. “Prayas (Energy Group) Electricity Supply Monitoring Initiative (ESMI).” Applied Research Programme on Energy and Economic Growth, n.d. https://www.energyeconomicgrowth.org/sites/default/files/2020-02/Shweta%20Kulkarni_presentation.pdf.
McDonald, Sean. “Reclaiming Data Trusts.” Centre for International Governance Innovation. March 5, 2019. https://www.cigionline.org/articles/reclaiming-data-trusts/.
Ministry Of Corporate Affairs. “Management and Board Governance.” Accessed August 30, 2022. https://www.mca.gov.in/MinistryV2/management+and+board+governance.html.
Mukul, Pranav, and Soumyarendra Barik. “What Is the Draft Telecom Bill, and What Changes It Aims to Bring.” Indian Express, September 23, 2022. https://indianexpress.com/article/explained/explained-sci-tech/what-draft-telecom-bill-what-changes-aims-to-bring-8166260/.
Reserve Bank of India. “Frequently Asked Questions — Storage of Payment System Data.” April 06, 2018. https://m.rbi.org.in/scripts/FAQView.aspx?Id=130.
Glossary
DPB: Data Protection Bill, 2021
Cooperatives Act: Co-operative Societies Act, 1912
Constitution: Constitution of India
DPDP Bill: Digital Personal Data Protection Bill
ESMI: Electricity Supply Monitoring Initiative
IIITD: Indraprastha Institute of Information Technology Delhi
Multi-State Cooperatives Act: Multi-State Cooperative Societies Act, 2002
NPD: Non-personal data
NPD Report V1: Report of the Committee of Experts on Non-Personal Data
NPD Report V2: Report of the Committee of Experts on Non-Personal Data
PDPB: Personal Data Protection Bill, 2019
PEG: Prayas (Energy Group)
SPDI Rules: The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules (2011).
Societies Act: Societies Registration Act, 1860
Trusts Act: Indian Trusts Act, 1882
Bibliography
Adarsh, Vasumita S. “Start-up Altizon Systems Helps NGO Monitor Power Supply.” The Economic Times, March 31, 2015. https://economictimes.indiatimes.com/industry/energy/power/start-up-altizon-systems-helps-ngo-monitor-power-supply/articleshow/46752216.cms?from=mdr.
Agrawal, Aditi. “What Are Data Trusts? How Do They Work?” Medianama, August 13, 2020. https://www.medianama.com/2020/08/223-nama-data-trusts/.
Blasimme, Alessandro, Effy Vayena, and Ernst Hafen. “Democratizing Health Research Through Data Cooperatives.” Philosophy &Amp; Technology 31, no. 3 (June 19, 2018): 473–79. https://doi.org/10.1007/s13347-018-0320-8.
Canares, Michael P, Anirudh Dinesh, Andrew Young, and Stefaan Verhulst. “India’s ESMI.” Open Data For Developing Economies Case Studies - India, July 2017. http://odimpact.org.
Carballa Smichowski, Bruno. “Alternative Data Governance Models: Moving Beyond One-Size-Fits-All Solutions.” Intereconomics 54, no. 4 (July 2019): 222–27. https://doi.org/10.1007/s10272-019-0828-x.
Center of Excellence in Urban Transport. “8th Mobilogue: Role of Open Data in Urban Mobility.” (Thread). Twitter, February 11, 2022. https://mobile.twitter.com/CoEUT_CEPT/status/1492110813359792128.
Committee of Experts. “Report on Non-Personal Data Governance Framework.” Ministry of Electronics & Information Technology, July 2020. https://static.mygov.in/rest/s3fs-public/mygov_159453381955063671.pdf.
Committee of Experts under the Chairmanship of Justice B.N. Srikrishna. “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians,” July 27, 2018. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report-comp.pdf.
The Co-operative Societies Act, Pub. L. No. 2 of 1912 (1912). https://legislative.gov.in/sites/default/files/A1912-02.pdf.
“Delhi Govt Ties up with Indraprastha Institute of Information Technology to Improve Urban Transportation.” The Indian Express (blog), July 14, 2022. https://indianexpress.com/article/cities/delhi/delhi-govt-indraprastha-institute-information-technology-urban-transportation-8028159/.
