 Hello to everyone. I'm Sochna. I'm a data scientist and an AI ethicist. In the past, I've been a fellow at the Berkman Klein Center. I've been a Mozilla fellow at Data & Society. And my research primarily focuses on auditing machine learning algorithms, auditing AI systems, auditing data practices, and also the responsible design of AI systems in the context of fairness, transparency, accountability, privacy, all of these things. So obviously as part of my work, I'm very interested in the regulatory landscape for all of these things across the world, you know, particularly the global south and how countries in the global south are grappling with these issues. So I know when Zainab asked me to join in, I think I was like, you know, like annotating, angrily annotating, I should say the draft version of the NDP bill. And yeah, we'll see how today's conversation goes. Yeah, Sochna, if you can also share your annotations in some of the comments and people are positively going because like Nishant was pointing out, so Nishant, please go ahead. No, I was just mentioning the same. We're getting all of us here with far more questions here around the same lines that at the end of it, I think we're going to leave with more questions to unknowns in that context. And that shared context also will help because I'm thinking of drafting a response. And some of them will be able to, yeah. Yeah, we'd have to collaborate on, you know, if you're thinking about drafting a formal response that we can submit, I'd love to collaborate on that. And then, you know, maybe I'll also just reach out to my network and see if anybody else would be interested in contributing as well. I think thankfully we have a little more time now that we have an extension until the 13th of September. So, yeah, yeah, I think one possibility, Sochna, is if there are more people like you than you all could put in one response. And then maybe Nishant could put in one, if there are more startup founders like him, they could put in one. I mean, I think we may also have to write one because I don't know what implications it'll have for us as Hasgeek. Anyway, okay, so Nishant, maybe just start first by just like, you know, what drew your attention and the questions you have. And then, yeah, and then we'll take it from there. Sure, absolutely. Hey, everyone. So just to set context, I'm an entrepreneur running a company which sort of works around data systems and the likes. And obviously, there's elements of insights, integrating data and sort of optimizing based on those insights, which is naturally why sort of this came under my radar and sort of started looking at it. Naturally, the crux of it right from the definitions of non personal data, I think the way they have defined as a C and again, please correct me along the way and just sort of summarizing my understanding and open questions. One is the public NPD itself, which they have defined, I think as public data with public authorities and governments, but there's no nature of sharing that has mentioned that as far as I noted. Then there is community NPD, and then there is private NPD, which also has a nature of compulsory sharing by government or voluntary sharing, which has an impact on economy by market rates. I think there are a bunch of open questions that I have. One is in the context of traditionally how I've looked at it and again, please correct along the way, is that this traditionally IP and then there is personal data privacy. Business insights that are generated over a period of time that a business operates in is been traditionally considered as IP. And I mean, as a founder or a startup, we look at growth and talking to investors and others. That is definitely one of the place where most of the things sort of stand out and they have to be built over a period of time. Like if data is the new oil, then most of these companies are refineries in that context, refining that oil in terms of crude oil, making sure it's actually usable and sort of iterating based on that. So that is one sort of large gambit. But the other specific one, I think the overarching sentiment that comes across through the document is the fact that it's intended to help startups in some way, which itself seems false from the ground realities in terms of how things play out. Because one is the economic value of the data itself. And naturally, the bigger the company, the more muscle they have to pull it off, but then there's a fairness of price in terms of can even startups afford it the other way around. And if there is a commoditization and democratized access to data, then what usage of data sort of purposes does it restrict to? That also is unclear. And from a technology standpoint, honestly, I have doubts on the whole anonymization bit itself. Like there's a amount and we all know it enough to understand that beyond a certain point of triangulation and correlation of the data across multiple sources is not really that hard beyond the point where you could be targeted in that context as a unique ID, though obviously it's faceless and English, but still being able to identify it as an identity that has a certain kind of behavior. The next aspect I have question thoughts around is more essentially in the context of software as a service providers or just cloud service providers. It mentions, I think, in one of the sections of technology reference architecture is that both cloud and data businesses agree contractually to comply with the terms of storage, et cetera, and sort of how it is exchanged. But again, beyond that, what does it mean? How does it get sort of affected is massively open-ended. Right from the fact that the qualification of the data business itself, I think is based on the limit of data. And if you think about open-ended question for all the others on the call is, would it cloud business in this context, which is actually just running solutions and sort of infrastructure for all others be considered in the software context as more data and rating business and what kind of data will it have to open up about the kind of workloads that their customers run? So yeah. And then again, three different perspectives, and as a user, myself, when we right now give consent to data, we can consent to data for my own and for the usage of that application. But even if it's aggregated, I think that's also a bigger discussion that needs to happen in that context is if all of that data is being actually anonymized and aggregated to a certain abstraction, have as users, we consented to it, honestly. And by the way, I'm not sure how many of you are aware, but I would just want to say that last year in July, Nithin Gadkari had announced in the parliament that they had sold off Vahan database for about at least 120 different companies at three crores of piece. And so a whole different angle in terms of was that even supposed to be done and in what context and does this apply in the way how it's going to sort of behave? But yeah. So more questions, no answers, a lot of terminologies, but the crux of it, I think three viewpoints that stand out for me in the context is as a user, myself, as a business processing some of the data and the impacts of it. And as a startup, fundamentally, the how it doesn't really help me in any way to actually be competitive, which the bill claims to be helping in the context. Okay, thanks, Nishant. I think these are fairly valid points. So, Advait, if you can make your points, then maybe we can open some of the others before Samir can go next. Advait, just for the benefit of others, maybe you should just reintroduce yourself. Hi, I'm Advait. I'm a reporter with Bloomberg Quint right now. And I've been a reporter for the past four years, obviously covering mainly finance, but I've been looking at fintech, data privacy, data security, at least related to the sector, although I'm, so I would say I'm kind of well versed with the larger issues, the macro issues concerning these things. So I went through the report again. And I think, like the speaker earlier said, there are more questions than answers. And there are some nuances to the report that I may miss out on. So apologies for that. So I think the first thing we need to want, the first issue that I find is that the section on ownership of data is a little bit confusing in that I think the expert committee itself confuses itself and it does not clearly spell out what are the rights that one could have over the data. So under GDPR, you have the right to be forgotten. This expert committee report does not mention that. So when you're asking for consent to take my data, then anonymize it, then put it as part of a larger aggregated database and then sending that data, do I have the right to be pulled out of that database that you're sharing? What are the redressal mechanisms? It doesn't mention redressal mechanism. The other part that was interesting, which the government keeps using the national security public purpose clause for everything. And here there's one line that says the government can notify any database as critical data. So tomorrow if a company does not want to share a certain set of variables, let's say that they've collected. Again, because if you look at payment companies, if we take the top four payment companies, phone pay, Amazon pay, Google pay, and ATM, they would all have very standardized financial data on their merchants and their consumers, but they would also have many other variables on top of that. So they could share the data that they wish to share. But if the government wants to notify certain types of variables that they want to be shared, then the company does not