DISCUSSION NOTE ON THE DRAFT REPORT ON THE GOVERNANCE OF NON-PERSONAL DATA


The draft of the Report by the Committee of Experts on Non-Personal Data Governance Framework (“NPD Committee” and “NPD Report”) was published on 12th July. The NPD Committee has sought feedback from the public prior to finalising its report. The NPD Committee was constituted by the Ministry of Electronics & Information Technology (“MEITY”) in September, 2019 to study issues pertaining to non-personal data (“NPD”) and make suggestions to the Union Government on the regulation of NPD.

The NPD Report notes that the potential network effects associated with access to data could create market distortions in favour of a few companies. The NPD Report states that one of the primary drivers of value of such companies has been their ability to collect and analyse user data, and the positive feedback loop this creates.

Primarily, the NPD Report makes a case for regulating NPD in order to:

• establish a modern framework for creation of economic value out of data,
• create certainty and incentives for innovation in India,
• create a data sharing framework for community data, and
• address privacy concerns such as re-identification of anonymised personal data.

To create a regulatory framework for NPD, the NPD Report makes a number of recommendations. A few key recommendations are summarised below.

1. Definition of NPD

On the question of defining NPD or data that is absent any personally identifiable information, the NPD Committee has recommended dividing NPD into three categories:

a) Public NPD - data collected or generated by the governments and treated as confidential,
b) Community NPD - data whose source or subject pertains to a community of natural persons, and
c) Private NPD - data collected by persons or entities other than governments, and sourced from privately owned assets and processes.

In addition to this, the Committee also proposes that the ‘sensitivity of NPD’ be assessed based on national security, risk of collective harm, business sensitivity, and level of anonymisation. The Committee has acknowledged that anonymisation of personal data does not completely negate the possibility of harm to the original data subject. It has recommended that post anonymisation, the data should continue to be treated as the NPD of the data principal. Consent must be sought from the principal for anonymisation and usage of this anonymised data. The Committee also recommends prescribing appropriate standards of anonymisation to minimise risk.

Draft for discussion Privileged and Confidential

2. Roles of Entities Processing NPD

The NPD Report has recommended defining the roles of four kinds of entities in relation to NPD.

a) Data Principal would depend on the kind of NPD under consideration, be it Private, Public, or Community. Based on the kind of NPD, it can be an individual, a community or any other entity.
b) Data Custodian is the entity undertaking collection, storage, processing, or use of the NPD in accordance with the best interest of the data principal. This may also be considered the ‘data fiduciary’ subject to certain conditions.
c) Data Trustees are entities through which the data principal or community shall exercise their data rights, and the ‘Data Trusts’ themselves are the institutional structures that shall contain specific rules and protocols for containing and sharing a given set of data.

3. Legal Basis for Ownership of NPD
On the question of ownership of NPD, the NPD Committee recommends that even after personal data is anonymised, the data principal shall remain the same as for the personal data. In the case of community or public NPD, the NPD Committee proposes a beneficial ownership model, where the benefits of processing data must accrue to the communities that produce the data and not just the processors of the data.
However, such recommendations may have to be examined in the context of the Personal Data Protection Bill, 2019 (“PDP Bill”) once it is passed. In its current form, the PDP Bill allows for the processing of personal data once it has met the appropriate anonymization standards laid down by the Data Protection Authority.

4. Undertaking a Data Business
The NPD Committee has recommended the creation of a new category which shall be referred to as ‘data businesses’ and include organisations which derive new economic value from data, by collecting, storing, processing, and managing data. This is a horizontal classification that cuts across multiple pre-existing industry sectors. It has recommended prescribing a certain data-related threshold to be brought under this category. The NPD Committee recommends that commercial, government and non-government organisations meeting this threshold would have to be registered. The Committee has recommended compliances for data businesses such as disclosure of data elements collected, stored and processed, and data-based services offered. The compliance requirements shall be independent of regulation of the business by another sectoral regulator.

Indian citizens and India-based organizations would also have open access to the meta-data about data collected by different Data Businesses. The NPD Committee is of the view that such access to data would spur innovation in the country.

5. Data Sharing

The NPD Report proposes establishing a data sharing framework by defining a data sharing purpose, mechanism and creating checks and balances.

a. PURPOSE

The NPD Report has outlined 3 purposes for which data sharing may be enabled. These are sovereign, public interest and economic purposes.
i. Sovereign Purpose: NPD may be requested by governments for a number of ‘sovereign’ purposes such as mapping security vulnerabilities and challenges, crime mapping, pandemic mapping, community benefit, and analysing regulation.
ii. Public Interest Purpose: This primarily refers to initiatives where data is used in public interest or to promote the welfare of a community. Such data could include a new class of ‘high value datasets’, which contain health, geospatial and/or transportation data, and may be used for societal benefit. The NPD Report also recommends the need to create ‘data spaces’ to promote intensive data-based research.
iii. Economic Purpose: The NPD Report states that data sharing for economic purposes may help address market imbalances. Hence, it recommends that data may be requested in order to encourage competition and provide a level playing field or encourage innovation.

b. MECHANISM

The NPD Report has recommended that data sharing mechanisms should be prescribed for sharing public, community and private data. This requires the government to improve on existing data initiatives and ensure horizontal application of data sharing principles to all forms of NPD. Broadly, data sharing mechanisms should provide for access to meta-data, the procedure for processing of data requests and the refusal of such requests. Additionally, with respect to private NPD, specific recommendations for data sharing have been made:

• Only raw data pertaining to community data collected by private organisations need be shared without remuneration.
• Sharing shall be on fair, reasonable and non-discriminatory terms of remuneration where the value addition on original community data is non-trivial.
• Where there is significant value addition, the data can be sold on a well-regulated data market at freely determined prices.
• Beyond a threshold level of value addition, it is expected that data usage and sharing would largely be left to the private organisation collecting it.

c. CHECKS AND BALANCES
As per the NPD Report, the proposed data sharing mechanism would be subject to checks and balances to ensure that regulations are appropriately implemented. The NPD Report proposes, inter alia, the following checks and balances:
• NPD considered as ‘sensitive’ would need to be stored within India. Critical NPD would have to be stored and processed in India, while other forms could be stored and processed anywhere.
• Cloud service providers and data businesses would be contractually bound to comply with storage and processing conditions by the data regulator.
• Testing and probing tools are continuously run on the data in these secure clouds and reports generated, and automatically submitted by cloud service providers and registered organisations to ensure compliance.

• An ‘Academic-Industry Advisory Body’ would be able to make suggestions to standards, algorithms, and fund improvements of these data probing tools and systems.

6. Setting Up a Non-Personal Data Authority (“NPDA”)

The Committee has also recommended establishment of an NPDA to consider issues in regulation of NPD, unlocking the value of such data, providing support to India’s digital industry, and harmoniously resolving issues around data sharing, competition, re-identification or collective privacy. The NPDA shall have both enabling and enforcing duties. The NPDA shall also have to define certain processes in respect of regulating data businesses. Given that the PDP Bill proposes the creation of a new Data Protection Authority (“DPA”), the role of the NPDA may have to be examined in the context of the role played by the DPA.

Anand Gupta Editor - EQ Int'l Media Network