On July 12, 2020, a committee of experts ("NPD Committee") constituted by the Ministry of Electronics and Information Technology, Government of India ("MeitY") released its report on "Non-Personal Data Governance Framework" ("Report") for public comments. The NPD Committee was constituted by the MeitY under the chairmanship of Mr. Kris Gopalakrishnan to study issues relating to non-personal data ("NPD") and to formulate a framework to govern NPD in India. After taking into consideration comments received from the public, the Committee released a revised version of the Report in December, 2020 ("Revised Report"). We have summarized below the key changes made to the Report.
- Categorization of NPD: Under the Report, the NPD Committee classified NPD into three categories i.e. Public NPD, Private NPD and Community NPD.
While the definition of NPD[1] continues to remain the same, this classification of NPD has been removed from the Revised Report. The Revised Report, however, provides illustrative examples of NPD collected by public and private entities in public and private domains, using public and private data collecting mechanisms.
- Interface between the PDP Bill[2] and the Report: Under the Report, the NPD Committee took note of the fact that there would be an overlap between the PDP Bill and the Report and accordingly recommended the NPD Authority (discussed below) to work within the framework of the PDP Bill and in consultation with the Data Protection Authority (as defined under the PDP Bill) to tackle such an overlap.
However, the Revised Report recommends deletion of Sections 91(2) and 93(x) of the PDP Bill (which attempt to establish within the PDP Bill a regulatory framework for NPD), to ensure that the two frameworks are mutually exclusive, yet work harmoniously with each other.
- Consent: Under the Report, the NPD Committee proposed a consent framework for anonymization of data. As per the Report, when an entity obtains an individual's consent for the collection of his/her personal data, the entity should also obtain specific consent for anonymization of such data and the use of such anonymized data.
The Revised Report recommends data collectors to (i) provide a notice; and (ii) offer the data principal an option to opt out of data anonymization, at the time of collecting personal data. Further, the Revised Report also recommends that in the event consent has been provided but the data has not yet been anonymized, then revocation of consent could be given effect to.
- Definition of Data Business: Under the Report, any business collecting data beyond a certain threshold would be classified as a Data Business. Further, the Report also recommended that all public and private entities that exceeded certain data-related thresholds be required to mandatorily register themselves as 'Data Businesses'.
The Revised Report has defined a Data Business to mean any organization (Government or private organization) that collects, processes, stores, or otherwise manages data. Further, the Revised Report clarifies that a Data Business could be a Data Custodian or Data Processor. The Revised Report has also made certain suggestions in relation to classification and registration of Data Businesses:
  - A Data Business above a certain threshold must be registered in India.
  - Certain threshold parameters (such as gross revenue, number of consumers/households/devices handled, percentage of revenues from consumer information) should be considered while defining Data Business.
  - The thresholds suggested in the PDP Bill for 'Significant Data Fiduciary'[3] should be harmonized with data thresholds suggested for NPD.
- Data Custodians: The Report defined a Data Custodian as a person that undertakes collection, storage, processing, use of data. The Report also clarified that the Data Custodian would be akin to a 'Data Fiduciary' (under the PDP Bill), and would be expected to act in the 'best interest' of the Data Principal/group/community and would have a 'duty of care' to the concerned person while handling NPD.
The Revised Report has clarified that a Data Custodian may either be a private organization or the Government.
- Data Processor: The Revised Report has defined a Data Processor to mean a company that processes NPD on behalf of a Data Custodian. The Revised Report has also clarified that the Data Processor will not be treated as a Data Custodian under the NPD governance framework for the data that it processes on behalf of the Data Custodian and accordingly, in this regard, Data Processors will not be expected to share NPD.
- Data Trustees: The Report defined Data Trustee as a person who exercises rights on behalf of a Data Principal group/community. The Report also provided that the proposed NPD Act will contain detailed guidelines on the eligibility criteria for Data Trustees. Further, the Report suggested that the Data Trustees could recommend soft obligations on data custodians in relation to transparency and reporting mechanisms.