have any fallback to not share that data if the government notifies that. So coming back to ownership, when we're talking about personal, sorry, individual non personal data, whether data principle is you and me versus the community data, what in the financial context, what happens to government programs? So you've had this ECLGS scheme, which is a SME loan scheme that is announced as part of the COVID relief package. What happens under priority sector lending, Kisan credit card, PM Kisan, because technically the customer or the beneficiary of those programs is an individual and they are an individual getting the loans or let's say disbursement from a specific financial services player. Does it count as community data? Does it count as personal data? And when we're talking about the banks, the banks also do a lot of self-help group distribution. Now what I know from the fact is that not all self-help groups get the loans because when they look at the underlying individual borrower kind of credit quality in a self-help group, then sometimes self-help groups get denied. So that's sort of covering the macro points. I think the other sort of issues that I find, there's also a line that says that it's giving the power to the data trustees and data custodians to do value added services on top. So, let's say there is financial data or payments data, aggregated payments data, non-personal that is stored with five or six data trustees and one of these data trustees is not making enough revenue because his clientele is not the leading companies, they can start adding more stuff to it and sort of combining it with other databases that they may have to sell. So, the economic incentive is to sell, to onsell the data as a data trustee and a data custodian. So, I've been talking to fintech companies on how they currently collect data. So a lot of the data that you and I as individuals will have with the fintech company is sort of your transaction history and with the account aggregator system, what's going to happen is they can start pulling your bank statements, your GST data, your insurance, your mutual fund accounts provided you give consent because you want to buy another financial services product. So, when that happens, what ultimately the payment companies are collecting your personal and non-personal data together and when they want to target you with certain loan offers, let's say they are using that data to target you and that's how the ecosystem is currently functioning right now. The only reason why the ecosystem functions is not necessarily because of the technology, it's because of the analytics they're running. The technology side, everyone's got APIs, there are 100 startups out there that you can API function for this part of the value chain, API function for that part of the value chain. So ultimately, your analytics that you're running on your database is what making you distinguish yourself from your competitor. If that underlying data is shared whether in meta form, which my understanding is all companies after a certain critical size because they have to send in compliance reports to the non-personal data authority, if you attend a certain critical size, you will have to share metadata. So, does that violate the companies could possibly have a legal case to say that my data collection, like I said, beyond the basic financial variables, are you collecting more variables? These variables are very important to my business. This makes me differentiate my business from my competitor. Does that fall under the intellectual property rights? Again, the report mentioned intellectual property rights I think once or twice. So, it does not get into that. This is the last part on terms of curing databases. Now, if you had to comply with the Privacy Personal Data Protection Bill and with this sort of the guidelines in this report, you would naturally violate consent because you are, A, you've not taken consent when you collected the data so far in the last five, six years. B, when you're starting to cure them, who's going to cure them? How many engineers are you going to have to cure the database? By curing the database, you will eventually violate consent because you are going to, individual companies are going to determine what is non-personal, what's personal. Again, obviously names, addresses, those would be very, very distinct personal data would be easier to do it. But when we're talking about payment companies or fintech companies, especially SME loans, there's a lot more personal data that could easily be qualified as non-personal data as well. So, I think that those are all my points. The last point would be, if this has to apply to government entities, then does the RBI come underneath? Does the RBI need to comply with these reports or both these legislation guidelines because the RBI is building a public credit registry where it's pulling data from every other financial services player and including government entities like the GSTIN? So, does the RBI need to comply? Will the RBI be a data principle in that sense? Will the RBI also be a data custodian in that sense? Can I purchase RBI data? There's so many questions to ask, of course, but I think, fundamentally, there are certain flaws in the way you're trying to design, essentially, you're trying to design a market system for data purchasing. And as Sameer Nigam of PhonePay said last week, he said the problem is they cannot create a level playing field because the idea behind this report is to get some, you know, some IIT, IIM startup wants to buy Ola's data or Uber's data to create a better right sharing app. In all likelihood, if an IIT, if IIT IIM grad sitting in the dorm, create a better algorithm for ride hailing, Ola and Uber are more likely to be able to purchase their data than the startup gets more. So, and then against Ola and Uber, you're looking at big tech. What if, you know, 10 years from now when Google wants to deploy its auto cars, they will be able to purchase all your, you know, Unicorn data far better because if it's a question about price, then obviously, the guy with the biggest treasure trove will be able to purchase it. That's all my points. Hey, thanks, Adwet. This is quite insightful. Nishant, you have anything that you want to kind of cross communicate with what Adwet said? Because I think your concerns came from an entrepreneur and cloud provider, I mean, not that you are a cloud provider, but Adwet seems to be stressing a lot on fintech. So I don't know if there's anything that you want to respond to. Otherwise, I'll probably ask Suchena and then Prasanna. Oh, actually, there's Anubha also. So let me ask Anubha after Nishant, you have any response? I think those points are absolutely right. And some of those are cross cutting concerns across industry, especially as entrepreneurs and startups, I think what you mentioned in terms of the level playing field from an economic perspective is definitely a concern. Like, does it really help startups the way the document tries to highlight considerable doubts on that? Like, I also put in the document, by the way, not just from the economic value, but registering as a data business. What does it mean providing that regulatory overheads all of those? Right. Anubha, can I ask you to come in? I know that you had asked a bunch of questions about startups and whether they're looking at IPR. Maybe this is a good time to drop there in. Just before you start, I just wanted to put it on the record over here that I mean, by taking notes and all of that, if there's anybody has journalists who are in this room, it will be really nice if you could just cross check once with me. We'd prefer that you are you're welcome to kind of like, you know, use the notes from the session, but please don't quote without, I mean, don't attribute the quotes to individuals over here because they may not want to be attributed over here. So happy to help. But anyway, Anubha, please go on. Thanks, Zainab. No to that. And hello, everyone. I'm Anubha. I'm a researcher at the Center for Internet and Society. So I've been working on issues of copyright and patents for a while. And now with all the data governance debates, it's really interesting to see how there are sort of new regulatory structures and new legal structures and concepts being put out to basically regulate this intangible asset data. And the report is, I mean, I'm not sure what the report takes as its starting point. It doesn't do a good justification at all of, you know, and ignoring this sort of like IPR framework that already exists in terms of copyright, especially, I mean, in India, copyrightability of data sets is a right. And whether, you know, the standard of any average data set of copyrightability, you know, if it meets that criteria is a subjective question, you know, and the fact that the report does not sort of delve at all into this sort of an aspect, it does not clarify whether it's superseding this sort of regime that already exists. There are clear, you know, transactions and practices that startups engage in assuming that, you know, they can treat a certain data set as a piece of intellectual property. And then that, you know, it's excludable and it's, you know, a third party cannot just sort of come in and use it. There are mechanisms that already exist in copyright law to allow public interest use of such data sets provided it's sort of known to folks that it is published. And there are a lot of measures that could have been probably creatively sort of if not co-opted, at least sort of the ideas from, you know, existing like the regimes could have been taken to sort of include