The Ministry of Electronics and Information Technology on July 12, 2020 released recommendations on regulation of non-personal data (“NPD Framework” or “Recommendations”). The draft report released by the Committee Experts on Non-Personal Data Governance Framework, (“Committee”) suggests a separate legislation for the management of non-personal data. Non-personal data, as distinguished from personal data is data that is not related to an identified or identifiable natural person or is personal data that has been anonymized. The draft report creates three classes of data upon which different rights and obligations will subsist. These include:
- Public Non-Personal Data- data collected or generated by the governments
- Private Non-Personal Data – collected or produced by private persons and entities
- Community Non-Personal Data – data about any group of people that have common interests or identities (Chapter 4)
The draft report builds on the foundation of the principle that data generates value and creates data economies that seek to exploit this value. It encourages regulation of data with a focus on dominant players in the digital world that mine data on a large scale and create market imbalances. Correcting this imbalance then requires creating a data sharing network where non-personal data is available to all interest parties to use for public service, innovation and economic benefits. The Committee while recognizing the public interest of sharing non-personal data, also acknowledges the potential harms of privacy violations in case the data is un-anonymized, as well as safety concerns of improper handling of collective data of stigmatized communities (Chapter 3). One harm however, that the committee does not take account of in its suggestions for the creation of a data-sharing network is the rights of database creators. The mandatory sharing of some classes of non-private data makes scope for compensation. However, database creators do have database protection rights that should prevent such expropriation.
In this essay, we explore the implications of recommendations regarding mandatory sharing of databases in the draft report considering the database protection regime in India. In Part I, we explain and analyze the recommendations of the committee which regulate and mandate compulsory sharing of databases. We explore the existing database protection regime in India examining applicable domestic legislation, which are the Copyright Act and the Information Technology Act. We find that there is limited database protection in India against mandatory sharing, which is for original databases through intellectual property rights. In Part II, we explore whether the mandatory sharing of such protected databases should be allowed considering the protections Agreement on Trade-Related Aspects of Intellectual Property Rights. We argue that the mandatory sharing of databases under the NPD framework needs to be reconsidered in light of our analysis of applicable domestic and international law. We further make a case for sui-generis database protection rights in India, which will allow both economic incentive and growth in terms of database creation and research and development through database sharing. In view of the recommendations for a non-personal data law, it is necessary that we recognize the competing interests in the database economy and through limited database protection rights and defined categories for mandatory sharing, to truly get the most out of the potential of databases.
Mandatory Sharing of Databases in the NPD Recommendations
Data sharing mechanisms are suggested by the Committee for controlled access to non-personal data by individuals and organizations under a legal framework. This would be for specific purposes and with appropriate safeguards. These purposes are defined to include a ‘sovereign’ purpose, which is connected to national security and legal purposes, a ‘core public interest’ where it is used for community benefits, ‘public policy and innovation’ and, an ‘economic’ purpose which would be for fair and competitive market conditions. (Chapter 7) The mechanism for data sharing will be created and managed by the Non-Personal Data Authority, which is the data regulator for Non-Personal Data in the draft report. (Chapter 8)
In order to open certain sectors with dominant players or for public interest, under the Committee recommendations, mandatory data sharing is required. This is only for private non-personal data possesses raw/factual data pertaining to a community. In case of private non-personal data, the draft report has created distinctions based on value-added to the database. Raw/factual data related to a community needs to be shared at no renumeration. Non-trivial value-adding will be mandated to be shared on FRAND based remuneration. Subsequent value-adding in databases will have be sold in a regulated market where market forces determine the price. A very high level of value- added in a database is the only kind of database that doesn’t have to be mandatorily sold, and the private entity collecting has the freedom of economic privilege with that data. (Chapter 7)
For community non-personal data that is being shared, the Data Trustee oversees implementation of safeguards. The Data Trustee exercises data rights of communities or data principal groups on their behalf- unlike personal data, since data principals cannot directly exercise control over community data, the Data Trustees exercise it on their behalf. In case of public non-personal data, the draft report does not put any mandate as such on the government. There is only an encouragement to improve on existing Open Government Data Initiatives to ensure availability of Public Non-Personal Data. (Chapter 4, 7)
As is patently clear, the fulfilment of a purpose requirement for the mandatory sharing of databases does not provide any buffer to database creators as these are very vague and all encompassing. The safeguards provided are also quite dubious, given that Data Trustees are either corresponding government entities or a community body. These will be the closest and most appropriate representative body for the community concerned. The safeguards provided then are by state bodies, who are to prevent misuse of community non-personal data by other state bodies. The community involvement and ownership of such data through these representatives remains an open question.
Further, the recommendations allow governments and data trustee to directly access “important community data” from private entities and the placing of such data in data infrastructure and data trusts for availability to “relevant parties”. This is particularly concerning because of the historical issues with safety of information in government infrastructure. While the risks of anonymized and non-personal data are not as much as that of personal data, the risk of un-anonymization of this data and misuse of this data to target certain communities are important to consider.
