In September 2019, the Ministry of Electronics & Information Technology constituted a committee of experts ("Committee") to deliberate on issues related to Non-Personal Data ("NPD") and suggest suitable recommendations for its regulation. On July 12, 2020, the Committee released its report ("Report") for public consultation on inter alia the enactment of a legislation for regulation of NPD ("NPD Statute") as well as establishment of an authority under NPD Statute ("NPD Authority").
In this newsletter, we set out some of the key recommendations suggested by the Committee as under:
- Case for Regulation
The Committee notes that the world has become "awash with data" due to the world-wide adoption of internet, smartphones, and cloud driven apps as well as increasing use of artificial intelligence systems. The Committee takes note of the economic value and wealth generated by data in addition to the social and public value and that the data is increasingly taking the centre-stage in core-technological businesses, all economic sectors around the world and in addressing various social and public administration issues. Additionally, given the population of India and its projection as one of the top consumer markets as well as possibilities of data monopolies in an unregulated environment, the Committee recognised that the government's role is to catalyse the data businesses in a manner that maximizes overall welfare of all stakeholders.
In this context, the Committee has set out a case for regulation of NPD to achieve the following enabling benefits:
- To create a modern framework for realisation of economic value from use of data, to generate economic benefits for citizens and communities in India and unlock the potential for social/public/economic value data.
- To create certainty and incentives for innovation and new products/services creation and encourage start-ups in India.
- To create a data sharing framework such that community data is available for social/public/ economic value creation.
- To address privacy concerns, including from re-identification of anonymised personal data, preventing collective harms arising from processing of NPD, and to examine the concept of collective privacy.
- Definition of NPD and types of NPD
The Report defines NPD as data which is not 'Personal Data'1, as defined under the Personal Data Protection Bill, 2019 ("PDP Bill") or the data is without any 'personally identifiable information'.
The Committee has further classified NPD into three (3) sub-categories:
- Public NPD: NPD collected or generated by government or by any agency of the government and includes data collected or generated in the course of execution of all publicly funded works but does not include data which is explicitly afforded confidential treatment under a law. Examples include anonymised data of land records, vehicle registration data etc.
- Community NPD: NPD, including anonymised personal data, and non-personal data about inanimate and animate things or phenomena (whether natural, social or artefactual) whose source or subject pertains to a community of natural persons. Examples include datasets collected by the municipal corporations, public electric utilities, datasets comprising user-information collected even by private players like telecom, e-commerce, ride-hailing companies etc.
- Private NPD: NPD collected or produced by persons or entities other than the governments, the source or subject of which relates to assets and processes that are privately-owned by such person or entity, and includes those aspects of derived and observed data that result from private effort. Examples include inferred or derived data/insights involving application of algorithms, proprietary knowledge.
- Sensitivity of NPD
Drawing inference from the concept of sensitivity of data in the context of personal data, the Committee has introduced a concept of sensitivity in the context of NPD which may relate to:
- national security or strategic interests;
- bears risk of collective harm to a group (collective privacy etc.);
- business sensitive or confidential information;
- anonymised data, that bears a risk of re-identification
Additionally, recognising the possibility of harm to the original data in view of the fact that no anonymisation technique provides perfect irreversibility, the Committee recommended that NPD arising from 'sensitive personal data' (as defined under the PDP Bill)2 should also be considered as sensitive NPD.
- Consent for Anonymised Data
Based on the inputs of the industry as well as its own research, the Committee observed that the large collections of anonymised data can be de-anonymised and protection was needed for the individual. This principle is based on the premise that the personal data that is anonymised should continue to be treated as the NPD of the data principal and the data principal should also provide consent for anonymisation and usage of this anonymised data while providing consent for collection and usage of personal data. The Committee has also recommended that appropriate standards of anonymisation be defined to prevent/minimize the risks of re-identification.
- Key Constituents of NPD Ecosystem
The Committee has identified the following four (4) key constituents in the NPD ecosystem:
- Data Principal: In case of Public NPD and Private NPD, the data principal will be the corresponding person (individuals, companies, communities) to whom the data relates. In case of Community NPD, the Committee recommends that the community should be deemed to be the data principal as it is the source/subject of the community data.
- Data Custodian: The data custodian undertakes collection, storage, processing, use etc. of data in a manner that is in the best interest of the data principal and may be considered as data fiduciary having a 'duty of care' to the concerned community in relation to the handling of NPD and an obligation to act in the 'best interest' of such community. The Committee has suggested that an appropriate NPD framework legislation will also inter alia lay down principles and guidelines for various incentives for data custodians, respective data privileges, compensations where needed, the nature of the well-regulated data markets, etc.
- Data Trustee: Data trustee is a person through which a data principal group/community will exercise its data rights. The Committee recommends that the NPD Statute should lay down the principles and guidelines about who can constitute the appropriate trustee in a given context of group/community data and in principle, it should be the closest and most appropriate representative body for the community concerned.
The Report also suggests the following roles for a data trustee:
- enforcement of safeguards on the sharing of Community NPD of which it is the trustee before the data regulator (NPD Authority) in cases where mandatory data sharing will be required to open up competition in any concerned sector enabling start-ups, or for other community/public interest purposes;
- recommending to the data regulator (NPD Authority) the enforcement of obligations on data custodians, like transparency and reporting mechanisms, or stronger ones involving regulation of data practices, within the framework to be specified by NPD Statute;
- collaborating with the data regulator (NPD Authority) seeking and enforcing data sharing regarding various community data on specific data requests.