into this framework. So at the moment, unfortunately, I don't exactly follow how they're creating sort of new ideas and rights to economic for the economic exploitation of data, when voluntarily licensing and compulsory licensing are ideas that already exist in the law. So that's that's what I have been sort of pondering about. Thanks, Anubha. Suchina, is this a good time that you want to kind of jump in and then maybe we can ask Prasanna followed by Sameer who has a bunch of responses from a technical standpoint. Suchina, it might also help if you have any thoughts about like, you know, where this might lead to in terms of engineering and the cost of compliance is a fairly retricle question. But yeah, I mean, like in terms of re-engineering systems, etc. Anubha, I'm just sort of like trying to keep track over here. But yeah, feel free to like respond to Suchina, if you think at any point you want to like respond. And similarly to the others as well. I know some of you, I don't know some of you. So feel free to like raise your hand and, you know, chip in. Thanks a lot, Zainab. Yeah. So let me, you know, before I forget, kind of the whole bunch of like angry annotations that I was referring to, right? So first of all, I think one of my main concerns is how even though there are three crucial parties identified in this document, right, the data principle, the data custodian and the data trustee, the, you know, there are no ambiguous definitions or clarifications about who owes what whom, right? I'm just trying to like put it as kind of leaving out all of the legal jagged. Like what I'm trying to say is what obligations do data custodians and data trustees have towards data principles. So for instance, let's say, you know, consent should ideally be limited by purpose, right? So that people cannot repurpose data without my consent. So as a, as a data principle, if I gave my consent for a particular purpose, and then the data trustee who is kind of the steward of data for my community, decides to go ahead and repurpose it. Do they owe me, you know, a second chance at giving consent or withdrawing my consent? Do they owe me a notification at least? What happens if there are other data marketplaces that I want to participate in? And also this entire process of creation of a data trustee, right? Who is going to, who is going to consult the data principles on whose behalf these data trustee structures are being created? Whose job is that? You know, do we get to have a say in that? So sort of one set of concerns I had primarily revolved around, does anybody actually owe anything to the data principles here? Because to me, it looks like at this point, there's very little that's honestly owed or that there's very little accountability structure. It's all kind of carefully put off for the indefinite future that some legal frameworks, you know, will be eventually designed. Then the second set of concerns that I have are centered around the potential conflicts of interest between data custodians and data trustees. You know, so the document definitely talks about fiduciary responsibility, duty of care, all of these things for data trustees, which is great. But at the same time, it also actively encourages data trustees to monetize or value act to the data. So I think those two frankly cannot coexist. I mean, I find it very hard to imagine a situation that is completely free of conflict of interest if data trustees were to go ahead and try to monetize, because then they would be data custodians as well. And so then what is the distinction between a custodian and a trustee, right? So potential conflicts of interest around that. And then from a more, you know, from the perspective of startups, particularly, right, what happens, like what's a legal status of private data sharing agreements, or private sale of data, you know, it wasn't clear to me on the first pass on my first pass through the document, whether it's the government's intention to mediate every kind of data transaction or every kind of data sale or exchange through these structures that the government wants to create. Because obviously, if there are mutually beneficial data sharing agreements that private companies want to enter into, they should retain the right to do so, right? So that was a whole other can of worms in my opinion. And then, you know, so the other set of concerns really had to do with, let's see. Yeah, so, you know, the idea of humans in the loop for designing any of the accountability mechanisms for all of this, right? So I think I was particularly concerned about the basic premise that all of these legal contractual obligations can somehow be magically codified, provided somebody defines an adequate policy markup language, right? It's a grand goal to have, but we, you know, code is not going to solve lack of accountability code is only going to exacerbate it. So I think that was sort of the other whole set of concerns I had around, it's great to hear the stuff about a policy markup language, which will take care of like white listing or black listing exceptions as they arise. But at this point, I think humans are still way better at imagining edge cases or corner cases and finding ways to deal with them than, you know, the best design systems at this point. So that's a whole other set of accountability concerns that I have over there. I think that's pretty much it, but I'm pretty sure I've forgotten a couple of points and I'll probably add them to the talk later as they occur to me. And I'm very happy to hear questions or if, you know, something I said wasn't clear, like I'll be happy to amplify. Great. Thanks, Suchena. Let me do one thing, Venkat, why don't you go now and then I have a few specific questions for Prasanna before we take on Sameer. So Venkat, you want to go in and also feel free to respond to any of the other folks. Advait, if you want to chip in, feel free to raise hand and, you know, drop in a question. Yeah. So for the folks who are here and also introduce yourself. Yes. So I work for a company called Scribble Data and we are a data processor in this whole thing. And our interest is actually twofold. One is that all the people that you're talking about, both the data trustees and so on, they're all our customers. So the, our potential customers. So we are bang in the middle of all of this implementation aspects of all of these things that is our, you know, need or that is what is driving my presence here. And the other thing that is driving my presence is the fear. The people that, there are two entities that the government can go to ask for data. One is the custodians themselves or the data trustees. And then the other group of people who have access to all of that detailed data is all of us, right, data processors. So I, I mean, I'm losing sleep or some official calling me asking me for data of my client. And we typically have access to sensitive information because we are doing the data preparation for all of these folks. And so that is my worry. And I want to just respond to one thing that Sushna was talking about the data trustees and the custodians. Actually, there is not a lot of conflict of interest there. I mean, our, we ordered as scribble, we are already in conversations with intermediaries who are doing this like out aggregation data aggregation. And the reason the, there is no conflict of interest is that the reason these entities are emerging is because the banks and other individual custodians, they don't have visibility into multiple of these data sets because Paytm, for example, has only Paytm's data. It doesn't have phone-based data. So a third party has to mediate that. And the second reason seems to be in many cases, the custodians don't have the capacity. For example, a lot of the banks don't have that analytical capacity. So they have a symbiotic relationship with these account aggregators and intermediaries. So my suggestion here is that the market is already evolving. And the, this one combined with the PDP law is mostly about formalizing transactions that are already happening today. And we get called into some of these things because if there is an intermediary that wants to enrich the data and do all the analytics and things like that, they come to us and say, can you build out the mechanics associated with some of these things? And so we do get visibility into some of these things. And this is happening beyond India's geography. We are talking to FinTech companies in India and outside India. Okay. I think Prasanna had a question for Venkat. Prasanna, you want to... Yeah. No, no. I just missed two words, Venkat, while you were speaking. Who did you say were your customers? The, it is typically custodians, but now increasingly we have intermediaries or the data trusts that you are talking about. They don't call themselves data trusts, but essentially they are basically dealing with the data that belongs to the custodians outside the organizational boundaries. For example, the account aggregators is one of those. Good. Good. Thanks. Prasanna, you want to respond over here or both to Nishan's concerns as an entrepreneur or technologist. I think Advait also raised a bunch of issues as did Venkat. Is there something you'd like to add on over here? Yeah. I mean, the one, yeah, many of those concerns relate to the, I mean, some, what I call the core issue is it is, it is refusing to recognize that the custodian by default being the custodian is the owner. So this actually is pulling the rug beneath your foot. I mean, whether you have the right at all is a question, it's a philosophical question, but it is changing the regime in ways that