The Revised Report has defined a Data Trustee as an organization, either a Government organization or a non-profit private organization (Section 8 company / Society / Trust), that is responsible for the creation, maintenance and data-sharing of 'High-Value Data sets' ("HVD") (discussed below) in India. Data Trustees have a responsibility towards responsible 'data stewardship' and a 'duty of care' to the concerned community in relation to handling NPD related to it. Further, the Revised Report also imposes the following obligations on a Data Trustee:
  - A Data Trustee has to ensure that the HVD are used only in the interests of the community.
  - A Data Trustee has a responsibility to ensure that no harm to persons / groups of persons occurs through re-identification of NPD.
  - A Data Trustee is obligated to establish grievance redressal mechanisms so that the community can raise grievances.
- Data Trusts: The Report contained a concept of Data Trusts. As per the Report, Data Trusts are institutional structures comprising specific rules and protocols for holding and sharing a given set of data. Data Trusts can store data from multiple sources, custodians etc., that is relevant to a particular sector or required to provide a set of digital or data services.
The concept of Data Trust has been removed from the Revised Report.
- Ownership of Data: In the Report, the NPD Committee adopted the notion of 'beneficial ownership/interest' since there would be several persons/entities that may exercise ownership rights and privileges to certain NPD. Accordingly, based on this concept, all public NPD derived from public efforts was considered to be a national resource that will be owned by the state. For all community NPD, the ownership would vest with the Data Trustee, with the community being the beneficial owner.
The Revised Report has done away with the ownership concept and instead has introduced five key principles to determine a community's right over data:
  - a community's right over resources associated collectively with it;
  - consent of the community for use of such resources;
  - benefit sharing with the community;
  - transparency in recording community resources to prevent misuse and enable easy access of the legitimate kind; and
  - community's participation in governance of community resources.
- Concept of HVD: The Revised Report has introduced a concept of HVD. HVD is a dataset that is for the public-good and benefits the community at large. As per the Revised Report, HVD must:
  - Be useful for policy making and improving public service and citizen engagement;
  - Help in creating new and high quality jobs;
  - Help in creating new start-ups and SME businesses;
  - Help in research and education;
  - Help in creating new innovations and newer value add services;
  - Help in achieving social and economic objectives such as poverty alleviation, financial inclusions, agricultural development, skill-development, health care, urban planning, energy, environmental planning and diversity and inclusion.
The Revised Report also suggests a process for creating HVD. Data Trustees may create HVD in consultation with the NPD Authority. The NPD Authority will release detailed guidelines to determine whether a dataset identified by the Data Trustee qualifies (in terms of dataset, objectives, size, actors involved etc.) as HVD. On completion of categorization of HVD, public and private organizations in India may request Data Trustees for access to such HVD. However, individual persons cannot make such requests. Further, the Data Trustee may also charge a nominal fee (towards data infrastructure and data processing) from the requester of HVD.
- Data Sharing Framework: In the Report, the NPD Committee clarified that with respect to private NPD, only raw and factual data pertaining to a community is required to be shared, at no remuneration. Data in relation to proprietary knowledge and algorithms was excluded for this purpose. Further, where there has been a value-add to community data, and where such value-add is non-trivial, such sharing of data will be subject to a fair, reasonable and non-discriminatory (FRAND) based remuneration. Where there is an increasing value addition made to such data, the price will be determined by market forces. Where there is a high level of value addition, private organizations are allowed to solely determine how they would wish to use the data.
The Revised Report suggests that only data that is necessary for creation of HVD will be subject to mandatory sharing. Notably, the Revised Report suggests granularity of NPD that is to be collected for the purpose of HVD and also lays out the process for sharing HVD. As per the Revised Report, a Data Trustee should request data from all major Data Custodians in the relevant data-category to create HVD. To determine the data that may be collected by the Data Trustee for the purpose of HVD, the NPD Committee has classified data into:
  - raw/factual/transactional level data (for example, census information of a citizen (anonymized));
  - aggregate level data (for example, aggregated details of taxi trips of all travelers in a locality); and
  - inferred level data (for example, derived view of data that is developed by combining different data points typically involving trade secrets, algorithms etc.).
As per the Revised Report, complete raw/factual/transactional data cannot be collected from public and private resources. Only specific sub-sets of data may be collected. There are no restrictions on collecting aggregate level data. Private inferred data from private organizations cannot be collected.
