[This piece was authored by Kshitiz Jain and Satvik Mishra, students at the Rajiv Gandhi National University of Law.]

Introduction

In September 2019, the Ministry of Electronics and Information Technology constituted a committee led by Kris Gopalakrishnan (“Committee“) to prepare a report on the Non-Personal Data (“NPD“) Governance Framework. The Committee proposed its first report in July 2020, which faced extensive criticism from experts for having overlooked proprietors’ rights over their collected data. Consequently, the Committee proposed a revised report (“Report“) in December 2020, which includes a brief analysis of proprietorship of High-Value Datasets by the virtue of trade secret and copyright protection in India. However, the latter Report substantially retained the regulatory framework given under the former report.

This article analyses the recommendations regarding NPD Governance, as given in the revised report, in consonance with the protection of trade secrets and copyright provisions in India. It also highlights the parts of the Report that are not compliant with the existing intellectual property rights (“IPR“) regime in India and need immediate revision.

Third-party liability and mandatory data sharing

The Report defines High-Value Dataset (“HVD“) as one that is beneficial to the community at large, and is created, maintained, and shared by either a government organization or a non-profit private organization called a data trustee. The sharing of such non-personal datasets is particularly allowed for three purposes – (i) sovereign purpose, (ii) public good, and (iii) business purposes. The Committee recommended a mandatory sharing of collected data with the data trustees for sovereign purposes and for the public good. However, the Report has only vaguely defined these purposes and fails to put forth a process of scrutiny for any fake and unsubstantial data requests for commercial benefits of third parties.

Currently, India does not have a codified law for trade secret protection. However, India is a signatory to the TRIPS Agreement, and Article 39 of this agreement obligates protection of the secrecy of commercially valuable information. The Committee correctly noted that trade secret protection in India derives from contracts and equity. Further, the Committee acknowledged the need for and existence of such protection for any data that is confidential or has been collected through investment or skills. However, the Report mistakenly concluded that trade secret protection usually lies within a relationship of confidence, and such rights are not effectively sustained against third parties. Third-party liability, subject to their knowledge and intent, is found to be crucial for protecting valuable commercial secrets and preventing dishonest commercial practices. Further, the Report observed that trade secret protection cannot be provided for data that is freely available in public. However, any distinct combination of freely available data elements, so combined for competitive gains, is entitled to trade secret protection. Moreover, the Report mandated proprietors to provide access to data trustees of these datasets to create and manage HVDs. Nevertheless, the Report overlooks the accountability of NGOs or any other organisation (including any third party) with regard to transparency and certainty in utilising such data for the public good and not for commercial profits.

Conflicts with the Copyright Act

The Report errs in propounding the protection of proprietors’ rights over their compiled data under copyright provisions. As per the Copyright Act, 1957, the definition of literary work consists of a database having an original compilation of different sorts of Data. This ensures the protection of databases even if there is a minute degree of creativity involved in their creation. The Report concludes that sharing of HVDs doesn’t violate database copyright as it merely has the involvement of labour in collecting and storing data, and the fields of such data storage are pre-set, making it raw data. However, the Report fails to recognise that a subset of a data base does not necessarily constitute raw data and, in fact,  may itself be an original compilation made from other data present in the database. The same has been affirmed in Article 10(2) of the TRIPS Agreement, which gives that while providing copyright protection to a compilation of data, similar protection is to be provided to any material or data within such compilation, individually. Many data businesses thrive on data collected in such databases and are the sole decision-makers regarding the number of subsets such data would be sorted into and how. The compilation created in the form of such subsets provides competitive advantages and is the intellectual property of the companies that have database design copyright protection accorded to them.

Additionally, the Act provides for compulsory licensing to prevent the creation of a monopoly by the owners in case of a market crash. The Intellectual Property Appellate Board (IPAB) is vested with the powers to grant compulsory licenses after considering the relevant facts of each case, separately. Such methodology ensures that such licenses are granted only in case of absolute necessity. If any of the parties is not satisfied by IPAB’s decision, such party has the option to appeal to a High Court or to the Supreme Court. Even though there is a need to fine-tune a few of these provisions, in cases involving data, such a mechanism under the Act seems to be better than the approach recommended in the report which does not provide for any such options.

Conclusion

The Report emphasizes the fact that the Indian Penal Code or any other legislation in India does not provide any IPR protection for collected data as the combinations of such data are not recognised as property and, consequently, any violation shall not amount to a ‘crime against property’. However, the Supreme Court had a contradictory opinion, wherein it observed that Intellectual Property Rights fall under the ambit of the fundamental right to freedom of trade enshrined in Article 19(1)(g). Moreover, the Report has yet again overlooked the liability of third parties for the violation of IPRs of the data proprietors who may, in turn, gain wrongfully from such data breach. Hence, it is concluded that the revised Report too, has fallen short of providing appropriate protection for proprietors over their compiled data.

Further, the Report also lacks in clearly defining HVDs and the sovereign and public good purposes for their mandatory sharing. If the Committee fails in propounding a clear demarcation for these purposes and setting up a scrutiny process for fair data requests, it is more likely to create even bigger problems than those it has fixed. It is also pertinent to note that this is not the first time where a government document has discussed about sharing data for the public good. The European Union’s Data Governance Act also makes similar recommendations, albeit, while keeping compliance with the framework voluntary on the part of the data provider. The instant Report does not provide any opportunity to the data proprietor to decide and grant excessive powers to data trustees, including any non-profit organisations. Moreover, the Report does not mention the objective of such absolute powers or even consider the expected abuse of these powers to gain a competitive advantage or to violate a citizen’s fundamental rights. Thus, there lies an urgent need to revise power allocation for the sharing of data and to prevent the accumulation of market power with data holding corporate houses.