Department of Telecommunications. “Consultation Paper on ‘Need for a New Legal Framework Governing Telecommunication in India.’” July 23, 2022. https://dot.gov.in/sites/default/files/Consultation%20Paper%20final%2023072022-1.pdf?download=1.
Dodge, Martin, and Rob Kitchin. “Crowdsourced Cartography: Mapping Experience and Knowledge.” Environment and Planning A: Economy and Space 45, no. 1 (January 2013): 19–36. https://doi.org/10.1068/a44484.
Dugoua, Eugenie, Ryan Kennedy, Myriam Shiran, and Johannes Urpelainen. “Assessing Reliability of Electricity Grid Services from Space: The Case of Uttar Pradesh, India.” Energy for Sustainable Development 68 (June 2022): 441–48. https://doi.org/10.1016/j.esd.2022.04.004.
ET Contributors. “Protect Data without Stifling Enterprise.” Economic Times, August 5, 2022. https://economictimes.indiatimes.com/opinion/et-editorial/protect-data-without-stifling-enterprise/articleshow/93355615.cms.
Government of India. Indian Telecommunication Bill, 2022 (2022). https://dot.gov.in/relatedlinks/indian-telecommunication-bill-2022.
Government of India. The Information Technology Act (2000). https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf.
Jack Hardinges, “What Is a Data Trust?,” ODI (blog)., July 10, 2018., https://theodi.org/article/what-is-a-data-trust/.
Heda, Shubhangi and Setu Bandh Upadhyay. “Dimensional Analysis of Future of Non-Personal Data Sharing: Examining Approaches and Governance Mechanisms.” (Policy Research). CUTS International. July 2021. https://cuts-ccier.org/pdf/report-dimensional-analysis-of-future-of-npd-sharing.pdf.
IIITD. “Open Transit Data Delhi.” Open Transit Data Dashboard. 2020. https://opendata.iiitd.edu.in/.
Indian Trusts Act, Pub. L. No. 2 of 1882 (1882). https://legislative.gov.in/sites/default/files/A1882-02.pdf.
Insurance Regulatory and Development Authority of India. Insurance Regulatory and Development Authority of India (Maintenance of Insurance Records) Regulations (2015). https://www.irdai.gov.in/ADMINCMS/cms/Uploadedfiles/Regulations/Consolidated/IRDAI%20(Maintenance%20of%20Insurance%20Records)%C2%A0Regulations%202015.pdf.
Jindal, Trishi and Aniruddh Nigam. “Data Stewardship for Non-Personal Data in India: A Position Paper on Data Trusts.” Vidhi Centre for Legal Policy. November 20, 2020. https://vidhilegalpolicy.in/research/data-stewardship-for-non-personal-data-in-india/.
Justice K S Puttaswamy (Retd.) and Another v. Union of India, 10(1) SCC (Supreme Court of India 2018). https://indiankanoon.org/doc/127517806/.
Kar, Ayushi. “The Withdrawal of the PDP Bill and the Road Ahead.” The Hindu Businessline. August 8, 2022. https://www.thehindubusinessline.com/blexplainer/the-withdrawal-of-the-pdp-bill-and-the-road-ahead/article65747464.ece.
Kennedy, Ryan. “Connecting People To The Grid In India Isn’t Enough.” Forbes. February 27, 2019. https://www.forbes.com/sites/uhenergy/2019/02/27/connecting-people-to-the-grid-in-india-isnt-enough/.
Khanna, Pretika. “Delhi Government Launches Platform to Provide Real Time Data of Buses in the Capital.” Mint, November 23, 2018. https://www.livemint.com/Politics/XRn3IG3K3wcyqPPXjExbkK/Delhi-government-launches-platform-to-provide-real-time-data.html.
Kolekar, Amit. “Succession Planning: Understanding Public Trusts and Their Management.” Moneycontrol, February 2018. https://www.moneycontrol.com/news/opinion/succession-planning-understanding-public-trusts-and-their-management-2517287.html.