we've never seen before. So therefore, all of these concerns will, I mean, will remain. I mean, all of these are legitimate concerns. I don't have anything to say on those concerns really, but what, I mean, as a lawyer, as I've looked at it, one of the things that struck me was that this is, I mean, let's look at how property law evolved. It evolved with separate cases coming before the courts and then the courts organically evolving the property law. But this is doing the other way around where the grammar is coming first. So we don't know, we don't have specific cases before the courts, but as we are looking to give a policy solution to many of these questions of who has the rights, whether the custodian should have the rights, etc. The closest that I could think of is the example of the skies. So earlier, I mean, before the aircraft was the first aircraft built by Wright Brothers. So the law assumed that the space indefinitely above the ground was owned by the person who ever owned the field, the ground, the land beneath. But the invention of the aircraft itself dictated that the law had to change. And then it was actually changed not by a policy intervention or a legislative intervention, it was actually changed because of a specific case before a court. And then the court had to hold that, no, it's only up to a point. And then what happened immediately was that the court, so all of the skies were effectively nationalized. So this report does not take that approach. In fact, it could have easily gone ahead and said, see all of this data, even though you are custodians, as I said, the banks were custodian of a lot of data that the example was given. So and then they are engaging intermediaries of their choice to add value to the data and give insights, etc. But all of that, that entire framework is valid only when as a custodian, you recognize the rights of the custodian over that data. So this actually pulls the rug from the beneath and said, no, you may be custodian of that data, but by default, you don't become its owner. And the data vests to the state and the state is going to administer the data under this regime, which is by the NPD authority. It could have easily said, all of this is owned by the government of India and government of India can do anything with it. It could have, I mean, that would have been an overnight nationalization of all that data. In fact, that is that did happen in the cup. It seems to have taken a, I mean, I'd say, there are seven, several misgivings with the framework, tactically what it is suggested, but in terms of strategy, I think there are a couple of things that the committee has gotten right. And one is to first establish this taxonomy that, okay, merely because we now say that the custodian does not become a default owner. It doesn't mean that it's overnight owned by the government of India. If it had come before a court, if this issue had to come before a court, for instance, today, a court would have ruled that it would, it was all national trust and the government of India has rights over. And we have, we saw that with Forest Dwellers, I mean, Forest Rights Act, I mean, before the Forest Rights Act came in. This is what happened. So it was a national public trust. Then the Forest Dwellers rights had to come in as an afterthought and then the community rights were recognized later on. So but here we are taking an approach where what is, what we've seen as an afterthought generally, I mean, it's happened with, it happened with Land Acquisition Act as well. It is also another kind of land nationalization, land eminent domain kind of legislation. They are also again, the giving of a hearing to the Gram Sabha and their participation being made, first it was formalized and then made substantive, etc. under the new Land Acquisition Act. All of them were added as afterthoughts that they want to recognize community and the multi tiered power structure in trying to administer non-personal data. I think that is, and that is, that is an attempt to get it right from the word go. But that is where what they've done kind of stops. Yeah, in terms of the goal as to whether GDP maximization should, is even a legitimate goal and whether it will actually evolve, I mean, achieve what they seek to achieve. That is the maximization of GDP, whether, I mean, I don't know, I mean, that's something people in the startup space may want to pitch in on that. See, they consider these two as two complementary entities. So one is data and then two is innovation. They complement each other. They think when we make data or data commoditized using this regime, then innovation can flourish. This is a bold prediction that they make is not rooted in economic theory that is not rooted, I don't know, perhaps in the recent experience of startups and venture capital we've had, whether it is rooted in that, I don't know. But that's the bold prediction that they've made and they've kind of ran away with it. That was my review. If there's any specific questions, I can answer. But I can't really answer to the specific, I mean, the other sort of tactical concerns that have been raised and I'm simply incapable of responding to those. Yeah, I guess maybe some of the responses that you have to write are towards saying, I mean, if this is implemented, then what? But I think this is an interesting point you made that even economic theory is not rooted that innovation is equal to data. I think Venkat might be probably laughing behind the scenes over there. But yeah, I think that this seems to be a very unfounded kind of an assumption, so it may be worth actually like asking more questions around this for somebody's writing a response. Sameer, I've made you wait for quite a bit, but maybe before Sameer comes in, can I just have one sentence to it? Yeah, please, yeah. So, but on the other hand, there are also, there have also been op-eds written saying that see, there is no market failure in data. So why is the regulator stepping in now? So that, I mean, that I'm not sure is legitimate criticism because they don't need to show a regulator need not show market failure. I think that's a bit of a misconception. All they need to show is that the market, data market is less free and less transparent or less ideal than innovation market. So, whether valuation of startups and the venture capital market on innovation, in innovation, whether it is, even if the government is able to demonstrate that that is freer and that operates at a more ideal field than the data market, then that is sufficient grounds for a regulator to step in. Yeah, sorry Sameer and Prasanna, I think I have this question for both of you. Is it even worth mentioning what it will cost in terms of re-engineering all these processes around these regulations and is that cost really worth it in the pursuit of what they might call GDP or economic value? Anyway, Sameer, maybe you can respond to that question and then Prasanna, but you can also go on with the stuff that we discussed earlier. So, that is the billion dollar question across the world because even with privacy, that is the largest question that is sitting around as to whether the previous applications, the legacy ones need to be re-engineered. And I don't think anybody has any answers to that. However, having said that, so I agree with Venkat as well in terms of this NPD bill in the current form actually does a lot of things which are good as well and especially a whole business part of legalizing the purchase and sale of data. So, that itself is a big plus, that at least what is happening under the radar is now what will be happening legally with the data business and everything. You still need to worry about a lot of other things that are coming in for how it is to be implemented and all, but at least it kind of gives some clarity. The second part that I have seen is from an NPD point of view, it really revolves around two types of data. So, one is what we are curating, massaging or organizing from personal data that is collected. And they are saying even these sensitive personal data groups identified as the India PDP will continue to remain sensitive even after being anonymous. So, therefore, the consent carries forward. And there is I think additional concern now that is required if I am going to anonymize and sell it or I am going to curate and share it or sell it. So, whether it is with remuneration or not, it still needs to be tagged there, not just for personal, now for non-personal data as well. So, therefore, if there are any health, the opinions, the beliefs and the social media is going to be disrupted by this because they now have the same privacy controls even if it becomes anonymous data. And this is probably an offshoot of what happened as election opinions and all that came up. So, that they have considered within this because the social media and the profiling and all are impacted essentially now the entire AML industry is the one which is clearly impacted. So, there are things like lending the tech in lending, the healthcare pharma trust, fraud management company, security product companies, all of these will come under it because one of the call outs that they have is that for fraud management or for security alerts and all, you should be in a position to be able to share data so that either country interests or local interests are taken care of. So, threat intelligence companies that require security data can now formally ask and companies can try to sell or give them data which they want to. In terms of the private data, they have said it is not a compulsion and it is really left to the individual company to do