BACKGROUND
In September 2019, the Ministry of Electronics and Information Technology (‘MeitY’) formed a Committee of Experts (‘the Committee’) to make recommendations for the Central Government on devising a framework for Regulation of Non-Personal Data (‘NPD’). The Committee on Non-Personal Data Governance Framework, led by Infosys co-founder Mr. Kris Gopalakrishnan released the Initial Report on Regulation of Non-Personal Data (‘the Report’) in July 2020 for public consultation. The Report proposed the introduction of NPD Legislation which would be enforced by an NPD Authority (‘the NPDA’) and laid out essential principles to be included in the NPD Legislation.
The Objectives of the Report include:
- Generating economic benefits for Indian citizens and communities by unlocking the enormous potential of social, public, and economic value from using data;
- Creating incentives for innovation and the development of new products and services, and startups in India;
- Addressing privacy concerns, including re-identification of anonymized personal data, preventing collective harms resulting from the processing of the NPD, and examining the concept of collective privacy.
However, the Report appeared to lack clarity in certain aspects such as community non-personal data, definitions, and other provisions and the purpose sought to be achieved by the framework. Thereafter, based on over 1500 recommendations and submissions from various industry bodies, companies, civil societies, and independent experts, in December 2020, the Committee released a Revised Report which addresses several issues that have been raised concerning the Report and modifies the previous NPD Framework. The Revised Report intends to clarify the concept of NPD and its classification, as well as to distinguish between the governance of Personal Data (‘PD’) and NPD. It also restructures the data-sharing purposes subject to regulation and modifies the data-sharing mechanism.
WHAT IS NON-PERSONAL DATA?
The definition of NPD as given in the Report remains unaltered. A data is considered to be non-personal when the data is not ‘personal data’ as defined under the Personal Data Protection Bill, 2019 (‘PDP Bill’), or the data lacks any Personal Identifiable Information (‘PII’).
The Report had further classified NPD into three categories:
1. Public NPD: NPD collected or generated by the Governments, or any of their agency and includes data collected or generated in the course of executing all publicly funded works. All NPDs collected or generated by the Government that is explicitly accorded confidential treatment under the law, shall not constitute Public NPD. Some examples of NPDs are anonymized data of land records, information regarding public health, etc.
2. Community NPD: NPD which includes anonymized PD and NPD relating to any inanimate or animate thing, or natural, social, or artefactual phenomena, whose source or subject pertains to a community of natural persons, falls under the ambit of Community NPD, provided that such data shall not include Private NPD. Some examples of Community NPD include datasets collected by municipal corporations and public electric utilities, as well as datasets containing user information collected by private businesses like telecommunications, e-commerce, and ride-hailing services, etc.
3. Private NPD: NPD collected or produced by persons other than Governments, the source or subject of which related to assets or processes that are privately owned by such person or entity and includes aspects of derived and observed data resulting from the private effort. For example, inferred or derived data/insights involving application of algorithms, property knowledge, etc.
The Revised Report excluded the explicit classification although it retained the underlying concept of Public, Community, and Private NPD.
INTERPLAY BETWEEN THE PDP BILL AND THE NPD FRAMEWORK
The Report contained various ambiguities regarding how the proposed legislation on NPD and the PDP Bill would govern NPD and PD separately without any overlap. The Revised Report makes additional clarifications aimed at a mutually exclusive yet harmonious construction of the PD and NPD regimes in terms of data regulation, operational standards and criteria and particular adjustments to avoid overlaps.
In this light, the Committee suggests the deletion of Sections 91(2) and 93(x) of the PDP Bill to ensure that it does not regulate NPDs. As per the Committee recommendations, any anonymized data will fall outside the purview of the PDP Bill and will be regulated by the NPD framework. Thereafter, if an anonymized data is re-identified in any manner, it would fall under the purview of the PDP Bill. Further, where the dataset is mixed in the sense that it contains inextricably linked PD and NPD, it would be governed by the PDP Bill. The ‘identifiability of the data‘ would be used to decide whether the PDP Bill or the NPD framework would be applicable to the particular set of data.
HIGHLIGHTS OF THE CHANGES INTRODUCED BY THE REVISED REPORT
Some of the major modifications introduced by the Revised Report vis-à-vis the Report are discussed as follows:
1. Sensitivity of NPD: The Committee in its Initial Report introduced the concept of sensitivity of NPD wherein NPD may inherit characteristics of sensitivity from the underlying category of PD from which it is derived. The Committee noted that even when personal data has been anonymized, it does not eliminate the possibility of harm to the original Data Subject as no anonymization technique provides complete irreversibility.“NPD could be sensitive when it relates to national security or strategic interests, bears the risk of collective harm to a group, comprises business sensitive or confidential information or is anonymized data bearing the risk of re-identification.”
The Revised Report proposes that NPD derived from PD will inherit the sensitivity of the underlying PD for storage requirements as specified in the PDP bill. For example, NPD relating to the health of the people, although anonymized will inherit for the purpose of storage requirement, the sensitivity of the underlying data which is classified as sensitive PD as per Clause 3(36) of the PDP Bill.
