This blogpost summarizes the issues highlighted and recommendations given by the Committee of Experts on non-personal data governance framework in their revised report released for public consultations on 27 December, 2020.
Introduction
In September 2019, the Ministry of Electronics and Information Technology ("MeitY") appointed a committee of experts ("Committee") to recommend a framework to regulate non-personal data ("NPD") in India. The Committee had released the first version1 of its report in July 2020, and invited comments from stakeholders. From the previous report ("Old Report"), most stakeholders opposed the mandatory data sharing requirements. Last week, the Committee released a revised version2 of its report ("New Report"). In the New Report, the Committee has limited the scope and the purpose of the NPD subject to mandatory sharing. Only data that is necessary for the creation of 'high value datasets' ("HVD") will be subject to mandatory sharing requirements, for limited 'public good' purposes. Data processors are also excluded from the sharing obligations while proprietary information and trade secrets will not be subject to mandatory sharing obligations. The Committee has also recommended deleting references to NPD from the Personal Data Protection Bill, 2019 ("PDP Bill"), in order to avoid regulatory overlaps.
Here is a detailed comparison of the Old Report and the New Report:
| S. No. | Particulars | New Report | Old Report |
| 1. | Definition of NPD | No change3 | When the data is not 'personal data' (as defined under the PDP Bill), or the data is without any personally identifiable information (PII), it is considered NPD4. |
| 2. | Categorization of NPD | This classification is excluded from the New Report. | The Old classified NPD into sub-categories such as community NPD, public NPD, and private NPD.5 |
| 3. | Re-identification of NPD | In case NPD is re-identified, or converted into personal data, such re-identified data will be regulated under the provisions of the PDP Bill.6 | Recommended creating separate regulations to address issues relating to re-identification.7 |
| 4. | Overlap with the PDP Bill | Suggests deleting Clause 91 of the PDP Bill to ensure that it does not regulate NPD. Envisages mutually exclusive, yet harmonious construction of the PDP Bill and the proposed NPD framework.8 | Recommended that the NPD Authority should seek to work "within the framework" of the PDP Bill, and in consultation with the Data Protection Authority proposed in the PDP Bill.9 |
| 5. | Consent for anonymized data | Data custodians should provide a notice to the user at the time of collecting personal data and also offer them an option to opt out of data anonymization. Also, if consent has been provided and the data has not yet been anonymised, then the revocation of consent could be given effect to.10 | For anonymised personal data, the individual(s) to whom the data pertains must be considered as the data principal of such NPD. Thus, at the time of collecting the data principal's personal data, the entity must take the data principal's consent for: (a) anonymising the data principal's data; and (b) for usage of anonymised data.11 |
| 6. | Definition of 'data businesses' | A data business is any business which collects, processes, stores or manages data, including both personal and non-personal data. A data business could be either a data custodian or a data processor. Threshold parameters like gross revenue, number of consumers/households/devices handled, percentage of revenues from consumer information may be considered for defining a data business. The thresholds suggested in the PDP Bill for "Significant Data Fiduciary" should be harmonized with data thresholds for non-personal data.12 | Entities involved in data collection or processing will be classified as 'data businesses' based on a certain threshold of data collected/processed. Businesses below the threshold can register as a data business voluntarily.13 |
| 7. | Obligations of data businesses | A data business will share meta-data and the underlying data under appropriate regulations. Meta-data will include the names of the data-fields collected by the data business.14 This meta-data will be stored in open-access meta-data directories. Registration requirements of the Old Report have been incorporated in the New Report.15 | Required data businesses (companies, governments, non-government organizations, etc.) to disclose data elements collected, stored and processed, and data-based services offered through a report made in a digital format. If the data collection exceeds a certain threshold, the data business will have to submit meta-data about data user and community from which data is collected, with details such as classification, closest schema, volume etc. This meta-data will be stored digitally in meta-data directories in India.16 Data businesses will have to furnish information during 'initial registration', including business ID, business name, associated brand names, rough data traffic and cumulative data collected in terms of number of users, records and data; nature of data business, kinds of data collection, aggregation, processing, uses, selling, data-based services developed etc. Some of this information will also have to be provided as part of disclosure requirements.17 |