While private data that doesn’t have a very high level of added value is the only kind of database that does not have to mandatorily be shared, there is no such mandatory sharing for public non personal databases created by the government. This is further complicated by the fact that the distinction of “value-add” is again vague and the protection given to “very high level of value-add” can very easily be nullified. While algorithms and proprietary information have been specifically removed from the data-sharing mechanism, the mandatory data sharing of databases created by private entities with little to no safeguards or qualifications brings up questions of expropriation of intellectual property rights of database creators. For this, we will first answer the question of whether database creators have intellectual property rights in the Indian legal framework.
Database Protection Regime under Indian Law
Database Protection under the IT Act
The database protection granted under Section 43 of the Information Technology Act (“IT Act”) is very narrow and grants protection against copying or theft of databases without consent. Section 65 of the Information Technology Act broadly provides against tampering of computer source documents. Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 imposes a restriction on accessing data without the prior permission of the information provider.
The IT Act houses a non-obstante clause in Section 81, which allows the provisions of the IT Act to have an overriding effect with any inconsistent provision with other law in force. However, if the mandatory sharing of databases is done under by the state under the NPD framework, the laws under the IT Act will not save database creators, as this would not constitute theft, copying or tampering. The database protection right in India in the IT Act will not apply to the mandatory sharing mechanism under the NPD framework.
Database Protection under the Copyright Act
The Indian Copyright Law is The Copyright Act, 1957 (“Copyright Act”). For copyright to subsist in a work, it must fall under the categories listed out in the sub-clauses of Section 13. Sub clause (a) of the Section 13 covers “original literary works”. Section 2(o) of the Copyright Act brings in “computer programmes, tables and compilations including computer databases” under the ambit of literary works. However, Section 13(1), is qualified by the word “original”. Thus, the originality of these computer databases would be a criterion in granting copyright. However, the term originality has not been defined under the Copyright Act and has undergone significant changes in its interpretation over the years.
Pre- EBC v DB Modak
In 2005, the Delhi High Court in Himalaya Drug Company v. Sumit found a copyright to subsist in a database of Herbs selected and maintained by the plaintiffs as it had expended “considerable time, labour, skill and money in preparing this data base”. Later in 2006, the Delhi High Court in Burlington Home Shopping Pvt. Ltd. v. Rajnish Chibber found that copyright existed in the plaintiff’s database containing email addresses on which the plaintiff ran their Mail order business. The court found copyright to subsist in the database as it was “developed by any one by devoting time, money labour and skill though the sources may be commonly situated”.(Para 12) Commonly, known as the “sweat of the brow” doctrine, the court recognized originality to persist in a work based on the “money, skill, labor and capital invested in creating the work. However, this doctrine is no longer recognized in understanding “originality”.
EBC v DB Modak
The term “originality” underwent substantial revision in the 2007 Supreme Court case of EBC v. D.B. Modak. The plaintiffs here maintained and owned the SCC database, and the respondents had in their own CD-ROMs replicated the entire database verbatim and sold it commercially. The court here did not find a copyright in the EBC’s database of the Supreme Court Cases. The court held that a copyright cannot be granted because there is skill and labor involved in creating the work and a minimum level of creativity would be required. (Para 59)
Applying the “minimum level of creativity test”, the court held that copyright subsisted in works like segregating the case into para numbers, indicating the position of the judges such as concurring, dissenting as it would require knowledge, skill and sound judgement which had a flavor of a minimum level of creativity. (Para 41) This would be in addition to the High Court judgement holding that head notes would also be protected. However, mere addition of cross citations given in the original text, names of cases, margin headings to quoted extracts from statute/rules when they are missing from the original judgement, capitalization and italicization did not have a copyright in them as they did not meet the minimum level of creativity. (Para 39)
The court found that copyright subsists only in some modifications to the original text of the judgements made by EBC. These indicates a threshold of a minimum level of creativity. The effect of this ruling is that all databases would not be copyrightable. The amount of skill and labor involved in creating them and a minimum level of creativity is required before copyright can be recognized in the work.
It is pertinent to note that due to the originality test under Indian copyright law, databases get classified into original and unoriginal databases. Compilations of data by themselves are not protected, neither is the data within these databases unless there is proof of originality. Only original databases are protected under Indian copyright law.
There is a compulsory licensing regime under Section 31 the Copyright Act for copyrighted works that are restricted from the public. However, neither will the copyright protection save database creators from mandatory sharing of databases, nor will such a mechanism have to comply with Section 31 of the Copyright Act. The NPD Recommendations when made into law will constitute lex speciallis, and will arguably override the provisions of the Copyright Act. The NPD framework, by mandating the sharing of all kinds of non-private databases, whether original or unoriginal effectively nullifies the existing copyright given to databases. This in addition to severely harming database creators, also infringes provisions of the TRIPs.
In Part II of the essay, we analyze the applicability and effect of NPD Recommendations to the requirements under the TRIPs. Having analyzed of intellectual property ramifications of the NPD Recommendations under both domestic and international law, we argue that the NPD Recommendations ignores internationally recognized database rights. India should consider, like the EU and USA, enacting a limited sui-generis database protection regime. A re-working of the NPD Recommendations which balances concerns of intellectual property and competition is crucial for achieving the goal of economic and social development.
The authors would like to express their gratitude to Professor Ishupal Singh Kang for his continued guidance and support for the respective piece.
Part II of the essay can be found here.