The Ministry of Electronics and Information Technology has released the Draft Non-Personal Data Governance Framework (“Report”) and invited suggestions from the public. The Report has been prepared by a Committee of Experts constituted under the chairmanship of Mr. Kris Gopalakrishnan (“Committee”) on September 3, 2019.
The Committee makes a case for the need of rules and regulations to manage non-personal data as it creates economic value and wealth, apart from enormous social and public value. The key recommendations made by the Committee have been summarised below.
1. Ambit of Non-Personal Data
Non-personal data includes (1) data that is not “personal data” and (2) data that is without any personally identifiable information. The Report seeks to classify non-personal data into three broad categories, namely Public, Community and Private.
Further, it also introduces the concept of sensitivity of such non-personal data, as non-personal data can also be sensitive if it is related to national security or business information or anonymised data that could be used for re-identification. The Committee recommended consent should be sought for anonymisation of personal data and usage of such anonymised data while collecting consent for usage of personal data.
2. Ownership of Non-Personal Data
The Report defines the roles of a Data Principal, being the corresponding entity to whom the data relates, and Data Custodian, being the entity that undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal. The Committee has also defined the roles of Data Trusts and Data Trustees for management of community non-personal data.
The Report further lays down the criteria for ownership of data to establish the legal basis for rights related to such data. While non-personal data derived from personal data would be owned by the person, the Committee recommended that rights over community non-personal data collected in India should vest with the trustee of that community, with the community being the beneficial owner, and such data should be utilised in the best interest of that community.
3. Undertaking a Data Business
The Committee has recommended creating Data Business as a new category of business, which would include collection, processing, storage and management of data. Existing businesses collecting data beyond a certain threshold would qualify under this category and be subject to governance and regulation by an institutional authority.
4. Access to Data and Sharing with Stakeholders
The Report discusses the process of data sharing for sovereign, economic and core public interest purposes, wherein open access to metadata and regulated access to the underlying data of Data Businesses shall be given to stakeholders who request such data.
Further, the Committee has broadly outlined the process for data sharing, wherein a stakeholder may request the data custodian to share certain data. If the request is denied, the stakeholder may apply to the Non-Personal Data Authority for access to such data.
Only the raw/factual data pertaining to community data that needs to be shared may be provided at no remuneration. Depending upon the level of value addition of data, the price of sharing such data may be determined.
The Committee has recommended that appropriate checks and balances in the form of location, contract, tools, liability, etc. should be put in place to ensure implementation of rules and regulations.
5. Non-Personal Data Regulatory Authority
The Committee observed that the regulation of non-personal data would be driven by the need to unlock the value inherent in this form of data as well as to protect from collective harms. It recommended that a separate Non-Personal Data Regulatory Authority (“NPDA”) should be created to regulate Data Businesses and data sharing, having enabling and enforcing roles.
The Report distinguishes NPDA from the Data Protection Authority (“DPA”) and Competition Commission of India (“CCI”) by suggesting that NPDA would be involved with harnessing the economic value of non-personal data. Unlike sector regulators, NPDA will have the expertise and a crosscutting view and role for ensuring data sharing (which requirement often crosses sectoral boundaries), and sectoral regulators can build additional data regulations etc. if required, over those developed by this authority in a horizontal fashion. The roles of NPDA, DPA and CCI should be harmonised.
6. Technology Architecture
The Committee discussed the technology-related guiding principles for the creation and functioning of shared data directories/databases, and for digitally implementing the rules and regulations related to data sharing. This includes the proposal to create a standardised data exchange approach irrespective of the type of data, method or platform of sharing. Further, it suggested that mechanisms must be put in place to ensure that re-identification of anonymised data does not occur.
The ministry has invited feedback and suggestions on the Report. The last date to submit feedback is September 13, 2020.
This post has been contributed by Ms. Vaneesa Agrawal and Ms. Sanyukta Srivastav.
[Disclaimer: This article is for academic purpose and is solely to provide readers with general information regarding developments in Indian law. For specific queries, please write to us at firstname.lastname@example.org ]