[This post has been authored by Varsha Rajesh, a final year law student at School of Law, Christ University, Bangalore.]
In February 2021, the Department of Science and Technology of the Government of India issued the Guidelines for acquiring and producing geospatial data and geospatial data services including Maps which applies to entities collecting geospatial data, mapping and other allied products and services which are offered by the Government and privately-owned bodies.
These guidelines deregulate the mechanism of geospatial data collection by removing the existing multi-layered licensing procedures applicable to private entities. Under these Guidelines, the Government has recognised the significance of geospatial data in the modern digital ecosystem having a great impact on economic, social and environmental growth, therefore necessitating the ease of acquisition of such data.
Previously, the geospatial mapping and data was regulated under various policies and notifications issued by the Survey of India (“SOI”), Ministry of Finance (“MoF”), Ministry of Defence (“MoD”). These include the National Map Policy in 2005, instructions in relation to preparation and publication of maps and the Geospatial Information Regulation Bill 2016 which failed to materialise. These failed to actively recognise the trends in technology and ease the procedure for acquisition of data for innovation. Hence, the new Guidelines have been introduced to actively promote advances in mapping technologies such as LIDAR, RADAR Interferometry, satellite-based remote sensing, mobile phone sensors and other techniques.
What do the 2021 Guidelines encompass?
These new guidelines have been issued under the National Map Policy 2005, which happens to be the source of mapping guidelines in India. In addition to inculcating emerging trends in technology, it also recognises the role geospatial data plays in India’s emerging economy.
It defines geospatial data as location information are data about the natural or man-made, physical or imaginary features whether above the ground or below, boundaries, points of interest, natural phenomena, mobility data, weather patterns, statistical information, etc.
The main objective of the Guidelines is to deregulate and cater to modern technology powered location services. India is heavily reliant on foreign resources for mapping technologies and services. Therefore, liberalisation of the mapping industry and democratization of existing datasets will spur domestic innovation and enable Indian companies to compete in the global mapping ecosystem by leveraging modern geospatial technologies. This is directly reflective of the aim of the Atmanirbhar Bharat Programme, under which the Guidelines have been introduced.
In pursuance of this, it encourages the collaboration between the Government and private parties to work towards open-linked Geospatial Data and also the freedom to export geospatial data subject to minimal restrictions.
To promote this objective, the new Guidelines have set aside the obsolete licensing requirements and simplified the procedure. All Indian entities have been provided a free hand to collect and process the data. While other entities which are not Indian owned or foreign owned and controlled are “restricted entities” which must obtain a license to serve Indian consumers.
Additionally, a list of negative attributes will be released under the Guidelines which would be subject to regulation or a higher threshold for acquisition. It also proposes the formation of Geospatial Data Promotion and Development Committee to look into these aspects.
Geospatial Data and Data Privacy
The new Guidelines introduce a new concept of “mobility data” in India in the absence of a national law tailored to be applicable to digital aggregators. As of today, there is no certain definition of mobility data across jurisdictions, however, it has been attempted to be defined by the National Association of City Transportation Officials (“NACTO”) and International Municipal Lawyers Association (“IMLA”) as information generated by activity, events, or transactions using digitally-enabled mobility devices or services. This data is frequently recorded as a series of points with latitude and longitude collected at regular intervals by devices such as smartphones, shared micro mobility vehicles (shared bikes, e-bikes, scooters etc), on-board vehicle computers, or app-based navigation systems (e.g. Waze, Google Maps etc).
European Directive 2002/58/EC, in which Article 2(c) defines “location data” as “any data processed in an electronic communication network indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications services.” The General Data Protection Regulation (“GDPR”) also includes location data as a form of personal data.
In India, the closest the laws have come to regulating this aspect is by bringing vehicular aggregators under its purview. According to Motor Vehicle (Amendment) Act, 2019, vehicular aggregators are digital intermediary or market place for a passenger to connect with a driver for the purpose of transportation. However, the law remained oblivious of aspects of data classification and collection. These new Guidelines shed light on this aspect however, does not entirely consolidate data privacy and protection of mobility data, which is presently rampantly collected across different forms of digital applications in addition to vehicular aggregators.
In the absence of a general data protection law providing for privacy and protection of personal data, it becomes important to examine the privacy of users in the advent of geospatial data deregulation. From an industry standpoint, the deregulation is welcome since it forgoes the cumbersome licensing procedures, however, the absence of which may create an invasion of individual privacy since accountability and a comprehensive list of such data collectors and processors will not be maintained.
Location data is not protected under the existing data protection regime which is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act 2000. However, it can be considered to be personal data as per the Personal Data Protection Bill, 2019 (“PDPB”) since mobility data can be attributable to the identity of a person. If the Bill is passed in the near future, then geospatial data will be adequately regulated, however, in the midst it continues to remain unregulated and the lawful basis of collection, storage and processing such data remains obscure since the Guidelines and the National Map Policy have not been implemented under a definite legislation. Hence, jurisprudentially, it may be considered as having no proper legal backing.
Even if the PDPB were to be prospectively enacted, the validity of the Guidelines remains to be seen owing to inconsistencies. For instance, Clauses 12 and 13 of the Bill discuss necessary grounds of processing data. This provides a higher threshold than the free hand provided to the Government and Indian Entities under Clause 8(ii) of the Geospatial Guidelines. Since the object of both laws are different however, the Bill having an overarching consequence, it is likely that the leniency under the Guidelines may be curbed once the latter is enacted. Furthermore, in terms of geospatial data privacy and the PDPB there are several other considerations which must be taken into account including obligations and restrictions of processing, rights of data principle, consent etc. which has been excluded from the ambit of the Guidelines.
The importance of protection of geospatial data was colossally realised during Strava’s global heatmap incident which revealed the location of military bases in remote locations. Although this unravelled the security risks of geospatial data posed to Governments and strategic operations, the same could be said about individual privacy. Furthermore, collection of individual data from several sources may enable the creation of patterns and data profiling which can be misused or used for profit without direct consent of a data principle.
Another concern regarding this is the property rights of individuals over their mobility data. It is widely accepted based on the ratio of Justice K.S Puttaswamy v. Union of India that personal data of a person is the owned by the person. although it is arguable that the data processor applies requisite skill and labour to collect, process and disseminate such personal data into meaningful databases, they cannot make a rightful claim on such data because the data protection regimes across jurisdictions including the PDPB is clear on the individual having the first claim on their personal data. Hence, when the Geospatial Guidelines provide the right to freely sell and export such data it become pertinent to examine the distribution of rights from personal data property rights standpoint. Therefore, in the future the application of the Guidelines may witness a significant interplay between intellectual property and data protection laws.
In the age of digitization, it is important to adopt a holistic approach to every industry application and its implications on data protection. Geospatial applications are no longer restricted to mapping activities and delineation of restricted areas, there are several modern ramifications with the introduction of technologies and stringent data protection regimes which favour individuals. Hence, while the de-regulation is welcome and will benefit consumers, it also becomes equally important to fortify the legal regime and align it with the PDPB or any other prospective data protection laws to ensure balance of rights.