it. However, I think they have said that if the company wants to, they will need to register as a data business and they can register there and also move forward. Some of the things from a security point of view also that we have seen as we now need to classify the data both into personal, non-personal and within non-personal further classification. Therefore, each data point now will carry its own weight in terms of threats, risks and all and you need that. One other thing that I have noticed during implementation that technically to consider is the amount of tokenization or tagging that is required to data as it flows through. One of the key questions I have and which I think it will be silent about is if I have personal data converted to anonymized and I have shared further, then if there is a data breach anywhere, do I need to establish an entire link or a chain of custody from the collection point of the data in the last point wherever it was shared to. That is a little silent right now. So, that from an implementation point of view we will have to look at then security around the public forum. So, if I have shared data outside, there are APIs and all which is one of the techniques they have done. They are still silent on how we can secure it, what kind of encryption is required, what will happen at the country level and all and to my knowledge or at least whatever I have seen the cloud provider scenario also comes in from this aspect that because you need to publish data somewhere, if you are not publishing using your own infrastructure, then the other option is you are going to use a cloud or some form with a private public whatever and therefore with the cloud provider you need a contract which takes care of the not just the personal from privacy point of view but the non-personal data as well, which could be anonymized PD or regular PD as well. I think they have also mentioned that one of the types of data which is the community data needs to be submitted in raw format and not the one other thing that I saw is on the algorithm where for the algorithms the bill is silent. They say that we may want to audit and all but they are not very clear in terms of whether the algorithm needs to be shared with authority and I believe algorithm sharing is going to be a very tricky one because a, like we were discussing in between on one of the chats, somebody needs to be there of the same skill set on the other side to be able to evaluate as well and two, if it is an innovation thing then how do you even evaluate it yourself? So that is a tough call. I also felt that somewhere innovation while the bill says that you know it is going to encourage innovation and start up and all that, I felt that somewhere it is going to be more blocking than actually encouraging and the availability of data so easily can open its own standard of wants and therefore from a private point of view, the moment we are collecting data to be able to sell it somewhere will have to be very clean in terms of the whole consent mechanism and how it is going to operate and implement and all. The bill also talks about the open API which the government is trying to propagate. This, I believe standard would be a very major thing. I do not think it is going to be so easily doable. Worldwide we have not seen such an implementation happening anywhere. At the most we have seen an interchange format that are good for certain types of data between similar businesses say maybe within the banks or bank to RBI, RBI to bank that kind of scenario. But otherwise tough, they have also mentioned purposes that you can map. So some of the callouts in that are national security law enforcement which is more of the community portions then you have for mapping security vulnerabilities and challenges. So I think this is a good boost for the whole cybersecurity industry because that is going to be a plus to be able to get that kind of data though in what form is different. And then any law enforcement pandemic mapping is another such example that is put in and a lot of the things here that are mentioned even as examples or the callouts that are coming see be very relevant and prevalent when it comes to the whole pandemic portion of it. Also in terms of some of the questions that were coming up earlier to say that how will the government generally have access to my data and all. I do not think that is the case any where it is saying there is a blanket access that is available. If an access is required it will still I am not a lawyer but I think it will still go through the regular disclosure pattern that is there for all the laws everywhere across the world. Nowhere does government get access to data directly. It can of course use the state surveillance methods and all that but that is a different case. To your data even today I think if the government does a court order you will still be required to turn over your data whether you have a contract with a customer or not. And that kind of thing is not something which is in the purview of this. The bill does not try to change it in any way. Neither have I seen a defining or forcing saying you have to share data or you have to share algorithms and all that. For startups I think mostly when it comes to training models is where there is a benefit where people will be able to ask for training models and all. In terms of the tech portion again I think the whole architecture of the way we are storing, tagging data, taking rights on data. When I say rights in terms of digital rights and not just data user rights this whole architecture will need to be reworked. So even in terms of anonymization I feel that the bill should call out clearly saying if as an entity I have anonymized and sent out data then somebody should not be able to de-anonymize just using my data. To that extent if it can be called out it will be great because I think like I was saying that the moment you have data outside and I have multiple data points I can de-anonymize using data sets from four different entities about an individual. So that portion is cool and we could use sort of a standardized you know a JSON or a markup language and all which could take care of how the data exchange can be included. That's something that I think we should be able to do. I hope I've kind of tried to answer most of the questions but if there is something specific I can still answer more if I have missed. You have had a question, what does submitting in raw format means? The way you have collected without massaging or changing any characteristic of the data. So if I have collected online through a form and it has gone into my data as the first level of online is what is expected to be sent. The moment I profile or massage or break it into different places then that is not raw data for us. I have one or two questions just clarifications. My understanding is that if a business you know says data business I think all businesses are going to be data businesses even my company technically has a lot of data analytics on our readership for instance. But doesn't the committee report kind of make it mandatory that once you've reached a certain stage that at the minimum you have certain critical mass or whether it's in terms of revenue or in terms of the amount of data you collect that you have to share at the minimum metadata. Isn't that the condition and the second question kind of prasanna is what happens when personal data moves or transfers into community data is there any sort of what is your understanding of if my personal data is now part of a community data how does that kind of work out? So prasanna can I answer first or you are answering? No you go ahead first. I will answer. Okay so your first question was Prama ask that if you reach a certain size they will ask for data and you have to share. You have to put a metadata at the minimum and then I guess it's sort of your company's call whether you want to share aggregated non-personal data thereafter. No it's a company's call as far as private data goes if something is classified as critical data or sensitive from a country or sorry so I would put this way if there is something which is critical data as identified by the government and which is the case in the personal data bill as well the PDP as well even there they have called out for critical data and the same definition comes here. So if the country overall has identified certain data as critical then they will mark that accordingly and that is the data that they can ask for you but for us as a organization to be handling that kind of critical data means you are in a systemic critical for the government part you know it's like similar to working for the defense working for military that kind of thing so you would typically come under that bracket anyways. No but let's say a private payment company that there's no public purpose but it's you know consumer good sort of thing if you are collecting X amount of data or if your revenue is above a billion dollars let's say some of these companies are already crossed that you know isn't the committee kind of push for the metadata to be mandatorily shared is my question. No I don't think so there is anywhere written so specifically that is not the case also when it comes to sectoral data there is also the sectoral regulator who will come in as a vertical they may ask for certain data for themselves for benchmarking whatever but as a government I don't think it's a mandatory thing at least I couldn't read it anywhere but Prasanna would be a better person to answer from a law point of view if it is being interpreted like that. Sure thanks. Yeah so I'll come to that for