A Committee of Experts constituted by the Ministry of Electronics and Information Technology published a report on July 12, 2020 making a case to the Government for regulation of non-personal data. Here are some of the key principles and recommendations of the Committee as set out in the report.
Definition and Characterization of Non-Personal Data
Taking a cue from the guidance issued by the European Commission in 2019, the Committee developed a definition of ‘Non-Personal Data’ based on the origin of the relevant data (viz. data that originates from personal data, and that which does not). NPD is defined to mean data which is not ‘personal data’ (as defined under the Personal Data Protection Bill, 2019) or which is without any personally identifiable information.
The report also defines three categories of NPD: (i) Public Non-Personal Data, (ii) Community Non-Personal Data and (iii) Private Non-Personal Data.
Similar to personal data, the report also introduces the concept of ‘Sensitive Non-Personal Data’, that is, NPD relating to (i) national security and public interest, (ii) anonymized data which can be re-identified, (iii) collective privacy, or (iv) sensitive or confidential business information.
Ownership of Non-Personal Data
The report sets out a ‘legal basis for establishing rights’ over NPD. The guiding principles expressed in the report include:
• Data Sovereignty – some data sets about the people of India and collected in India, can be considered a national resource and, therefore, will be owned by the State.
• Beneficial Ownership / Interest – in case of community NPD, rights over the NPD would vest in a trustee (who is the ‘closest and most appropriate’ representative of the community), and the community would be the beneficial owner, in whose interest such NPD ought to be utilised. The report states that the Government should keep in mind that same or similar data may have overlapping interests and co-existing rights, due to the ‘non-rivalrous nature’ of NPD.
• Origin from Personal Data – NPD from personal data will be owned by the individual whose personal data is underlying the NPD.
In view of the above, the three key NPD roles identified in the report are that of a data principal (individuals, companies or communities), data custodian (responsible for processing NPD in the interest of the data principal) and a data trustee / data trust (community representative or institutional structure).
Need for the Regulation of Non-Personal Data
The Committee recognizes the potential of NPD to contribute to the economy and the need to use it for social welfare and public good while at the same time also recognizes the need for correcting ‘imbalance in the market’ resulting out of creation of “data monopolies”. The Committee also believes that balanced regulation of NPD would spur innovation and research.
The report articulates that there is a need for a Non-Personal Data Authority (‘NPDA’), as self-regulation by businesses and oversight over interactions between private enterprises and the Government would be difficult to achieve. The functions of the NPDA would include an ‘enforcing role’ (to ensure that stakeholders follow the regulation) and an ‘enabling role’ (to ensure that data is shared for sovereign, social welfare, economic welfare and regulatory and competition purposes, for spurring innovation, economic growth and social well-being in the country).
Regulation of Data Businesses
The report argues that ‘data businesses’ (above a certain threshold volume of processing) ought to be registered with the Government and regulated. These businesses would need to submit detailed information relating to their data processing and collection at the time of registration. If data traffic of a ‘data business’ exceeds certain thresholds, then the metadata regarding the NPD being collected and processed by such ‘data business’ should be made freely accessible.
Sharing of Non-Personal Data
The Committee makes a case for sharing of NPD with citizens, by both the Government and private companies, for purposes including national security, public interest and economic welfare. The report states that doing so will be useful for research and academia, start-ups who will be incentivized to develop innovative offerings, and even other citizens, for transparency, in certain situations.
While sharing is encouraged in public interest, the report has also recommended certain ‘checks and balances’, including enforcement of FRAND (fair, reasonable and non-discriminatory) terms in data sharing contracts, sharing of only raw data by private entities, compensation for NPD where a private entity has made some value addition, protection of underlying personal information in NPD, etc.
Way Forward
The Committee understands the immense potential of NPD in spurring innovation and growth and hence, makes the case to urgently regulate NPD to ensure equal and non-discriminatory access to such data. It also recognizes that NPD regulation cannot exist in a vacuum, and would need to be aligned with other relevant regulations such as the Personal Data Protection Bill, 2019, Competition Act, 2002 as well as intellectual property laws.
However, given the very nature of NPD, risk of an overlap with ‘personal data’ and other data sets cannot be ruled out and there could be competing ownership and use interests. Any future regulation would, therefore, have to devise a mechanism whereby rights, interests and obligations are clearly delineated. Similarly, regulatory framework will have to be developed such that it is not overly burdensome and has sufficient checks and balances.
Lastly, some of the recommendations in the report need to be carefully scrutinized and considered before implementation as they may have a significant impact on technology companies and data processing companies, who may be forced to share data with their competitors.