A draft Personal Data Protection Bill, 2019 ("Draft Privacy Bill") is presently being considered by the Indian Parliament. The ownership and use of non-personal data is the second prong of the Indian Government's approach to 'data sovereignty'. In September 2019, the Ministry of Electronics and Information Technology ("MeitY") constituted a committee of experts ("Committee") to study and provide it suggestions on regulating non-personal data ("NPD").
NPD is any data that lacks any personally identifiable information or is data that has been anonymised. The Committee released its Report by the Committee of Experts on Non-Personal Data Governance Framework ("Report") on July 12, 2020. The Committee recognized that management of NPD is necessary to incentivize innovation, create value from data sharing, address privacy concerns and prevent harms.
The report can be viewed here: https://static.mygov.in/rest/s3fs-public/mygov_159453381955063671.pdf.
Key Recommendations in the Report
- Defining NPD - The report identifies three categories of NPD - public, community and private. Public NPD includes data collected or generated by government agencies, community NPD includes anonymized data, and private NPD includes data related to privately owned assets of a person or entity or derives as a result of private effort. Sensitive NPD has been defined as data relating to national interest, business interests or confidential information and anonymized data which bears the risk of re-identification.
- New Regulation and Authority - Separate regulatory authority to be established to (i) ensure NPD is shared for spurring innovation in the country; and (ii) enforce rules and regulations laid down, undertake risk evaluations, etc. The Committee has also recommended the formulation of a new law for regulation and management of NPD.
- Regulation of Data Business - An organization that collects and provides services using NPD becomes a 'data business'. Such entities have to disclose that they are a data business to the non-personal data regulator. The requirement for registration will be triggered by a threshold decided by regulators.
- Stakeholders - The Report has identified the following as stakeholders that it proposes to regulate:
(i) data principal (the person to whom the NPD relates); (ii) data custodian (the person who collects/ stores, processes and/or uses the NPD); (iii) data trustees (rights based group/community of data principals); and (iv) data trusts (institutional structures, comprising specific rules and protocols for maintaining and sharing a given set of data). Unlike personal data where the data principal is the natural person to whom the personal data relates, in case of non-personal data, it is determined by the category of non-personal data.
- Consent for anonymized data - The Committee recommends that a data principal should consent to the anonymization of their personal data and its usage, when consenting to its processing.
- Data Ownership: 'Legal basis for establishing rights' over NPD includes: (i) data sovereignty - some data sets can be considered a national resource and, therefore, owned by the state; (ii) beneficial ownership / interest - in case of community NPD, rights over the NPD would vest in a trustee, and the
community would be the beneficial owner, in whose interest such NPD ought to be utilized; and (iii) origin from personal data - NPD derived from personal data will be owned by the individual whose personal data is underlying the NPD.
- Data storage - The principles for storage of personal data stated in the PDP Bill are suggested for NPD as well. Sensitive NPD may be transferred outside India but shall continue to be stored locally. Critical NPD (which is to be defined and notified by the government) can only be stored and processed in India. General NPD may be stored and processed anywhere in the world.
- Data sharing - NPD may be requested by government agencies, citizens, start-ups, companies, NGOs, research institutes and universities for (i) sovereign purposes (ii) core interest public purposes (iii) economic purposes. The Committee proposes the development of a data sharing mechanism for various purposes, and the different categories of NPD.
How it may affect you
A regulation introduced on the basis of the Report would impact Indian and foreign organization doing business in India. This will affect the way in which you can access and use NPD going forward, given that there is no regulation in place currently. You may need to undertake several additional compliances, like registering with and observe rules set-forth by regulator, submitting digital compliance reports, etc. You may also need to localize certain sensitive NPD. Finally, you may face demand from law enforcement bodies to share data.
The Report is currently open for public consultation until August 13, 2020. We will continue to track this and keep you posted on future developments.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.