The Government of India began its quest to bring the non-personal data under regulation in the fall of 2019, with Ministry of Electronics and Information Technology constituting the Committee of Experts on Non-Personal Data Governance Framework under Axilor Ventures Chairman and former Infosys Vice-Chairman Kris Gopalakrishnan.
The report has now been put out in the public domain for comments from stakeholders till August 13, 2020. This exercise comes at a time when there is growing datafication of our lives, across socio-economic and political realms. The document, therefore, begins by providing a justification for the need to govern Non-Personal Data, citing the need to unlock the economic, social and community benefits of data.
The document defines non-personal data as data which is not “personal data” or data without any personally identifiable information (PII). The current definition is not a well-defined one, considering that non-personal data can be derived either from a personal dataset or from other sources, such as traffic data.
A clear and nuanced definition would enable better regulation of non-personal data. The expert committee report identifies three kinds of non-personal data: public data, community data, and private data.
Among the various suggestions made by the committee to unlock the potential of non-personal data, here are the highlights:
Collective Harms: The document, interestingly, highlights Collective Harms, going beyond the individual-centricity of Personal Data Protection, in the form of individual privacy and related concerns. The report cites the concept of Collective Privacy, and the possible harms of opening up data to expose communitarian identity markers, among other things.
Sensitivity: The report talks about possible limits to complete freedom in exploiting data, in the form of exceptions like national security concerns, business concerns related to the intellectual property, and the risk of the re-identification of non-personal data.
Data Actors: The report envisages a range of new “data actors”, including the Data Principal, Data Custodian, Data Trusts, Data Trustees. One aspect that stands out is the identification of the “Duty of Care” for the Data Custodian, who would be the actor responsible for community data.
Data Sovereignty: The report states that the rights over the non-personal data obtained from an individual’s personal data would remain with her while those derived from a community would vest with the community. Such data would be shared with data businesses and government bodies, to be used in their best interests. The report assigns the trusteeship of community data to the most appropriate representative body – central/state/local government agency, therefore, asserting the government’s ownership over the non-personal data of a community. However, the report is silent on the “adequate system of decision implementation” to be employed by these government bodies. Therefore, the key data sharing principles must be based keeping in mind the social value of the data, ensuring just use and openness in decision-making and action – securing accountability.
Data Business: The report talks about a Data Business, a new kind of entity that significantly deals with data in a large measure. This would perhaps include existing businesses that are increasingly dealing with data, or new kinds of businesses that are data-driven.
Non-Personal Data Authority: With an aim to coordinate between the regulators such as the Competition Commission of India (CCI) and the Data Protection Authority (DPA) (under Personal Data Protection Bill (PDP)) and other sector regulators, the committee has proposed to set up an entirely new regulator, the Non-Personal Data Authority (NPDA). However, the exact composition, powers and role of the NPDA have not been defined. It can be argued that the DPA, under the PDP Bill, could have been empowered to deal with non-personal data too. However, the report reasons that “unlike the DPA which is focused on prevention of personal harm, this authority will focus on unlocking value in Non-Personal Data for India.”
Harmonisation: The report also foresees the regulation of NPD by divergent ministries and regulatory bodies. Therefore, the report proposes harmonisation between the Competition Commission of India, and the Personal Data Protection Authority envisaged by the Personal Data Protection Bill, 2019.
The current report that has been put forth for public comments, was prepared in a heavily opaque manner. Although the report states in its methodology that representatives of various sectors of businesses were consulted, and several experts presented their views in front of the committee, the list or the qualifications of these deemed experts has not been released. Such secrecy of policymaking is unwarranted for and arouses suspicions.
This primer on Non Personal Data is compiled by Preeti Raghunath, Gyan Tripathi, with review and inputs from Padmini Ray Murray via the Kaarana Collective.