An expert committee set up by the Union Electronics & IT Ministry (MeitY) in 2019 has come up with a framework to regulate and leverage non-personal data.
The “Report by the Committee of Experts on Non-Personal Data Governance Framework” observes that “the world is awash with data” and recommends that it be regulated in order to create economic value for the country and citizens.
The framework proposes a separate “new national law” to govern non-personal data as well as the creation of a Non-Personal Data Authority.
The 72-page report, however, has come under sustained criticism since its publication on 13 July.
Among the tasks the committee was entrusted with was to define what “non-personal data” exactly means.
The report identifies non-personal data from two perspectives:
The committee has defined three categories of Non-Personal Data:
The Committee has also defined a new concept of ‘sensitivity of Non-Personal Data,’ “as even Non-Personal Data could be sensitive from the following perspectives”:
The Centre, on 13 September 2019, formed a committee of experts to deliberate on a data governance framework, which would study “the economic dimension of data” and “various issues related to non-personal data.”
The Ministry of Electronics & IT (MeitY), in an official note, stated that a nine-member committee, with Infosys co-founder Kris Gopalakrishnan as chairman, “will deliberate on a data governance framework” primarily pertaining to a category of data described as community data.
The Committee comprises nine members from the private and public sectors:
The government has invited comments on the Governance Framework till 13 August.
This report flows from the Centre’s overarching position that data is primarily an economic good. This is reflected in the Personal Data Protection Bill (currently tabled in Parliament), the Economic Survey of India in 2019 and 2020 as well as the decision of ministries to sell the data of citizens without consent to generate revenue.
Explaining that data is increasingly taking the centre-stage in core-technological businesses, the report states, “It is in this context, that the Committee has sought to set out the case for regulation of data. As a starting point therefore, one needs to understand the nature of data as an economic good.”
The Committee goes on to recommend that rules and regulations are required to manage data in a manner that leads to the “creation of economic value from use of data and generate economic benefits for citizens and communities in India and unlock the immense potential for social / public / economic value data.”
Udbhav Tiwari, Public Policy Advisor at Mozilla, expands on the government’s interpretation of data as an economic good and the committee’s view of community rights over non-personal data.
“It couches everything in this nebulous concept of community data but does nothing for community rights,” Tiwari added.
The report identifies four key roles related to non-personal data: Data principal, data custodian, data trustees and data trusts.
The government or private companies can therefore be ‘data custodians’, while individual citizens, to whom the data pertains, would be the ‘data principals’.
Nikhil Sud, a lawyer and regulatory affairs specialist, writes in a Medianama analysis piece, “the report frequently – and commendably – notes the importance of acting in the best interest of the data principal but it stops short of explaining what that means.”
Udai S Mehta, deputy executive director, CUTS International, a consumer rights organisation, points out that the relation between data custodian and data principal is not clear from the text of the report.
“Given the uneven bargaining power, the data regulator must empower individual and community data principals to confidently negotiate and enforce their rights with respect to data custodian,” said Mehta.
“While the report mentions that data custodians are required to act in ‘best interest’ and have a ‘general duty to care’, these obligations must not remain mere principles, but should be enforceable as well,” Mehta further said, adding “data principals and the regulator should be able to clearly examine if these principles are complied with or not, and initiate appropriate actions.”
A major concern also arises from the manner of the government’s access to data. The report suggests that the government may collect and use non-personal data (NPD) for “national security, law enforcement, legal or regulatory purposes.”
While the committee, comprising members from the field of technology belonging to the government, public and private sectors, deliberated on the issue for over nine months, there is no mention in the report of any consultation with other experts.
“It's apparent that it wasn't made through a public consultation process as it seems to create new rules and an economy that bears no resemblance with the state of data in the world or the requirements of an Indian society,” said Mishi Choudhary, technology lawyer and founder of SFLC.in. “It's locked within too narrow a perspective and fails to ask any interdisciplinary questions,” she adds.
Choudhary points out that a “glaringly surprising part” is that the framework’s relationship with the copyright law, trade secrets law or any other laws has not been discussed at all other than mentioning a pending Data Protection Bill.
Among the major issues raised by several analysts and experts is that of the language of the report.
“The report on Non-Personal Data is a culmination of over two years of discussion. However, the report language appears vague and does not account for many of the concerns raised,” Udbhav Tiwari told The Quint.
As an example of a recommendation that appears high on rhetoric and low on implementability, Tiwari points to the Non-Personal Data Authority (NPDA).
“It will be incredibly challenging to implement some of the recommendations regarding the NPDA and its role. The amount of rhetoric here is very high as is the case with technical recommendations regarding metadata,” he further said.
According to the report, the NPDA will have two roles. First, an “enabling role” to ensure that data is shared for sovereign, social welfare, economic welfare and regulatory and competition purposes, and second, an “enforcing role,” ensuring all stakeholders follow the rules and regulations.