the first question on on personal data and community data I mean so this see there's one other assumption that this report makes is that see this this demarcation between personal and NPD will largely be clear it is it can be adjudicated that's why in fact the NPD authority will then adjudicate whether some particular data is personal or non-personal once it is non-personal the entire regime will apply and that's when it is the question of whether it is private or community arises but whether in real world that adjudication is going to be an easy task I'm not sure right so as you said even the report recognizes one problem that is the de-anonymization problem but there is another fundamental problem as well in trying to delineate whether something is personal non-personal it is to say whether it is personally identifiable personal identifiable is again you know with with technologies that are available as of today what about future technologies whether whether data becomes personally identifiable later on even without anonymization de-anonymization all these problems so that is still a question also I don't think they've particularly engaged with that in detail indeed they seem to have proceeded from the assumption that this demarcation is clear even though there may be some gray in certain areas like de-anonymization and anonymization so long as you make the obligations clear that it can be handled that is the that seems to be the assumption and that assumption carries forward in also in this tier or whether it is community non-community data private data yeah so yeah so therefore it's a long-winded non-answer sorry about that so I think if you have personal data as part of the data even if in community then it deflects itself to the pdp bill not the npd so that is also something that that's correct in fact I think it might have been better for the bill for the report to have defined non-personal data as data under which no rights could be claimed under any other existing that seemed to have been the overall although they don't define it that way that seems to be the I mean the overall tenor in terms of the bill the report appears to indicate that is what they try they try to achieve that is why they say see algorithms proprietary knowledge we won't force you to share this right and they don't say what other obligations you will you will impose on those people who own an algorithm who created an algorithm to solve a particular problem right they don't say I mean it is now I mean we know that it's okay it is it is proprietary under existing law it is recognized as proprietary property either a state secret or as copyright or as patent right it is exist so so so long as you are able to claim property rights under existing law or other rights for example under the personal data bill that should ideally not have come within the purview of this at all so they should have they should have perhaps just refine the definition to say only that data wilderness that nobody knows who owns but it just inheres in the custodians by default right now under no legal regime but that's because of the fact that the custodians seem to have the custody of that data and they seem to exercise all control and we we want to change that to to be able to make it a freer data market to be better monetization etc etc but they've not done that they've still gone ahead and said personal data non-personal data is all personal all data that is not personal data and if you I mean they've again muddied what is to say you know if it is IP you don't have to share and what not correct correct but going back to the question is fixed data sets whether it is personal plus non-personal what happens to those whether they even envisage that that possibility I'm not sure I don't think they even consider mixed data sets for their any of their examples or any of their points I don't think they do so that brings me to one of the points that I had raised is that you know they're saying that for value added services the data trustee of the data custodian can onsell it so then that's sort of acknowledging that the ownership is no more with the principle so whatever rights you have shared are over and then there could be third party sales beyond what was initially stated or you know even fourth party sales for that instance like they could aggregate their own data the data trustee or data custodian can aggregate their own data create their own data set in the non-sell it as a separate you know as a separate business rather than just storage and consent management yeah right so long as it's not personally identifiable they say they don't even recognize any beneficial rights for the principle that was your point yeah yeah yeah that's correct that's correct thank you okay we have Shivangi and Sheikh Idris also Akshay has been posting some questions let me ask Akshay do you want to take this up a little bit or do you think the responses are okay for now the ones in the chat so I just wanted to bring this point out either way so this was basically understanding the implication of the data sharing so while we are debating on whether the algorithm would be shared or not there are cases like say provision of credit where if you have the databases completely shared and even the result as a matter of regulatory filing is shared it would be easy to build a model based on what say another company has done so then sharing of algorithms becomes like a mode point whether you're allowed to or not because a company can always make an algorithm that works according to another company's algorithm so this was just like this is where the intellectual property question also comes in so just wondering what's the implication of that would be because even the analytics itself doesn't remain proprietary if just the data is shared I think Anubha may want to take that yeah yeah also Sujjana Venkat if you have any thoughts on this Anubha you want to go or maybe Anubha is not here yeah I think Anubha is not here Sujjana Venkat any thoughts on this and this also is question of data and innovation I mean actually speaking how much of it is mostly building on top of somebody else's idea I think that's what we see in the fifth element every year somebody is doing something for six months and we don't know if that's going to last for another 18 months or not So Zainab I think you know what I was trying to tell Akshay was that if replicating model performance is what we are looking at here then you know we have already seen lots of instances where you know maybe you don't have access to exactly the same data that your competitor has access to but you are you know as it is you know without any data exchanges anything being in place still able to augment your own data sets with other external third-party data sets and achieve say similar performance on the prediction task even though you are not relying on the exact same underlying data and you may not be even using the exact same model family you could be like using a model from a different family and you could still expect to get similar performance So yeah that's my take on it Mankar any thoughts on this and Mankar are you planning to write a response on behalf of Scribble? Okay Shivangi and Sheikh Idris you're also in the room please take a moment to introduce yourself and also if you have any questions or thoughts on this and maybe we can wrap up with what we plan to do next because some folks are planning to write a response so we should also decide if we want to do another meeting like this and also continue on the document So Shivangi if I can ask you to go first and then check in please Yeah thanks Anna I was hoping to be quiet and just listen to everybody on this session I'm Shivangi Narkarmi I'm the co-founder at Arka my Sameer is my co-founder he's already spoken about many things that we discuss internally on this Just a couple of points that I don't have answers to I just want to throw it out with this community and see if there are any thoughts on this one is and it's been discussed also earlier see this whole so there's there are some boundaries that the PDP build draws right and it says very clearly that anything that is anonymous is outside the purview basically because it is not personal data and therefore the whole thing around npd but we're finding that it is taking then no then npd bill is taking further report is taking further from there and it's still talking of concepts of you know consent which is there even for anonymous data and somewhere I I don't know if there is even a disconnect or whether there should be a connect in terms of saying that you know the fact that something is anonymous itself means that technically it shouldn't be traceable back to the person who owns that data who's for data it is about the data principle but then one also knows that you cannot really have truly anonymous data so where do you sort of draw the line and this has so but if at the same time if you look at it as a continuum then things get even more messy because we're talking really of two very independent pillars over here with you know very different laws to govern it and you know different regulatory authorities and this has also been discussed in many other circles about should we just combine the two I don't have you know I do I just would like to throw it up as a question to ponder over while we're looking at this because it is finally end of the day data and it is very difficult to artificially draw sort of boundaries especially when you're looking at data modeling and using things within the whole AIML realm so I don't know if this makes the sense but this is where