The Ministry of Electronics & Information Technology (“MEITY”) in the year 2019 formed a Committee to make recommendations for the consideration of the Central Government on the regulation of the Non-Personal Data. The Expert Committee headed by Infosys co-founder, Mr. Kris Gopalakrishnan, released its report (“Report”) on Non-Personal Data Governance Framework.
The Committee in its Report has observed that the world is awash with data due to the growth of technology. Data, inter alia, contributes to economic value and wealth, and organizations have been discovering ways to generate value from it. The digital economy is witnessing the emergence of a few dominant players and a certain imbalance in the market. Considering the increasing importance and value generation capacity of the data economy, there is a need to enable and regulate all aspects of data, both Personal and Non-Personal Data.
The MEITY has already introduced the Personal Data Protection Bill 2019, which primarily deals with the protection and use of the Personal Data of individuals. However, the present Report is the first of its kind, as it suggests a separate legislation for regulating the use of Non-Personal Data in order to achieve the following enabling and enforcing benefits:
- To generate economic benefits for citizens and communities in India and unlock the immense potential for social / public / economic value data;
- To create certainty and incentives for innovation and new products / services creation in India;
- To create a data sharing framework such that community data is available for social / public / economic value creation; and
- To address privacy concerns, including from re-identification of anonymised personal data, preventing collective harms arising from processing of Non-Personal Data, and to examine the concept of collective privacy
NON-PERSONAL DATA
Data is considered Non-Personal Data when it is not personal data, that is, data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, including any inference drawn from such data for the purpose of profiling, or when the data is without any personally identifiable information.
In the Report, the Committee has further defined three categories of Non-Personal Data –
1. Public Non-Personal Data
It means Non-Personal Data collected or generated by the governments, or by any agency of the governments, and includes data collected or generated in the course of execution of all publicly funded works. It includes anonymised data of land records, public health information, vehicle registration data, etc.
- All Non-Personal Data collected or generated by the Government where such data is explicitly afforded confidential treatment under a law, shall not constitute Public Non-Personal Data.
2. Community Non-Personal Data
It means Non-Personal Data, including anonymised personal data, and non-personal data about inanimate and animate things or phenomena – whether natural, social or artefactual, whose source or subject pertains to a community of natural persons, excluding Private Non-Personal Data. It includes datasets collected by the municipal corporations and public electric utilities, datasets comprising user-information collected even by private players like telecom, e-commerce, ride-hailing companies, etc.
3. Private Non-Personal Data
It means Non-Personal Data collected or produced by persons or entities other than the governments, the source or subject of which relates to assets and processes that are privately-owned by such person or entity, and includes those aspects of derived and observed data that result from private effort. It includes inferred or derived data / insights involving application of algorithms, proprietary knowledge, etc.
In the Report, the Committee has also defined a new concept of ‘sensitivity of Non-Personal Data’, as even Non-Personal Data could be sensitive from the following perspectives –
1) It relates to national security or strategic interests;
2) It is business sensitive or confidential information;
3) It is anonymised data that bears a risk of re-identification.
CONSENT FOR ANONYMIZATION OF DATA
The Committee recommends that the data principal should also provide consent for anonymisation and usage of this anonymized data while providing consent for collection and usage of his/her personal data. Also, the Committee recommends that appropriate standards of anonymisation be defined to prevent / minimize the risks of re-identification.
KEY NON-PERSONAL DATA ROLES
In the Report, the Committee has defined the following key Non-Personal Data roles:
Data Principal: In case of Government and Private Non-Personal Data, the data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates. In case of Community Data, a community is the data principal.
Data Custodian: The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal.
Data Trustee: The data principal group/community will exercise its data rights through an appropriate data trustee.
Data Trusts: They are the institutional structures, comprising specific rules and protocols for containing and sharing a given set of data.
DATA BUSINESS
In the Report, the Committee has observed that organizations are deriving new or additional economic value from data, by collecting, storing, processing, and managing data. For instance, a hospital derives economic value not only from providing medical services; it may also derive additional value by harnessing the medical data and offering value-added services (such as personalized treatment plans, medicines etc.). Therefore, the Committee suggested creating a new category / taxonomy of business called ‘Data Business’ that meets certain data threshold criteria.
It has been also suggested in the Report, that there should be a process for registration of the Data Business, and such requirement will be applicable to not only commercial organizations, but also Governments and other non-government organizations that collect, process or otherwise manage data. Further, such Data Business should be made accountable to declare what they do and what data they collect, process and use, in which manner, and for what purposes (like disclosure of data elements collected, where data is stored, standards adopted to store and secure data, nature of data processing and data services provided).
SHARING OF DATA
In the Report, the Committee has proposed primarily 3 purposes for sharing data:
Sovereign purposes – Data may be requested for security, legal, law enforcement and regulatory purposes.
Core Public Interest purposes – Data may be requested for community uses / benefits or public goods, research and innovation, for better delivery of public services, policy development, etc.
Economic purposes – Data may be requested for economic welfare purposes – in order to encourage competition and provide a level playing field in any sector, including, very importantly, for enabling domestic startup activities, or for a fair monetary consideration as part of a well-regulated data market, etc.
NON-PERSONAL DATA AUTHORITY
In the Report, the Committee has recommended the creation of a separate Non-Personal Data Authority. The Non-Personal Data Authority is to be tasked with enabling legitimate sharing requests and requirements, and with regulating and supervising corresponding data sharing arrangements involving Data Businesses, data trustees and data trusts.
The Non-Personal Data Authority has two roles to play:
Enabling role: ensuring that data is shared for sovereign, social welfare, economic welfare and regulatory and competition purposes and thus spurring innovation, economic growth and social well-being in the country.
Enforcing role: ensuring all stakeholders follow the rules and regulations laid down, provide data appropriately when legitimate data requests are made, undertaking ex-ante evaluations of the risk of re-identification of anonymised personal data and so on.
DATA-SHARING MECHANISM
In the Report, the Committee has recommended that appropriate data sharing mechanisms for sharing public, community and private data be established. The process of data sharing starts with a data request being made to the relevant Data Business. The data requests may be made for the detailed underlying data.
A business, including a start-up, may raise a data sharing request to a data custodian based on the meta-data of the data custodian. If the data custodian services the request, the transaction is complete. If the data custodian refuses to share the data, the request is made to the Non-Personal Data Authority. The Authority evaluates the request from a social / public / economic benefit perspective. If the request is genuine and can result in such benefits, the Authority will request the data custodian to share the raw/factual data. If the Authority determines that the benefits are not real, the request is denied.
TECHNOLOGY ARCHITECTURE
In the Report, the Committee has recommended some technology related guiding principles that can be used for creating and functioning of shared data directories / data bases, and for digitally implementing the rules and regulations related to data sharing.
CONCLUSION
There is no doubt that the present Report on the use and regulation of Non-Personal Data is a very progressive approach adopted by MEITY, considering the advancement in technology and the creation of data. Without any iota of doubt, any statute enacted by the Government of India on the guidelines of the present Report will definitely help in ensuring proper usage and exhaustion of the economic aspect of Non-Personal Data, which will be a win-win situation for all the concerned parties.
By:
Rajat Jain, Advocate
Principal Associate, Vaish Associates Advocates
Email ID: rajatjain@vaishlaw.com
Mobile No.: +91 9953887311