2. Consent for Anonymized Data: The Committee in its Initial Report had recommended that at the time of collecting the data of the Data Principal (individuals to whom anonymized personal data pertains), the entity must take the Data Principal’s consent with respect to anonymizing the Data Principle’s data and for the usage of the anonymized data. The Revised Report has diluted the explicit consent requirement of the Report. In the Revised Report, the Committee recommends that at the time of collecting PD, the Data Collectors will notify the Data Principal as well as offer the Data Principal to opt-out of data anonymization prospectively. Further, if consent has been provided and the data has not yet been anonymized, then the consent can be revoked.
3. Data Businesses: The Committee in its Initial Report introduced the concept of Data Businesses which is retained and further clarified in the Revised Report. In the Report, the Committee, having observed that organizations are deriving new or additional economic value from data by collecting, storing, processing, and managing the same, suggested that a new category of business called ‘Data Business’, meeting certain threshold criteria should be created. The Committee further suggested that there should be a process for registration of business and the requirement for the same shall be applicable to commercial organizations, Governments, and other Non-Governmental Organizations (‘NGOs’) that collect, process or manage data. The registration as a Data Business may be voluntary below the threshold. In addition, such Data Businesses should be made accountable to declare what they do with the data, what data they collect, the process, use, manner and purposes of collecting the data.
The Revised Report clarifies that any organization (Government or private) which collects, processes, and stores PD or NPD is a Data Business, that includes either a Data Custodian or a Data Processor. It further clarifies the threshold parameters for defining Data Business such as gross revenues, the number of consumers/households/devices handled, percentage of revenues from consumer information, etc. It further suggests that the thresholds for NPD should be harmonized with those suggested for Significant Data Fiduciary, in the PDP Bill.
4. Data Custodian: The Committee in its Initial Report defined a Data Custodian as an entity that undertakes collection, storage and processing of data keeping in mind the Data Principal’s best interest. It recognized that a Data Custodian is similar to that of a Data Fiduciary under the PDP Bill and has a duty of care towards the concerned community to which the NPD pertains which shall be defined through a defined set of obligations. The Revised Report clarifies that both the Government and private bodies come under Data Custodian. Further, the Committee exempts the obligation of Data Processors to share any NPD processed by them on behalf of the Data Custodian. Data Processor refers to a company (such as cloud service provider, SaaS provider IT, etc.) that processes NPDs on behalf of the Data Custodian.
5. Data Trustee: The Committee in the Report recommended that the community or Data Principal group will exercise its rights through a Community Data Trustee. The NPD framework will provide guidelines regarding who can act as an appropriate Data Trustee. In the Revised Report, the Committee defined Data Trustees as an organization, either Government or a non-profit Private Organization ( a company, trust or society as per Section 8 of the Companies Act, 2013) responsible for the creation, storage, maintenance and data sharing of High-Value Data Sets (‘HVDs’) in India. The report also provides certain Guidelines relating to the management of an HVD and data sharing by a Data Trustee.
Herein, the Data Trustees are Data Businesses. Data Trustees will request NPDs from Data Custodians to create HVDs, the access to which can be requested by Data Requestors (registered public or private organizations) from the Data Trustees in exchange for a nominal fee. The Data Trustees will be responsible for data stewardship and have a ‘duty of care’ to the concerned community. It will also be responsible for ensuring that the re-identification of NPD does not harm individuals or group(s) of individuals.
6. NPDA: The Committee in the Report recommended for creation of a NPDA. The NPDA will be vested with two roles namely: i) enabling role (in order to ensure that the data is shared for a sovereign, social and economic welfare, regulatory and competition purposes) and, ii) enforcing role (in order to ensure that all the stakeholders follow the Rule and Regulations laid down, provide data appropriately on a request, undertake ex-ante evaluations of the risk of re-identification of anonymized data, etc.). The NPDA will have the power to address market failures such as a lack of information regarding an entity’s actual NPD assets or problems resulting from processing activities, such as re-identification or discrimination. It will also provide a “level playing field” in the digital and data sectors, with fair and effective competition. In the Revised Report, the Committee further proposes that the NPDA will work in consultation with the Data Protection Authority under the PDP Bill, the Competition Commission of India and other Regulators so that issues regarding data sharing, re-identification, competition etc., are harmoniously dealt with.
The Revised Report has also expanded the enabling and enforcement role of the NPDA. While its enabling role comprises ensuring unlocking of economic benefits from NPD for the people and communities in India, creating a data-sharing framework and managing the meta-data directory of Indian Data Businesses, its enforcement role entails establishing rights over Indian NPDs in the digital world, addressing issues relating to privacy, re-identification of PD, preventing misuse of data and adjudicate when a Data Custodian refuses to share NPD with a Data Trustee for the creation of an HVD.
7. High-Value Data Set: The Committee in its Revised Report introduced a new concept of HVD. HVD is a dataset that can be shared for purposes of public good and for the benefit of the community at large. The Committee specifically lays down the various purposes that an HVD serves such as: it helps in the creation of new businesses, new and high-quality jobs, new innovations, useful for policymaking, helps in achieving a wide range of socio-economic objectives such as healthcare, poverty alleviation, urban planning, etc.
