India: Liberalisation of maps and geospatial data in India: Highlights and concerns
The Government of India, through the Department of Science and Technology ('DST'), recently issued its 'Guidelines for acquiring and producing geospatial data and geospatial data services including Maps' ('the Guidelines') which apply to all geospatial data1, maps2, and other products and services offered by government bodies, individuals, and private organisations. In what is a highly significant step forward in regulating maps in India, the Government has considerably liberalised the collection, use, and processing of geospatial data. Aniruddha Majumdar, Aaron Kamath, and Huzefa Tavawalla, from Nishith Desai Associates, provide some context on the earlier regulations and look at the liberalisation of geospatial data under the Guidelines, alongside the impact of the restrictions it imposes on certain types of data and entities.
The use cases of geospatial data in the digital era are virtually infinite. From navigation and cab aggregators to fitness tracking and smart cars, maps and associated data form an integral part of digital, as well as other sectors at numerous stages. Despite this, in India the earlier regime on maps was not particularly enabling.
Prior to the Guidelines, there were numerous notifications and guidelines issued by various ministries/departments of the Government, including the Ministry of Defence, Survey of India ('SOI'), the Ministry of Finance, and the Ministry of External Affairs regulating mapping data, most of which were either unclear or archaic, or both. The prevalence and nature of digitised map data was largely ignored under all these provisions, and many stakeholders who sought to comply would have been practically unable to do so.
In this context, one would perhaps appreciate the Guidelines better. The Government expressly recognises the futility of regulating something which is readily available and, therefore, has completely turned the regime around. Under the Guidelines, unless there are express provisions to that effect, there is no restriction, or requirement of any approval, clearance, license, etc. on the 'collection, generation, preparation, dissemination, storage, publication, updating and/or digitisation of Geospatial Data and Maps within the territory of India3.' Further, the Guidelines also state that all previous office memoranda, instructions, etc., issued by any department of the Government to the extent they have provisions contrary to the Guidelines stand superseded, and that the Guidelines would be the single point of reference on the subject.
Not only this, but the Guidelines also require SOI to simplify and modernise their procedures for sharing maps, and to abolish the various forms of licenses that existed in the prior regime. However, for political maps of India, SOI-issued maps and their boundary data will be used as standards, and will be freely accessible. It is amply clear, therefore, that the Guidelines have streamlined and simplified the laws applicable to the processing of geospatial data to a considerable extent.
The Guidelines state that the DST will issue a negative list of attributes that the acquisition and use of which shall be regulated. However, it is proposed that the restrictions under this list will be minimised and it will contain only sensitive attributes.
Further, the Guidelines place certain restrictions on the creation, owning, and processing of certain geospatial data, most of which are imposed on entities which are not Indian Entities4 ('Foreign Entities'). This is achieved by first categorising geospatial data on the basis of certain threshold values5 beyond which restrictions are applicable.
Restriction on finer data
While Indian Entities are permitted to create, own, share, and otherwise process data, including data finer than the threshold values ('Finer Data'), such data must be stored and processed on Indian clouds or on servers physically located in Indian territory. Foreign Entities cannot create and/or own such data and are only permitted to license such data from Indian Entities, and only for the purposes of serving their customers in India. Not only this, but the sharing of data should be such that it is available only through APIs and does not pass through the Foreign Entity or its servers. Prima facie, this appears to be a rather cumbersome requirement with little clarity on whether implementation would be practical. Since the exact intent behind this provision is not clear, it is difficult to assess what is ultimately meant by 'pass through.'
Restrictions on certain surveys
Foreign Entities are also restricted from conducting 'Terrestrial Mobile Mapping survey, Street View survey and surveying in Indian territorial waters,' regardless of the accuracy of such data. Again, what activities precisely amount to surveying has not been specified. A survey could refer to a dedicated exercise of collecting geospatial data, or if interpreted broadly, it would include even incidental collection of such data. If the Guidelines were meant to cover the latter, this provision could single-handedly undo the liberalisation undertaken through the Guidelines.
Impact of the restrictions on Finer Data and surveys
Numerous businesses collect real-time mapping data either through their apps (such as food delivery apps and fitness trackers), or through other instruments (such as those integrated into so-called smart cars). Further, multiple car manufacturers and technology service providers are in the process of launching smart and/or autonomous vehicles. The navigation system built into such vehicles forms a crucial component and requires enormous amounts of geospatial data in order to be developed and to function. Since the geospatial data collected is unique to each country in which these vehicles operate, the physical deployment of smart and autonomous vehicles in India is a necessary precursor for them to function in the Indian market. Such geospatial data could be collected through various components, including dedicated sensors, radars, and cameras, which could all be manufactured and operated by Foreign Entities. If Finer Data is being collected, each component manufacturer, the car manufacturer, the entities providing data aggregation and analytics, would all require to comply with the entity localisation/ownership requirements. Otherwise, the Finer Data cannot 'pass through' the entities or their servers. This could be an impediment for Indian Entities which are heavily dependent on availing services from Foreign Entities both based in India and outside. Further, this could also disincentivise investments into India by Foreign Entities into all sectors which involve the collection and/or processing of Finer Data.
Similarly, if data collected by a smartphone which is being carried in a vehicle is included within the scope of 'Terrestrial Mobile Mapping Survey,' all businesses which rely on location data to provide relevant services (including those which operate apps on cab-hailing, internet search, local news, restaurant aggregators, and even music streaming), would either have to ensure that they convert into Indian Entities, or shut shop. Nevertheless, given that whatever is not restricted specifically is permitted, one could take the view that Foreign Entities could potentially buy such data from Indian Entities and use it subsequently, given that only surveys are restricted and not the ownership, sharing or other uses of such data. Again, in the absence of specific statement of intent, this would require further clarity from the DST and/or other relevant Government authorities.