| 8. | Data Custodian | The New Report clarifies that both the government and private bodies could act as data custodians. The New Report retains the data custodian's 'duty of care' to a given community.18 | A 'data custodian' is an entity that undertakes collection, storage and processing of data, keeping in mind best interest of the data principal. It is similar to a data fiduciary under the PDP Bill. It has a 'duty of care' to the concerned community to which the NPD pertains; this 'duty of care' will be defined through a defined set of obligations.19 |
| 9. | Community right over NPD | Moving away from an ownership-based approach, the NPD Committee has identified five key principles to ascertain community rights over data: (i) a community's right over resources associated collectively with it; (ii) consent of the community for use of such resources; (iii) benefit sharing with the community; (iv) transparency in recording community resources to prevent misuse and enable easy access of the legitimate kind; and (v) community's participation in governance of community resources. According to the New Report, there is a constitutional basis for a community right over NPD: Article 39 (directive principles) provides that the material resources of the community should be distributed to serve the common good and disallow the concentration of wealth.20 | Adopted the notion of 'beneficial ownership/interest' of data, as many actors may have simultaneous ownership rights and privileges to data, due to the non-rivalrous nature of data. A community's beneficial interest is operationalized through a data trustee. The community can determine and control how such data and intelligence is used, presumably through the data trustee, in order to maximize benefits and minimize harms for the community.21 |
| 10. | Data trustee | Data trustees are defined as an organization, either a Government organization or a non-profit Private organization (Section 8 company / Society / Trust), that is responsible for the creation, maintenance, data-sharing of High-value Datasets ("HVDs") in India. They will play a key role in creation, storage, and maintenance of HVDs. Data trustees will also act as a 'middle-man' in the data exchange process: trustees can request NPD from data custodians to create HVDs while data requesters can seek access to such HVDs from the data trustee. Data trustees will ensure the operation of the 'community right' over NPD. Data trustees will have a data stewardship responsibility and a 'duty of care' to the concerned community. Also, it will have a responsibility to ensure that no harms to persons or groups of persons occur by re-identification of NPD.22 | The data principal or a community will exercise its rights through a data trustee. The NPD legislation will provide guidelines for who can act as an appropriate data trustee for a group/community. Data trustees can recommend to the 'data regulator' for enforcement of 'soft obligations' on data custodians, like transparency and reporting mechanisms, or even stronger ones involving regulation of data practices. Data sharing will be enforced by the data regulator in collaboration with a data trustee.23 |
| 11. | Data sharing purposes | The Committee has proposed a 'public good purpose' as the only ground for mandatory sharing of NPD. This purpose can include datasets useful for policy development, better delivery of public services, supporting societal objectives such as science, healthcare, urban planning etc. Two other purposes for NPD data sharing have been identified: (i) sovereign purpose: data may be requested for purposes of national security, legal purposes, etc. According to the Committee, mechanisms for accessing data for sovereign purposes already exists. Therefore, fresh regulations are not required in this regard; and (ii) business purpose: sharing of NPD for business related purposes will be exempt from the scope of NPD regulation.24 | There are various grounds specified for sharing of data, including national security, law enforcement, community use, policy development and better delivery of public services.25 |
| 12. | Data sharing mechanism | Data trustees will request data from data custodians to create HVDs for 'public good' purposes. Data requesters can avail access to such HVDs from the data trustee. According to the New Report, data trustees should have non-discriminatory access to such data. The New Report discusses the extent of 'granularity' of the NPD that will be contained in the HVDs, depending on the NPD sought: (i) for access to raw/factual data points, the data trustee can only ask for a specific subset of the data fields collected by the data custodian; (ii) for access to aggregated datasets, there is no specific restriction on access; and (iii) data trustees will not be allowed any access to inferred data like insights, trade secrets, algorithms, computational techniques etc.26 | Only raw/factual data will have to be shared by a private organization. Depending on the level of 'value-add' to the NPD, the mechanism of remuneration for the requested NPD will be determined. For example, in case of low value add, the data sharing will be done on FRAND (fair, reasonable and non-discriminatory) basis. In case of high value add, the private organization can determine how it wishes to use the NPD.27 Also, the Old Report recommended the creation of a new class of 'high value' or 'special public interest' datasets, such as health, geospatial and transportation data. |