- Data Trust: Data trusts are institutional structures, comprising specific rules and protocols for containing and sharing a given set of data. Data Trusts can hold NPD voluntarily shared by data custodians. In case governments/data trustees also seek mandatory sharing of important data for a sector for specific purposes, such information would also be managed and provided by data trusts.
- Rights over NPD
The Committee has adopted the notion of "beneficial ownership/interest" with respect to establishment of legal rights over NPD.
In case of NPD developed from personal data of an individual, the data principal for personal data will continue to be the data principal for the NPD, which should be utilized in the best interest of that individual.
The Committee recommends that as Public NPD is derived from public efforts it should be considered as a national resource.
In case of Community NPD, the Committee recommends the rights should vest with the trustee of that community, with the community being the beneficial owner, and such data should be utilized in the best interest of that community.
In case of Private NPD, only such raw/factual data pertaining to a community that is collected by private organisation may need to be shared.
- Data Business
In view of the economic value derived by organisations from data, the Committee has recommended creation of a new category/taxonomy of business called 'Data Business' which meets certain data threshold. A data business will be a horizontal classification and not a separate industry sector. Once a business reaches a certain data-related threshold, it will be required to register as 'Data Business' and such registration is applicable for private as well as government organisations. Registration is voluntary for entities which do not fulfil the threshold.
The Data Business will be required to submit meta-data about data user and community from which data is collected, with details such as classification, closest schema, volume etc. as per a directory of data classification and schema published by the NPD Authority. Such meta-data will be openly accessible to Indian citizens and organisations.
- Data Sharing
The Committee has recommended three (3) purposes for which NPD may be shared:
- Sovereign Purpose: Data may be requested for national security, law enforcement, legal or regulatory purposes.
- Core Public Interest purpose: Data may be requested for community uses/benefits or public goods, research and innovation, for policy development, better delivery of public-services, etc.
- Economic Purpose: Data may be requested in order to encourage competition and provide a level playing field or encourage innovation or for monetary consideration as part of a well-regulated data market, etc.
- Data-Sharing Mechanisms and Checks and Balances
The Committee has inter alia suggested establishment of appropriate data sharing mechanisms for sharing public, community and private data as well as improvement on existing open government data initiatives and ensure that high-quality Public NPD sets are available.
Additionally, with respect to checks and balances, the Committee suggested various factors for ensuring appropriate implementation of the rules and regulations with respect to data sharing such as location of the NPD, contractual agreement between cloud provider and data business, tools for testing and probing on the data on secure clouds, expert probing, establishment of an Academic-Industry Advisory Body and limitation of liability through self-regulation and rectification.
- Establishment of NPD Authority
The Committee has suggested creation of a distinct NPD Authority for regulation of NPD as this is a new and emerging area of regulation and such authority will require specialized knowledge of data governance, technology, latest research and innovation in the space of NPD.
The NPD Authority will have two (2) roles:
- Enabling role: Ensuring that data is shared for sovereign, social welfare, economic welfare and regulatory and competition purposes and encouraging innovation; and
- Enforcing role: Ensuring all stakeholders follow the rules and regulations, provision of data appropriately when data requests are made, undertaking ex-ante evaluations of the risk of re-identification of anonymised personal data etc.
Additionally, the Committee also highlights the functions/duties of the NPD Authority which may be required to be undertaken such as:
- enabling legitimate sharing requests and requirements and regulation and supervision of corresponding data-sharing arrangements involving data businesses, data trustees and data trusts;
- addressing market failures and supervising the market for NPD;
- administration of the NPD Statute;
- ensuring a fair and level playing field for all Indian participants so as to maximise Indian data value for the Indian economy;
- Privacy related issues for NPD;
- Recognizing ownership rights and privileges in NPD and incentives to innovate.
Separately, the Committee also suggests harmonisation of the roles of the NPD Authority and authorities under the PDP Bill and the Competition Act, 2002.
- Technology Architecture
The Committee has considered some guiding principles for the technology architecture for creating and functioning of shared data directories/data bases and for digitally implementing the rules and regulations related to data sharing which include:
- Mechanisms for accessing data – All sharable NPD and datasets created or maintained by government agencies, companies, start-ups, universities, research labs, non-government organisations, etc. should have a REST (Representational State Transfer) API for accessing the data.
- Distribution for data security - Data storage to be in distributed format so as to avoid single point of leakage. Sharing of data to be undertaken using APIs only such that all requests can be tracked and logged and all requests for data must be operated after registering with the company for data access.
- Standardized data exchange: The Committee suggested creation of a standardized data exchange approach irrespective of data type, exchange method or platform wherein the collated data should be made available for stakeholders to use and make inferences. Additionally, the data exchange should be able to accept any form of data and produce standardised output that is usable for all stakeholders.
- Prevent de-anonymisation: The Committee has recommended adoption of the best differential privacy algorithms for creation of anonymised data and establishment of mechanisms to ensure prevention of re-identification of anonymised data.
Considering that data is valuable and it must be regulated in an appropriate manner, the Committee has strongly recommended that a clear definition of NPD and the key roles in the NPD eco-system must be identified, articulated and regulated through a NPD Statute.
1 Under the PDP Bill, 'personal data' has been defined as "data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling".
2 Under the PDP Bill, 'sensitive personal data' means such person data which may reveal or may be related to or constitute (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data by the Central Government.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.