A Data Trustee, in consultation with the NPDA, may create or classify an HVD. Thereafter, the NPDA will issue detailed guidelines to decide whether an HVD identified by the Data Trustee meets the criteria in terms of objectives, size, data set, actors participating, and other factors.
The Committee also prescribes certain Guidelines on NPD data sharing for HVDs. It further proposes that NPD will not be included for sharing when the data sharing involves access to private companies’ trade secrets or other proprietary information concerning their employees, internal process and productivity data, or when it is likely to violate the privacy of individuals, groups or businesses. However, it does not provide any concrete framework to overcome the challenges which would arise if such data is shared.
In the Revised Report, NPDs are classified into three categories of granularity namely i) raw data ii) aggregate data and, iii) inferred data. As per the Committee, complete raw data sets will not be collected from both public and private sources for the creation of HDVs and only specific subsets may be collected. While inferred data from private entities will not be collected for the creation of HVDs, data from public organizations may be collected unless the dataset has a national security consequence. There will be no such restriction on the collection of aggregate data.
8. Establishing Community Rights over NPD: The Committee in the Report had introduced a nebulous concept of Community Data and did not adequately provide for community rights. The Committee, in the Report adopted the notion of ‘beneficial ownership/interest’ as there would be several persons/entities that may exercise simultaneous ownership rights and privileges to certain NPD, catering to its non-rivalrous nature. As a result, the Committee proposed that the data rights and beneficial interests of a community or a Data Principal group will be operationalized through a Community Data Trustee. However, in its Revised Report, the Committee abandoned the ownership concept and identified five key principles to ascertain the rights of a community over data namely:
i) a community’s rights over resources associated collectively with it;
ii) community’s consent for use of such resources;
iii) sharing of benefits with the community;
iv) transparency in recording the resources of the community to prevent misuse and enables easy access of legitimate kind;
v) participation of the community in the governance of community resources.
The Committee in its Revised Report also proposes that the Community through a non-profit organization should be able to raise a complaint with a regulatory authority regarding any harm emerging from sharing NPD about their community.
9. Data Sharing and its Purpose: Although the Committee retained the definition of ‘data sharing’ provided in the Report, it recommends certain changes with respect to the purpose of data sharing. In the initial report, the Committee has proposed three purposes for sharing data:
i) sovereign data which may be requested for security, legal, law enforcement and other regulatory purposes;
ii) core public interest purposes such as data requested for research and innovations, policy development, etc.; and,
iii) economic welfare purposes.
In the Revised Report the Committee recognized ‘public good purposes’ as a mandatory ground for sharing data which includes sharing of an HVD for public good and benefits the society at large. Data may be requested for community uses, research, and innovation, for policymaking, social purpose, etc. Although the Committee recognized data requests for sovereign purposes, it suggested that the NPDA will not adjudicate the validity of data requests for the same as existing Regulations are governing the same.
The Revised Report further clarified that data sharing between business entities for business-related purposes will not fall within the scope of the NPD framework. The Revised Report proposes that a registered Data Business will share meta-data (data providing information about other data) and underlying data under suitable regulations possessed by them on open access NPDA managed directories. Organizations registered in India will have open access to this directory, and Data Trustees will be able to use the meta-data to request relevant subsets of data in order to create HVDs for the public good. It should be noted that Data Businesses bear the cost and resources for collecting, processing and managing NPDs as they derive value from such data. Requiring them to provide open access to this information could undermine private incentives to produce NPDs and defeat competitive advantages. Further, although the Committee recommends that the data requested should be specific and directed towards the targeted purpose, the NPD framework should come out with guidelines regarding the same.
10. Technology Architecture: The Committee in the Report had recommended technology-related guiding principles that can be used for creating and the functioning of shared data directories/databases and for rules and regulations related to data sharing in a digital format. The Revised Report retains the suggestions and recommends that the same can be used to ensure the effective creation and sharing of HVDs as well.
AMLEGALS REMARKS :
Although the Revised Report provided more clarity and a better understanding of various provisions which were not clear in the Report, many stakeholders still question the requirement of separate legislation. While some suggest that a common regime will lead to ease of compliance, better protection against privacy and reduction in regulatory cost which would, in turn, provide an impetus to economic growth, while others feel that the PDP Bill should be prioritized over the NPD framework.
Further, recent reports also suggest that the Joint Parliament Committee is planning to expand the scope of the PDP Bill to extend it to the protection of NPD as well, which runs contrary to the Committee’s recommendations. Moreover, even the Revised Report is not completely lucid in respect of some aspects relating to mandatory data-sharing, the term ‘community’, etc. Thus, it is only a matter of time to see how these issues are dealt with by the legislators in the days to come.
– Team AMLEGALS, assisted by Ms. Sanjana Ganguly (Intern)
For any query or feedback, please feel free to connect with aditi.tiwari@amlegals.com or mridusha.guha@amlegals.com
Leave a Reply