Manohar, Siddharth, Astha Kapoor, and Aditi Ramesh, “Understanding Data Stewardship: Taxonomy and Use Cases” (Aapti institute, 2020). https://thedataeconomylab.com/wp-content/uploads/2020/06/Understanding-Data-Stewardship-Aapti-Institute.pdf.
Ministry of Communications and Information Technology. Clarification on Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 (2011). https://www.meity.gov.in/writereaddata/files/PressNote_25811.pdf.
Ministry of Communications and Information Technology. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules (2011). https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf.
Ministry of Corporate Affairs. Companies (Accounts) Rules (2014). https://www.mca.gov.in/Ministry/pdf/NCARules_Chapter9.pdf.
Ministry of Corporate Affairs. Companies Act (2022). https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf.
Ministry of Corporate Affairs. “Report of the Expert Group on Societies Registration Act, 1860.” Government of India, June 2012. https://www.mca.gov.in/Ministry/pdf/final_report_Expert_Group_15_sept_2012_sub.pdf.
Ministry of Electronics and Information Technology. Personal Data Protection Bill, Pub. L. No. 373 of 2019 (2019). http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf.
Mozilla Foundation. “Data Futures Lab Glossary.” Mozilla Foundation, March 26, 2021. https://foundation.mozilla.org/de/data-futures-lab/data-for-empowerment/data-futures-lab-glossary/.
Open Data Institute, “R&D: Can Data Trusts Increase or Help Data Sharing?,” 2020, https://theodi.org/project/data-trusts/.
Parliament of India. Multi-State Cooperative Societies Act, Pub. L. No. 39 of 2002 (2002). https://mscs.dac.gov.in/Guidelines/GuidelineAct2002.pdf.
Parliament of Republic of India. The Public Records Act (1993). http://nationalarchives.nic.in/content/public-records-act-1993-0.
“Prayas.” Accessed August 28, 2022. https://www.prayaspune.org/.
Prayas. “Minute-Wise Voltage Data Collected in Electricity Supply Monitoring Initiative.,” (Harvard Dataverse, 2019), https://doi.org/10.7910/DVN/CLLZZM.
Prayas Energy. “About the Initiative.” August 7, 2019. https://energy.prayaspune.org/our-work/article-and-blog/about-the-initiative.
Prayas Energy. “Electricity Supply Monitoring Initiative.” July 30, 2019. https://energy.prayaspune.org/our-work/article-and-blog/electricity-supply-monitoring-initiative.
Prayas Energy. “Electricity Supply Monitoring Initiative (ESMI) - Prayas (Energy Group).” 2019. https://www.prayaspune.org/peg/resources/electricity-supply-monitoring-initiative-esmi.html.
PTI. “Parliamentary Panel Members Raise Apprehensions about Some Provisions of Draft Telecom Bill.” ThePrint (blog), October 28, 2022. https://theprint.in/india/parliamentary-panel-members-raise-apprehensions-about-some-provisions-of-draft-telecom-bill/1186115/.
Reserve Bank of India. Storage of Payment System Data (2018). https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244.
Societies Registration Act, Pub. L. No. 21 of 1860 (1860). https://www.mca.gov.in/Ministry/actsbills/pdf/Societies_Registration_Act_1860.pdf.
Vidhi Centre for Legal Policy. “Panel Discussion on ‘Data Trusts for the Public Good,’” December 17, 2020. https://vidhilegalpolicy.in/events/panel-discussion-on-data-trusts-for-the-public-good.
Acknowledgements
We would like to thank Stefan Baack, Solana Larsen, and Kasia Odrozek, who have provided valuable feedback on this work. We also thank Kristina Shu and Nancy Tran from Mozilla Foundation’s design team for their support in designing this report. Ran Zheng created the illustrations you’ll find throughout these pages. Thanks are further due to J. Bob Alotta, Champika Fernando, Mehan Jayasuriya, EM Lewis-Jong, Jackie Lu, Anouk Ruhaak, Udbhav Tiwari, and Richard Whitt for informing the direction of this project.
This work was led by Mozilla’s Insights team. Eeva Moore led design and engagement work, Kenrya Rankin edited the research, and Neha Ravella provided project management support. Maximilian Gahntz was the project lead.
Disclaimer
The content of this report does not constitute legal advice. Please seek the advice of a qualified attorney.
