India, being the second most populated country in the world, has a large data market which is relatively unregulated. The lack of appropriate legislation has encouraged crimes such as data theft, data misappropriation, cyber-squatting, etc. The increased usage of smartphones coupled with the easy availability of the internet has made it extremely necessary to have a robust system of data governance. After tabling the Personal Data Protection Bill (“PDP Bill”) in 2019, the Ministry of Electronics and Information Technology (“MeitY”) is furthering its commitment to regulate the processing of data in India by addressing the issues associated with Non-Personal Data (“NPD”). In this regard, MeitY constituted an NPD Committee, which in July 2020 released a draft report on the “Non-Personal Data Governance Framework” (“Report”). The Report envisages the protection and governance of NPD and aims to tackle the challenges associated with processing and usage of NPD in India. The NPD Committee has tabled certain concepts and recommendations, which are highlighted below.
Definition of Non-Personal Data
The Report defines NPD as any data which does not constitute Personally Identifiable Information (“PII”) of an individual. PII or “Personal Data” under the PDP Bill, 2019 means any data relating to a natural person which makes such person directly or indirectly identifiable. Thus, any data which does not contain PII comes under the ambit of NPD. Further, NPD also includes anonymized data of an individual or aggregated data of a specific event which is transformed in such a way that the event is no longer identifiable. The Report has categorised NPD in the following manner:
The Report classifies data into 3 main categories:
While the Report is yet to define Critical NPD, it has laid down a special emphasis on Sensitive NPD and the need for a regulatory framework surrounding it. Sensitive NPD means NPD relating to national security or strategic interests, business and confidential trade secrets and anonymized data which bears the risk of re-identification. Further, any NPD arising from anonymized Sensitive Personal Data as defined by the PDP Bill will also be termed as Sensitive NPD.
Ownership of Data
In the case of Private NPD, the ownership rights belong to the entity to whom the data belongs. Public NPD will belong to the Government and the public authorities collecting such information. In the case of Community NPD, many data principals may have overlapping rights and privileges, making it difficult to address the authenticity of ownership of data. To avoid this, the NPD Committee has adopted the concept “beneficial ownership/ interest” to ensure that the interests of the general public are safeguarded. In such a case, there shall be a legitimate trustee who will protect data on behalf of the community, where there is an overlapping of interest. The trustee will be the representative body of that community and will work on behalf of the community to take decisions which are beneficial to them. The community can also work through the trustee in determining the control and usage of their NPD.
To ensure access to NPD in a systematic manner, the NPD Committee has also proposed setting up “Data Businesses” to undertake the task of collecting, processing, storing, or otherwise managing data. Entities collecting information beyond a certain threshold level will be required to compulsorily register as a Data Business and will be subject to any institutional authority set up for regulation and governance. Such entities will also be required to submit the meta-data of the community from where the data is collected as well as the user which uses this data. This meta-data will be stored in the meta-data directory of India.
Similar to the PDP Bill, consent is necessary for the collection and processing of NPD. Since the data which has been anonymized can be re-identified and de-anonymized, the data principal requires a better framework for the protection of his NPD. Therefore, the NPD Committee has recommended that an individual shall provide consent for anonymization of the data and its usage. The Committee also has recommended that there should be appropriate standards of anonymization of data to prevent and minimize the risk of data re-identification.
Sharing of NPD
Sharing of NPD is to be done under a regulated mechanism and shall not be done to fulfil individual needs. The Report has suggested the purposes (as detailed hereinbelow) under which the Government, researchers, entities as well as citizens can request access to NPD:
- Sovereign Purposes: Data can be shared and requested for sovereign purposes such as national security, law enforcement, legal, regulatory and compliance purposes.
- Core Public Interest Purposes: Data can be shared when there is a bona fide need to have a proper know-how for policy-making, benefits of the public, improvements in the delivery of public services, research and innovation.
- Economic Purposes: To encourage fair competition and promote welfare of the people, data can be shared with different entities and start-ups to mould their services in such a way that they cater directly to the needs of the consumers while fostering innovation and modern technological know-how.
- Governments/ data trustees may also seek mandatory sharing of important data for a sector for specific purposes, which would also be managed and provided by such data trusts. It may also consist of both mandatorily and voluntarily shared data.
- Private Data: With respect to sharing “Private NPD”, only such raw/ factual data pertaining to a community, that is collected by a private organization may need to be shared, subject to the well-defined grounds at no remuneration. As the processing value-add over the raw data increases, appropriate mechanisms may be leveraged for data sharing. Algorithms/ proprietary knowledge may not be considered for data sharing.
Non-Personal Data Regulatory Authority
The Report also envisages the introduction of the Non-Personal Data Regulatory Authority (“NPD Regulatory Authority”) to regulate and guide the NPD ecosystem within India. Government and private undertakings collecting data from individuals will have to comply with the provisions set up by this NPD Regulatory Authority. The NPD Regulatory Authority will play two important roles for better governance of NPD within India:
- Enabling Role: The NPD Regulatory Authority shall ensure that any NPD which is collected is shared for economic welfare, regulatory and competition purposes only and not for the fulfilment of any individual needs.
- Enforcing Role: It shall be the duty of the NPD Regulatory Authority to ensure that all the stakeholders follow the guidelines and rules laid down and provide data appropriately when data requests are made. The NPD Regulatory Authority will also be responsible for evaluating the risks associated with the re-identification of anonymised personal data.
The NPD Regulatory Authority shall also address the market failures within the Indian NPD ecosystem and supervise access of the NPD by any enterprise, which will help enable fair competition in the Indian digital sphere.
The introduction of robust legislation for the protection of Personal Data and Non-Personal Data is the need of the hour, especially for a country like India. Globally, legislation with regard to Non-Personal Data is still a nascent concept, more so in the developing economies.
On a comparison with the European Union’s (“EU”) legislation on Non-Personal Data, similarities and dissimilarities can be seen. There is free movement of Non-Personal Data throughout the EU; whether something like that is possible in India is yet to be seen. It is believed that processing of Non-Personal Data in India will boost the data economy through facilitating exchange of data by enabling companies to store non-personal information. Such regulations will be useful to business undertakings which use data analytics and artificial intelligence to run their business operations. Both the EU Legislation and the Report encourage free, yet regulated dissemination of Non-Personal Data.
The provisions of the PDP Bill state that the Central Government may direct any data fiduciary or a data processor to provide any anonymised Personal Data or other Non-Personal Data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government. To further this, the NPD Committee has stated under the Report that sharing Non-Personal Data collected by both Government and private organizations with citizens is likely to lead to increased transparency, better quality services, improved efficiencies, and more innovation. The NPD Committee also recognizes that Non-Personal Data is an emerging concept that will need to be examined and defined in detail in the future.
Protection of Non-Personal Data and its use under regulated conditions will help foster fair competition and economic growth in the country. Moreover, there will also be restrictions on usage of Sensitive Non-Personal Data and punishments for unauthorized access of any kind. The NPD Committee strongly recommends that the proposed Report on Non-Personal Data Governance Framework becomes the basis of a new legislation for regulating Non-Personal Data in India. It will be interesting to see regulations based on this Report and how it marries with the Information Technology laws in India and globally.
– Archana Balasubramanian, Partner with Charulata, Associate