Amidst the clamour of "data is the new oil" and "data is the new currency", the Indian government is now looking to regulate the collection, storage, access and usage of personal as well as non-personal data. There are concerns that the Indian government as well as authorities all over the world are struggling to resolve. In September 2019, the Ministry of Electronics and Information Technology (MeitY) formed a committee of experts led by the co-founder of Infosys – Kris Gopalakrishnan ("Committee"), to make specific suggestions on regulation of non-personal data. In its draft report released on July 12, 2020, the Committee has made crucial recommendations that can have a considerable impact on India's data protection regime.
The Committee has recommended that a separate legislation be formulated to govern non-personal data and a new regulatory authority be formed for monitoring the collection, storage and use of non-personal data. The Committee has also addressed a persistent question – what is non-personal data? Listed below are some of the key recommendations given by the Committee:
- Given the need to regulate data, it has been recommended that a clear definition of Non-Personal Data and key roles in the non-personal Data ecosystem must be articulated. The Committee has defined three categories of non-personal Data – (i) Public non-personal data; (ii) Community non-personal data; and (iii) Private non-personal data.
- It has been recommended that the data principal should also provide consent for anonymization and usage of this anonymized data while providing consent for collection and usage of his/her personal data.
- In order to develop and enable a robust non-personal data ecosystem, a set of roles/stakeholders and data infrastructure needs to be defined. The following non-personal data roles have been prescribed – (i) Data principal; (ii) Data custodian; (iii) Data trustees; and (iv) Data trusts. Unlike personal data where the data principal is the natural person to whom the personal data relates, in case of non-personal data, it is determined by the category of non-personal data.
- The Committee has recommended creation of a new taxonomy of business called 'Data Business' that collects, processes, stores or otherwise manages data and meet certain threshold criteria. These data businesses will provide, within India, open access to meta-data and regulated access to the underlying data.
- It has been recommended that access to non-personal data should be allowed for limited purposes. These are: (i) Sovereign purpose – for national security, legal purpose etc.; (ii) Core public interest purpose – for community benefits or public goods, research and innovation, policy making, for better delivery of public-services etc.; and (iii) Economic purpose – in order to encourage competition and provide a level playing field or encourage innovation through startup activities (economic welfare purpose), or for a fair monetary consideration as part of a well-regulated data market.
- Establishing a non-personal data authority with two major roles to play – (i) Enabling role, where it will ensure that data is shared for sovereign, social welfare, economic welfare and regulatory and competition purposes and thus spurring innovation in the country; and (ii) Enforcing rule, where it will ensure that all stakeholders follow the rules and regulations laid, provide data appropriately when data requests are made, undertaking ex-ante evaluations of the risk of re-identification of anonymized personal data and so on.
The stir around regulation of non-personal data in India started as early as in 2017. The Telecom Regulatory Authority of India attempted to understand the economic value of data through a consultation paper on privacy and ownership of data gathered by the telecom companies. The consultation paper introduced the concept of a "data sandbox" which would be a repository of anonymized data sets contributed by entities in order to enable others to develop new products. The Justice B.N SriKrishna committee also discussed a similar concept called "community data" in the draft data protection bill report.
Why is there a need to regulate non-persona data?
Firstly, the threat to positive market proliferation is substantial. Niti Aayog in its paper on "National Strategy for Artificial Intelligence" pointed out that there is an evident concentration of data in the hands of a few big players which acts as an entry barrier for new companies and startups. Few big data companies have achieved unprecedented economies of scale complemented by network effects. This seriously harms competitiveness in the market and is very dangerous for consumers in the long run.
Secondly, the regulation of data closely influences international trade practices. WTO members, India being one, are restricted from discriminating among products and services from other member countries except in cases where exemptions are applicable. In an extension to this, member states have also refrained from imposing custom duties on electronic transmissions. A regulation regarding the regulation of non-personal data from the sixth largest consumer market of the world is likely to kick off conversations on international data transfer regimes in the WTO.
Thirdly, privacy concerns have arisen considering the threat of re-identification of anonymized data which does not come under the purview of the Personal Data Protection bill. This threat increases manifold when a single entity has access to diverse compiled data sets making re-identification easier and more threatening for the data subjects whose identities and other aspects can be revealed and used for malicious purposes.
Lastly, national security, sovereignty and integrity is a constant and a colossal threat. The existing regimes for data security collect massive amounts of data, both personal and non-personal. The threat is twofold in this case. There is an external threat from foreign powers and non-state actors which severely challenge the safety and security of our borders and our citizens. On the other hand, there is an internal threat from overarching power given in the hands of the government to control and collect such information of its citizens. There is a need to balance both the interests keeping the principles of proportionality, necessity and justice in mind.
The Economic Survey of India 2018-2019 extensively dealt with the question of data declaring it to have characteristics of public good. It called for a robust data mechanism based on integration of different data sets which could empower all stakeholders, minimize exclusion and make targeted delivery of services more efficient. The importance of having a system in place that gives access to non-personal data on more equitable terms cannot be over-emphasized. It could challenge the dominance of big players, fuel innovation and accelerate growth. However, not all non-personal data can be treated in a similar manner. The risks of re-identification, large scale misuse of data and the bad track record of India in maintaining data security are too huge to turn a blind eye to. However, much is left to speculations and inferences till the separate legislation is formulated. Till then, what we know is that the data market in India is en route to being heavily and closely regulated and supervised through a slew of laws including e-commerce policy, data protection bill and now the draft on non-personal data.
Originally published July 15, 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.