I'm kind of mulling over with no answers yeah I think like Nishan questions and answers presently you wanted to say something yeah on yeah this this question I think this is an important question yeah so why consent even for this that's yeah they seem to have realized this problem in in real world they know they're going to have first of all two authorities deciding and adjudicating whether particular data set is the domain of the PDP bill or the NPD bill there are two authorities two authorities may take different views on it number one and number two there could be adjudication errors we've seen I mean in our adjudication there's an appeals process I mean what the NPD authority may take of you this is non-puzzle data it needs to be shared and whatnot and all that and then it might be overturned in an appeal so when when when that kind of adjudication error happens so how do you roll back certain things that have been done those are important so therefore they they seem to have hedged their bets and said if you are going to do any kind of value addition any kind of even de-anonymization processing etc for that you should have gotten consent earlier when you collected it while it was still raw personal data so that that seems to have that they think maybe they think that would be the panacea for all the evils that will come out of these problems but that is also something to be I mean seen over time I'm not sure if that is going to be sufficient in dealing with some of these adjudication errors but that seems to be the motivation in the sense that if we could get it wrong in which case it's better that we have consent that we've already taken and and just to add quickly to that the in in reality data sets are a combination of personal and non-personal in a lot of cases so you can't really separate them out now because they're so tightly integrated how do you therefore you know govern them separately right so often for example when we work with companies helping them implement we realize that finally it's in one one container I'm using the word container very loosely not from the technology point of view then you know the typical advice is so that you minimally sort of disrupt things is to then give the whole data set personal plus non-personal the same risk level and treat it accordingly because you know it's better to be careful now then suddenly you realize that you know you don't have that freedom anymore because you're looking for at it from two prisms and not just one how do you really solve problems on the ground you know yeah yeah no I agree I don't think there are too many answers to that in this in this report it doesn't seem to consider mixer data sets at all in fact doesn't even also it also doesn't consider the possibility that the the data sets will be intentionally mixed because it is much more difficult to enforce rights under the PDP bill than it is under here if these two regimes come because we as we know I mean people who are going to be enforcing their rights are going to be individuals in the PDP bill who are much more powerless in the legal system than then businesses who will be looking to enforce their rights yeah right so I mean then there will there is all the more incentive to keep a lot of these things mixed so that you want to bring it in the purview of the PDP bill where you exercise more control in the name of the principle correct federal system standpoint prasanna and some of the others who may have more information on this what is the role of the bodies other than a national government or something into this because it seems like it's also more centralization of economy unless of course I have missed some point over here yes and yeah this is um yeah I mean our constitution is a largely center-oriented constitution and anything you don't know anything that comes up afresh is effectively the centers domain so that's why I mean if we had to litigate this before the for example we also need to look at okay there is no NPT regime what would happen many of these questions will go through the courts and court will and all the courts will decisively rule for the national government to exercise as much powers and as many rights over this as possible so I mean an analysis should also take that into account if this does not happen and if we have to litigate many of these rights over the next 20 30 years it's going to be perhaps worse for the national government playing an even bigger role than what is envisaged under under this regime okay maybe I can ask Sheikh Idrisan Chital if you have any concerns if you just wish to be quiet that's also okay not like you don't have to speak yeah I just need to understand thanks it's a good discussion this is Sheikh apparently I had the data engineering at zeta in the past I've been adding data engineering at Future Group and Ola and in Mobi just wanted to understand how it is different from the data sellers right if you look at Ziotap, Axiom, Truefactor we were always buying data at least the anonymized data and the insights and this business was always there and without this companies like ad network can never work right how this bill will impact the current data aggregators and providers is what I want to understand from the panel so now Sameer Adwit if you if you want to take this question or Shivangi if you have any idea I mean if we don't know we don't I'm not I'm not sure about the existing data companies I don't cover them so I'm not too sure about that yeah I mean the existing data companies even if they are there the law will anyway come as not as a retro fact we'll still be forward-looking this is nothing you can do on the back data okay and that's how GDPR, PDP everybody is working in the same fashion from New Zealand Prasanna you have any responses to shake it this do you mind repeating that question so with this non-personal data bill right I want to understand the impact on the existing data aggregators and data provider companies which sell data or at least which sells the data inside so yeah they are the ones they're the ones they're going to be most affected it is that's what these are the ones I said they are trying to pull the rug under the feet they they say they don't even recognize that these are businesses that are that legitimately exercise their business they seem to that's what they said they say they in fact in so many words they say it now defaults to existing custodians of data and they do it as they like they they they engage the intermediaries they engage the aggregators of their choice and all of that we want to stop all that that is where the government wants to step in and say we will exercise control over that so those are the ones they are the ones they're going to be most affected by this yeah of course the custodians the original collectors yes but also because the collectors are no longer able to engage people their choice yeah so that all of that is going to be affected got that thanks okay she was here she's not here all right so I think this document is sorry shake do you want to have you have any other yeah just one quick thing right based on my experience the data discovery itself has been problem I worked with Venkat in the past right it takes ages to just discover the data the data lies everywhere on laptops your excel shades the cloud and nobody is aware of either the metadata or the or the criticality of the data itself considering the number of startups in India I think it's impractical to enforce this bill one and two I don't know how good we are at enforcement of this bill and what penalties the government will come up with because if you look at current cyber crime cyber law right or look at the loopholes in the law there are always worker only I can list my entity outside of India I can play around with my cloud because now it's very easy for me to my data outside of India outside of say at least AWS Mumbai people are using AWS so I just want to understand because we have I think lawyers as well here is this enforcement going to be like strict like what is your opinion on that well we actually need to look at the bill for that in fact I was just typing out an answer because I don't want to keep hogging time here but the bill the report seems to to consider or I mean treat data discovery as though it is like an order of one problem you know in computer science terms okay but yeah I mean that that's an important point I think they just say it exists there and it is it is a trivial problem that's how it treats it maybe maybe the bill will give a better sort of flesh and blood to it let's see I have a more of a political economy question you know a lot of companies seem to be using Azure, AWS, Google Cloud aren't these guys going to have immense control over it and does this committee report give them sort of economic powers over the data that they store or are they just pure storage companies only and that they wouldn't be able to create or become data custodians or you know going beyond just storage? Well this is also an interesting question actually that will need to be looked at in every case depending on the terms of service the the test that the report seems to prescribe is control who has maximum control of that data and that would typically be those people who have access I mean the sense who have actually commissioned the AWS resources or the Azure resources and are able to put in and take out data but if the terms of service indicates that Amazon has even bigger control then you know that as to who the custodian is may shift in the sense and and on who's the rights and obligations in your under the law may also shift that's