- Purposes of Data Sharing: Under the Report, the NPD Committee suggested that regulated access be provided by Data Businesses to various stakeholders such as government, citizens, start-ups, companies, universities, research labs and NGOs. However, a request for sharing of such data may only be made for certain defined purposes such as sovereign purposes, core public interest purposes and economic purposes.
As per the Revised Report, data may be requested for the following purposes:
  - Sovereign Purpose: The Revised Report suggests that data may be requested for purposes of national security and legal purposes. However, data requests for sovereign purposes can only be made by public/government entity and such data requests may be made to public or private Data Custodians. The Revised Report also suggests that the NPD Authority will not adjudicate the validity of a data request made under sovereign purposes.
  - Public Good Purpose: Data may be requested for community uses / benefits or public goods, research and innovation, for policy development, better delivery of public-services. However, such data can only be requested by public or private organizations registered in India and no individual person can make a data request.
  - Business Purpose: The Revised Report has clarified that sharing of data between business entities for business related purposes will be outside of the scope of the NPD framework.
- Exemptions to Data Sharing: The Revised Report has clarified that the following NPD will not form part of mandatory sharing requirements under the NPD framework:
  - Data sharing that would involve access to private companies' trade secrets or other proprietary information regarding their employees / internal processes and productivity data.
  - Data sharing that would likely result in violating the privacy of individuals, groups, or communities.
- NPD Authority: As per the Report, the NPD Committee recommended a separate authority, NPD Authority, for the purpose of ensuring compliance with the proposed NPD Act. The NPD Authority will consist of members having relevant industry experience. Further, as per the Report, the NPD Authority will play the role of an enforcing and enabling authority. As an enforcing authority, the NPD Authority will ensure that all stakeholders adhere to the rules, fulfill data requests, evaluate risks of de-identification of anonymized data etc. As an enabling authority, the NPD Authority will ensure that data is shared for sovereign, social welfare, and for regulatory and competition purposes. The Committee also recommended that the roles of the Personal Data Authority (as per the PDP Bill), Competition Commission of India (CCI) and the proposed NPD Authority be harmonized to ensure that there is no conflict.
As per the Revised Report, the NPD Committee has expanded the enabling role and the enforcing role of the NPD Authority.
  - Enabling Role: The NPD Authority's enabling functions would be (i) to ensure unlocking of economic benefit from NPD for India and its people / communities; (ii) to create a data sharing framework; and (iii) to manage the meta-data directory of Data Businesses in India.
  - Enforcing Role: The NPD Authority's enforcing functions would be (i) to establish rights over Indian NPD in a digital world; (ii) to address privacy, re-identification of anonymized personal data, prevent misuse of data; and (iii) to adjudicate the matter when the Data Custodian refuses to share data with the Data Trustee for the purpose of HVD.
- Innovation Advisory Body: The Revised Report recommends the NPD Authority to establish an Innovation Advisory Body consisting of accomplished experts from academia, Government, industry and society to develop and innovate aspects in relation to data sharing, data governance and technical standards (such as interoperability, privacy protection and data stewardship).
The NPD Committee seems to have taken into consideration comments received from the public and stakeholders on the mandatory sharing requirements and has heavily focused on limiting the scope of mandatory sharing requirements. Another notable change made to the Report is the explicit exclusion of trade secrets and proprietary information of private companies from the applicability of the NPD framework, providing a huge relief to concerned stakeholders.
1. Under the Report, NPD has been defined as data which is not 'Personal Data' (as defined under the Personal Data Protection Bill, 2019 ("PDP Bill")), or data without any Personally Identifiable Information (PII).
2. The PDP Bill was tabled in the Indian Parliament by the Minister of Electronics and Information Technology on December 11, 2019. It is presently being examined by a Joint Parliamentary Committee.
3. As per the PDP Bill, based on factors such as the volume of personal data processed, sensitivity of personal data processed, turnover of the Data Fiduciary, risk of harm resulting from any processing, use of new technologies, the Data Protection Authority will notify certain Data Fiduciaries as "Significant Data Fiduciary".