INTA Comments on India’s Data Accessibility and Use Policy

Published: April 20, 2022

Purnima Thacker, Mulla & Mulla & Craigie Blunt & Caroe, Mumbai, India; Data Protection Committee

INTA has weighed in on personal data policy in India for the first time, through comments submitted to the Ministry of Electronics and Information Technology on March 16, 2022.

The Government of India continues to take significant steps toward formulating a data governance framework. Several pieces of legislation and policies are underway in India, including the Personal Data Protection Bill 2019 (PDP Bill). In December 2021, a joint parliamentary committee that reviewed the PDP Bill presented, but tabled its report before both Houses of the Indian Parliament. As a result, debate continues on the PDP Bill.

At the time of writing this article in early April, media reports suggested that the government is considering a new data governance policy framework following critical comments from stakeholders on its Draft India Data Accessibility & Use Policy 2022. Released in February by the Ministry of Electronics and Information Technology, the policy primarily concerned the management of non-personal data and proposed a data sharing mechanism that would permit the government to license and sell public data to the private sector.

According to INTA, a balanced data access policy is pertinent to brand owners both in India and globally to create a business-friendly environment, without compromising sound consumer data privacy principles. To this end, the Association submitted comments on the policy, highlighting aspects of concern and requesting the inclusion of specific actions to bolster protection of intellectual property (IP).

Key comments include:

Personally identifiable data. Access to accurate data is essential for timely enforcement actions. Oftentimes, critical data includes the personal data of both natural and juristic persons. Data not belonging to a natural person, as well as data that identifies juristic persons, like entities conducting online businesses through registered domain names included in domain name databases or other databases, is not personally identifiable data. This data must therefore be freely processed and published to protect consumers and assist rights holders and law enforcement agencies in legitimate commercial investigations. Expeditious access to such data should be granted when it is reasonably demonstrated that it is intended for enforcement actions.

Patently false or fictitious data is also not personally identifiable data. This data being freely processed and published will protect consumers and assist rights holders in legitimate investigatory and enforcement actions. A mechanism to instill verification and validation principles is important so data is both subjectively accurate to the data subject and objectively accurate to the rest of the world.

Licensing and sharing. The policy is intended to “harness public sector data for catalyzing large scale social transformation” and would make all non-personal data in possession of the government available for licensing and sharing unless it is categorized as non-shareable. INTA’s standpoint is that the power to prepare and implement such a policy should flow from legislation that governs data protection prior to passing a policy governing its licensing. Currently, no legislation sets any limitations on the kind of data that may be collected or which kinds of data cannot be converted into non-personal datasets. The introduction of the policy, in the absence of legislation governing data protection, results in individuals/citizens being left without remedy in case of data misuse and thereby violates privacy rights.

Personal data. The policy is applicable not only to “all non-personal data,” but also to “information created/generated/collected/archived by the Government of India directly or through authorized agencies by various Ministries/Departments/Organizations/Agencies and Autonomous bodies.” Potentially, this brings even personal data within its ambit, while the rest of the policy refers only to non-personal data. Effectively, the sharing of data, such as health data and data collected for issuance of Aadhaar, the national identification numbers, and PAN, the tax account numbers, could be in the purview of the policy. INTA has highlighted the potential unintended consequences for the licensing and the processing of such data for business.

State government discretion. The policy gives state governments the discretion to adopt provisions “as applicable.” INTA noted that the potential for states to respond in varied manners leaves room for discrepancy as to the limitation of the power vested, while the restrictions in terms of sharing or acquiring non-personal data are not specifically identified.

Access to non-personal data. The policy allows “stakeholders including researchers, start-ups, enterprises, individuals and government departments” to access non-personal data available with the government. While such data may be used to promote innovation, it is imperative to have clear guidelines as to what is acceptable and unacceptable including ethical guidelines for such uses, according to INTA.

Close consideration of the aspects raised, when drafting a new data governance and privacy framework, could facilitate trademark enforcement and brand owner compliance while achieving the balance for a robust consumer protection milieu.

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest. 

© 2022 International Trademark Association