On Wednesday, 27 August, the Indian Council for Research on International Economic Relations (ICRIER) DPI4D Community of Practice hosted a webinar featuring the co-authors of the recent T20 policy brief Towards an Integrated Data Governance Framework for Digital Public Infrastructure. Pria Chetty, Payal Malik, and Thomas Linder brought their legal, competition, and civil society perspectives to discuss how data should be governed within DPI systems to ensure public value creation and equitable outcomes.
The conversation made clear that even when the focus is narrowed to data governance within DPI, issues surrounding data privacy, data access, extractivism and interoperability remain complex and contested. This underlines that the broader challenge of DPI governance cannot be approached through closed or technocratic processes alone. Reliance on access to standardised data for effective DPI implementation, by proxy, means that citizens will be impacted by the exchange and use of their personal information for scalable digital service delivery solutions. When public data is under the control and authority of big players, both positive and negative risks come into play.
In this regard, one key takeaway was that DPI will not automatically serve the public interest. As Pria Chetty cautioned, “something about the data governance frameworks that we currently sit with need to evolve… it doesn’t matter which element we looked at, that was the common thread“. Without meaningful changes, DPI risks reinforcing existing inequalities rather than addressing them.
Data extractivism and monopoly risks
One pressing concern is the growing threat of data extractivism. DPI was initially seen as a way to open markets and level the playing field. However, as Payal Malik reflected, “we were very excited about DPIs… because they were a technological response to private, siloed proprietary infrastructures.” Yet, as private actors become deeply embedded in building and operating DPIs, she warned, “we need to ask: who is controlling the data, and for whose benefit?… are we back to square one where market concentration and data extractivism would become the norm?“
Thomas Linder drew a sharp parallel with platforms like Uber and Airbnb: “They made money on the back of existing infrastructure… and the data then created by these services was withheld from the public. Cities would love to have all of the data these corporations hold in order to do better urban planning, but getting access to that, let alone extracting the kind of value that it actually possesses and feeding that value back to the public, is much harder.“
As Malik summed it up, “DPI cannot be a substitute for governance. Some governance can be embedded in the architecture itself, but regulatory instruments and governance would be required because in the absence of clear governance guardrails, this data can again quickly slip into quasi-private control without transparency, accountability, or equitable return to the public.“
The evolving role of DPAs
The role of Data Protection Authorities (DPAs) within DPI governance was also explored as a potential solution, if reformed. As an independent public body mandated to enforce data protection laws and investigate breaches, DPAs determine organisational compliance. However, speakers addressed the need for them to evolve in order to achieve more equitable outcomes, and Chetty argued that DPAs must move beyond a narrow, reactive focus on breaches.“For DPI, as we navigate the complexity of how we facilitate data exchange… there’s something much more for the Data Protection Authority to do, and that is to offer some counsel in terms of technical expertise“.
This evolution would also require DPAs to strengthen their technical capabilities and adopt a more user-centric approach. As Chetty put it, “Are you allowing participation of users in decisions around their data? Have you built in something that is user-centric?“
Another challenge lies in making data rights meaningful in practice — not just on paper, but in ways that individuals and communities can actually exercise them. Chetty highlighted this point: “There is a need to create awareness around rights and… meaningful accessibility. As you speak about the Global Majority, we’re speaking about language barriers [and] literacy levels that could be low. So when you interrogate the mechanism, is it really meaningfully accessible?“
Rethinking rights and the meaning of data
Speakers also challenged dominant framings of data. Current legal frameworks tend to treat only personally identifiable information as requiring protection. Chetty urged a broader rethink: “What I love to bring into the conversation is a right to data… to move out of the paradigm around the privacy of data and speak about the right to data.” This includes considering data as embodied and tied to bodily integrity, not just a neutral commodity for harvesting. Within these framings are added considerations surrounding the need to respect users’ data, and embed them into processes that user their data.
She says, “For example, our work on embodied data considers how data is an extension of your physical self. I believe that if we’re going to motivate for the right to data, we need to consider this… Legal guidelines are needed surrounding data minimality and data subject participation – if something changes, the user should be entitled to consultation in their data’s decision-making.”
Open data and public value
On open data, Thomas Linder reflected on lessons from past initiatives.“We’ve been talking about open data and open government since the early 2010s… but it hasn’t really worked as well as the plan was in the beginning“. Malik added that governance must go beyond “siloed privacy regimes,” cautioning that without robust guardrails, valuable public data will continue to be monopolised by a few actors.
Chetty made the crucial distinction between data being “technologically open” and “legally open”. She argued that “to really enable public interest, open data cannot be for the few. Public and private sector partners in the DPI ecosystems will have to enable it to be used for purposes that we didn’t initially imagine. And so the framework has to allow for it to be technically and legally open — otherwise, is it really ‘public’ infrastructure?“
Geopolitics and the global debate
Finally, the conversation acknowledged the wider geopolitical context. Chetty reminded participants that governance frameworks cannot be divorced from context, saying,“we need to think about [data] beyond the constructs we’ve been given… and reconsider whether our institutional mandates and policy framing are really suitable“.
The authors concluded that DPI is no substitute for robust, inclusive governance. Realising its potential requires adaptive and participatory frameworks grounded in public interest, particularly from a Global South perspective. South Africa’s G20 presidency has offered an important opportunity to bring Global South perspectives to the forefront of global data governance discussions. But with the presidency passing to the United States next year — and uncertainty around whether a T20 process will continue in 2025 — it will be essential to maintain momentum and ensure these conversations are carried forward.