Yet another concern with the Guidelines is its silence regarding its retrospective applicability, especially in relation to data which has been obtained through the relevant approvals and clearances under the prior regime. If such data includes Finer Data, it is unclear if it is permitted for a Foreign Entity to continue usage of such Finer Data basis past approvals.
Under the Guidelines, there is no data which requires clearance from any Government authority except the negative list of attributes. While the intent under the Guidelines seems to be that Foreign Entities would have to comply with the restrictions on Finer Data, since these entities would have already received security clearances in the past, the validity of such clearances should continue. However, this position is unclear and would require further clarification from the relevant Government authorities.
Concerns regarding data protection laws
Foreign and Indian Entities alike would also be subject to the Indian laws regarding collection and processing of personal data. Currently, data protections laws are largely restricted to regulations on sensitive personal data and information6. However, a more comprehensive law on personal data protection has been proposed before the Indian Parliament7, and developments in this space would determine compliance requirements for such collection of personal data. For example, if an autonomous vehicle captures images or collects data about drivers and/or passengers in nearby vehicles, depending on the nature and processing of data, such data may be considered to be personal data under the proposed law, and hence could trigger compliance requirements. These requirements could include obtaining prior consent and notifying such person regarding the collection and processing of data, which would be impractical for data being collected incidentally through autonomous vehicles or other forms of technology. Therefore, the final legislation on personal data protection could have a significant impact on the geospatial data sector.
The Government of India has also constituted a committee of experts to provide its recommendations on the governance of non-personal data ('NPD'). A draft report of the committee, inter alia, deals with various types of NPD that may be collected, the nature of public and private rights therein, and even proposes data sharing between public and private entities, which is mandatory in certain cases. The report also categorises businesses that collect data and meet certain thresholds as 'Data Businesses' which may be required to register with the relevant authority, and also recognises categories of data as 'High Value Datasets.' Given that the law would deal with all kinds of NPD, the collection and processing of geospatial data could also be under the purview of the final framework on NPD, and the impact of such a framework would have to be evaluated further.
Collection of geospatial data by both private and government entities is not free of concerns. There are various threats, including on the privacy of individuals along with national security concerns. Tracking a person's movements on a daily basis can not only identify the person but also expose their entire diary for the day, for all days through the year, and this is just one of the numerous realities that widespread collection of location data throws up. Therefore, the case for regulating such data cannot be denied. On the other hand, the number of services today that depend on geospatial data as an essential raw material clearly reflects the growth and demand of this sector. Hence, there is an increasing need to balance both sides of the coin, and the Government has expressly recognised this in the Guidelines.
Though the Guidelines largely liberalise the regime on map and geospatial data, they still contain certain restrictions which could restrict the potential of this space from being fully realised. Notably, there was no consultation process which was undertaken before the issuance of the Guidelines, and this is perhaps one of the reasons behind the multiple ambiguities which continue to exist. Until further clarifications come, some stakeholders would tread with caution, however, overall there is fair reason for one to have a positive outlook towards the introduction of this new law.
Aniruddha Majumdar Member of the Disruptive Technologies Practice Group
Aaron Kamath Leader of the Technology Law and Regulatory Practice Group
Huzefa Tavawalla Head of the Disruptive Technologies Practice Group and Bangalore Office
Nishith Desai Associates, Bangalore
1. 'Geospatial data' has been defined as, 'Positional data with or without attribute data tagged, whether in the form of images, videos, vector, voxel and/or raster datasets or any other type of geospatial dataset in digitised or non-digitised form or web-services;' 'Positional data' has been defined as, 'Latitude, longitude and elevation/depth of a point or its x, y & z co-ordinates in the territory of the Republic of India;' and 'Attribute data' has been defined as, 'Any data that when associated with Positional Data gives any additional meaning to it.'
2. 'Map' has been defined as, 'Symbolic representation of real-world objects, regions or themes on a given scale which was generally published in paper form but now also available as web-map-service.'
3. Paragraph 8(ii)(1) of the Guidelines.
4. Paragraph 7(f) of the Guidelines defines an 'Indian Entity' as 'Any Indian citizen, Government entities, Societies registered under applicable statutes, statutory bodies, Autonomous Institutions of the Government, or any Indian company or Indian LLP owned by resident Indian citizens or any Indian company or Indian LLP controlled by resident Indian citizens (as defined in the Explanation to Rule 23 of the Foreign Exchange Management (Non-Debt Instrument) Rules, 2019).' As a corollary, Foreign Entities would include Indian companies which are not owned and controlled by resident Indian citizens. However, the definition of Indian Entity does not expressly exclude branch offices and liaison offices and this would need to be evaluated further.
5. Paragraph 8(iv)(a) of the Guidelines provide for the following threshold values:
- 'On-site spatial accuracy shall be one meter for horizontal or Planimetry and three meters for vertical or Elevation.
- Gravity anomaly shall be 1 milli-gal.
- Vertical accuracy of Bathymetric data in Territorial Waters shall be 10 meters for up to 500 meters from the shore-line and 100 meters beyond that.'
While the threshold values above relate to three aspects (i.e. spatial, bathymetric and gravity anomaly), numerous provisions in the Guidelines only make references to spatial accuracy. However, we have assumed for the purposes of this article that all references to accuracy, value, spatial accuracy, etc. refer to all threshold values but this assumption will need to be evaluated further, inter alia based on future clarifications from the DST, if any.
6. Sensitive and personal data or information is governed by the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('SPDI Rules').
7. An analysis of the latest publicly available draft of the proposed law is available at: http://www.nishithdesai.com/fileadmin/user_upload/pdfs/Research_Papers/Privacy-and-Data-India_s-Turn-to-Bat-on-the-World-Stage.pdf