similar to see the some of the problems that we have with the intermediary liability under the IT Act so long as the intermediary has rights to modify content you know some high courts have held that they are no longer an intermediary they have no immunity so some of the Google's terms of service for instance they can modify content therefore if there is a definitely post on a Google site or a Google page thing and Google is also so Google can't take the defense that it's only an intermediary so so then some of the high courts have held that that way okay so so yeah so the terms of service may determine that but in the real world I would think that the control test in if we apply the control test actually the person who have actually commissioned the resources and are using the resources they will be the holders of the rights and obligations okay Sheetal you want to chip in what got you here or like if you have any questions that you want to get answered then we can probably like try and wrap up with a few next steps in five minutes I think Sheetal is still on mute okay so I think Nishant is still interested in writing he's going to be writing a response and some of us here may also probably write responses so one one suggestion and I'll open it up to the others also is that we could try and do like sync up sometime end of next week to just like look through the notes and see if there are any things that we want to add on because I think Nishant's also kind of put in a lot of stuff I was thinking maybe I'll try to see if it's useful to get some of these cloud providers to come in and see if they've thought about these questions and if they have anything to add on or if they want to do a submission themselves since they might be a group that could be sort of relevant over here but that's just these are just a couple of thoughts that I have. Suchina Venkat, Sameer, anyone else has any thoughts otherwise we can like regroup again like sometime next Thursday or Friday okay Prasanna says he's going to write one but yeah it's okay all right sure. Suchina Venkat, Sameer, feel free to chip in, Adwet anything that you think we should try and cover or bring in some folks to kind of throw a little bit more light on but I suppose yeah the more responses the better it will be. Maybe maybe get some of these fintech guys and one or two of them okay some of these guys who work with large data sets so one is on the payment side and of course the lending side because there's a lot of all data scoring stuff that's taking place and some of these companies are very shady some of them are some of them are known and I'm sure everyone's that that half post article on credit with yeah so that's a great case study on how data is sort of collected by all data companies and I think credit with yeah has like 30 banks in the network now so that would be a good aspect to look at. And you have any thoughts on like the questions that Nishant raised in terms of like you know any folks that you know could sort of interact with some of his concerns so I mean I'm not sure that's your area actually. Sorry could you remind me what. So Nishant's sort of concerns came in from an entrepreneurial point of view and the fact that he runs a sort of a software company which is mostly in the area of SaaS cloud etc. If you think there are any folks that we should pull in as resources to kind of like that he could talk to or if I mean this again very open question. Kind of I don't know yet but maybe some investors would have some points to make. Yeah maybe. It's all about IP right. Yeah. So Sameer Righam from PhonePay made some very good point he said you know obviously level playing field is not going to be possible because Google, Google controls search engines, Amazon controls e-commerce. So if like I said at the start you know if you're trying to get startups to access their data it's most likely Google and Amazon or you know let's say the larger payment companies are not going to share their data but if someone comes up with a good technology platform and they want to get access to data bilaterally maybe the company would force the startup to share and then who's going to be an advantage of that the bigger company. So I think the capital thing is going to I think that for me from a political economy standpoint the capital question is obviously in favor of the larger tech companies or any company which has a treasure trove as opposed to a small startup that you know would not have so much data anyway to share. Yeah. No that makes sense. Anything else Banker, Tsuchna, Akshay? I think we should probably regroup in a couple of weeks and see. Yeah. Yeah. Yeah. I think we'll plan for late next week or the week following that but I think this document now has a lot of stuff. I think Prasanna has added to it Nishant and I have been adding a few more Tsuchna has been adding more so I think we'll try to kind of keep leaning upon that and add to it. Also setup just as a suggestion maybe we can document sections of questions around legal questions around implementation which is around the data role part of it and all then that will kind of help us bring the right experts in each area as well. Yeah. Yeah I think that makes sense and also Nishant has added a section where he says that he wants help on I think he said issues to highlight in the responses. He's put a few questions around economic value, usage of data purposes, triangulation and registering as a data business. So I think he specifically wants to have responses on that front so that it's easier for him to kind of like draft his response. Zainab, I was just wondering if you could get something to speak from the perspective of data valuation and yeah there's a lot of talk in the document about this structure of a data exchange essentially and data custodians and data trustees being able to monetize the data right and then the granting of data requests sometimes on a free basis and sometimes on a monetized basis. Yeah I was also actually thinking who is going to put this value on the data and I mean the other question is who in India has actually worked on all of this I don't know Prasanna do you know of any folks because I think most of the work is currently still very theoretical on trustees and exchanges and aggregators and all unless I'm mistaken. And also Zainab just wanted to add that there is no talk about any of that monetization percolating back down to the data principles right. No there is actually no theoretical framework for that as well in fact many of the theoretical frameworks seem to even those that are considered crazy you know are trying to say okay so it is labor. Any data that is generated by principle even for these large internet businesses need to be considered labor but none of them are actually looking at even considering them as capital. For example are we by our content are we creating capital for Facebook I mean it's I mean it is a philosophical question it's a theoretical question that somebody great thinker has to explore and lay it out for us. And to add to Prasanna's point right so if a particular data set has been sitting around unutilized all this while and then somebody wants to come along and monetize it by augmenting with other data sets right. How are we going to value that data set because it existed until now but you know there was no value to it because nobody was using it. I think you know quite a while ago there was a good article that Facebook should start paying us for the data users we could check that. One idea is that you can talk to somebody's account aggregator companies are about seven of them because their model is sort of already here right so data trustee data AA system uses APIs to share data between banks and finance companies you can ask them also if they're keen to participate but I know that they're pretty shut off from at least they don't talk to people that often. Okay yeah I was also going to ask Rohan Jagidar because they have written a piece on account aggregation and seem to me like they might probably have something to contribute here but they don't seem to have looked at the NPD at all so I don't I mean yeah so that's also open. Okay yeah so then we look for someone on this data valuation and this account aggregation side and see if there's or they would need to sort of share. Shakey this is there anybody that you think you'd like to kind of you know bring in and then maybe we'll just close the session here. Yeah definitely we would need to bring someone from the data aggregator side so yeah I'll I'll share the details I know a couple of senior folks and these companies from Truefactor. Yeah okay great so I think that that would be helpful because then that could also help to if not answer but at least try to clarify some of these questions yeah that would be helpful. Great if there are no further comments I think we could close here yeah it's 7 30 on Monday so yeah that's it thanks a lot for participating this was quite helpful and let's keep going on this in the conversations. Tomorrow a day after I think Shivangi and Venkat and Shrinidhi and Raju they're doing a session that's on product design and the personal data protection bill but yeah I mean there could be questions that could sort of be asked around here as well and see if those could be tackled or in the following session there's one on privacy by design and modeling for this. Yeah that's about it thanks a lot everyone and this was a very interesting session. Thanks Agwet for coming in on such short notice. Suchina Prasanna, Shivangi, Sameer and all of you here. This was really useful. Thanks for setting this up. Bye.