| 13. | NPD Authority | The New Report notes that the NPD Authority's powers and functions should be reconciled with existing bodies like the Competition Commission of India and the proposed DPA in the PDP Bill. The NPD Authority may not have the power to address market failures28, and look at issues of personal harm29. However, the NPD Authority will focus on unlocking the value of NPD through data sharing mechanisms30. The NPD Authority's enabling role and enforcement role has been expanded upon in the New Report: (i) enabling role: ensure unlocking economic benefit from non-personal data for India and its people/communities; create a data sharing framework; and manages the meta-data directory of data businesses in India; and (ii) enforcement role: establish rights over Indian non-personal data in a digital world; address privacy, re-identification of anonymized personal data, prevent misuse of data; and in case of data sharing for HVD, the NPD Authority will adjudicate only when a data custodian refuses to share data with the data trustee. | The NPD Authority will have an enabling and an enforcing role. The Authority will have the power to address market failures in terms of lack of information about the quantum and nature of actual NPD assets held by an entity, or harms arising from processing activities, including re-identification or discrimination. It will also ensure a 'level playing field' with fair and effective competition in digital and data markets.31 |
| 14. | Data trusts | Data trusts have not been included in the New Report. | Data trusts were defined as institutional structures for sharing a given dataset as per specified rules and protocols, pertaining to a particular sector, and can contain data from multiple sources/custodians to facilitate data sharing.32 |
Additions to the New Report:
1. Guiding principles for NPD regulation: While even the Old Report alluded to a separate legislation to govern NPD in India, the New Report lists the following guiding principles on which the regulation will be based: (i) India has rights over data of India, its people and organisations; (ii) benefits of data must accrue to India and its people; (iii) innovation, new models and algorithms for the world. (iv) misuse, reidentification and harms must be prevented; (v) regulations should be simple, digital and unambiguous; (vi) data should be freely available for innovation and entrepreneurship in India.33
2. Exclusion of business-to-business data sharing: According to the Committee, sharing of NPD for business related purposes should be exempt from the scope of NPD regulation, as such sharing already exists. Outside of a defined 'public good purpose', mandatory commercial data sharing is not considered within the scope of the Committee's recommendations.34
3. Exemptions to data sharing: The following categories of NPD are not subject to mandatory data sharing requirements: (i) when data sharing would involve access to private companies' trade secrets or other proprietary information regarding their employees / internal processes and productivity data; and (ii) when data sharing is likely to violate privacy of individuals, groups, or communities.35
4. Exemption to data processors: A data processor means a company that processes NPD on behalf of a data custodian. Data processors include enterprise software, Software-as-a-Service providers, cloud service providers, Global Capability Centres (GCCs), IT and ITeS companies. They cannot be forced to share the NPD belonging to the data custodians.36 However, this exemption does not apply where the data processor collects, stores and processes NPD as part of its business operations, and not on behalf of another data controller/fiduciary.
5. High Value Datasets: An HVD is a dataset that can be shared for 'public good' purposes and is also beneficial to the community at large. According to the New Report, an HVD should: (i) be useful for policy making and improving public service and citizen engagement; (ii) help create new and high-quality jobs; (iii) help create new businesses -startups and SMEs (iv) help in research and education; (v) help in creating new innovations, newer value-added services or applications; (vi) help in achieving a wide range of social and economic objectives including poverty alleviation, financial inclusion, agriculture development, skill-development, healthcare, urban planning, environmental planning, energy, diversity and inclusion.
6. Classification/creation of HVDs: A data trustee may create/classify an HVD in consultation with the NPD Authority. Each HVD has to be managed by a single data trustee within a 'data infrastructure'.37 The proposed NPD Authority will release detailed guidelines to determine whether a dataset identified by the data trustee qualifies (in terms of dataset, objectives, size, actors involved etc.) as an HVD that meets the 'public good' criterion. Once categorized as an HVD, NPD can be requested by any private or public entity from the data trustee. Individuals cannot request any NPD from a data business.38
7. Sharing of datasets to create HVDs: The NPD Committee the committee describes what kind of data can be requested for building a HVD, it has identified the granularity of high-value data. As per the New Report, complete raw/factual/transactional level datasets will not be collected from both public and private sources for creating HDVs. Only specific subsets of data may be collected. Private inferred data of private companies will not be collected for creation of HDVs.39 There will be no restriction on collection of aggregate data.
8. Intellectual property rights: The Committee noted that data sharing may be mandated only for designated high value data-sets, where the fields for data to be shared are also pre-determined (which are expected to be a subset of the fields in the original database, for example, the meta-data that a hospital collects about a patient may include the following fields: patient name, age, weight, and symptoms). According to the Committee, extraction of pre-set fields from a dataset would not violate the database design copyright. Similarly, trade-secret protection will only be allowed if the act of compiling or processing any NPD leads to an inherently non-public and secret compilation of data. However, the Committee noted that trade-secret protection is unlikely to cover a proprietary right over data to prevent the eminent domain of this data.40
9. Proposed innovation advisory body: The NPD Authority will establish a body to discuss and make recommendations on aspects like data sharing, data governance, privacy protection, data stewardship etc. This body will include members from the government, industry and academia. This body will comprise of highly accomplished experts from academia, government, industry and society.41
Stakeholders can comment on the New Report till 27 January 2021, though it is unclear if the report will be revised again based on stakeholders' comments through the MyGov portal.42 The Committee has recommended that the proposed framework in its New Report should be used by the government to come up with a new legislation to regulate non-personal data.
Footnotes
1. https://static.mygov.in/rest/s3fs-public/mygov_159453381955063671.pdf ("Old Report").
2. https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf ("New Report")
3. Paragraph 4.1. of the New Report.
4. Paragraph 4.1. of the Old Report.
5. Ibid.
6. Paragraph 5.1 of the New Report.
7. Paragraph 3.7.(vii) of the Old Report.
8. Paragraph 5.3 of the New Report.
9. Paragraph 8.2(viii) of the Old Report.
10. Paragraph 5.4 of the New Report.
11. Paragraph 4.6 of the Old Report.
12. Paragraph 6 of the New Report.
13. Paragraph 6.1 of the Old Report.
14. Paragraph 6.3 of the New Report.
15. Paragraph 6 of the New Report.
16. Paragraph 6.2 of the Old Report.
17. Paragraph 6.2 of the Old Report.
18. Paragraph 7.4 of the New Report.
19. Paragraph 4.8 of the Old Report.
20. Paragraph 9.8 of the New Report.
21. Paragraph 5.1 of the Old Report.
22. Paragraph 7.7. of the New Report.
23. Paragraph 4.9 of the Old Report.
24. Paragraph 8 of the New Report.
25. Paragraph 4.9 of the Old Report.
26. Paragraph 8.10 of the New Report.
27. Paragraph 7.4 of the Old Report.
28. Paragraph 7.10 of the New Report.
29. Para 5.2 of the New Report.
30. Para 7.12 of the New Report.
31.Paragraph 8.2 of the Old Report.
32. Paragraph 4.10 of the Old Report.
33. Paragraph 3.4. of the New Report.
34. Paragraph 8.6 of the New Report.
35. Paragraph 8.6 of the New Report.
36.Paragraph 7.5 of the New Report.
37.Paragraph 7.6 of the New Report.
38. Paragraph 7.8 of the New Report.
39. Paragraph 8.9 of thr Report.
40.Paragraph 9 of the NEw Report.
41. Paragraph 8.15 of the New Report.
42. https://secure.mygov.in/group-issue/share-your-inputs-draft-non-personal-data-governance-framework/?field_hashtags_tid=&sort_by=created&sort_order=DESC&page=0%2C2
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
