The Ministry of Electronics and Information Technology (MEITY) has extended the deadline for submission of comments on the Committee of Experts’ Report on governance of Non-Personal Data to September 13, 2020 (hat tip: Arun P.S.). MEITY had formed the committee headed by Infosys co-founder Kris Gopalakrishnan on September 13, 2019 to focus on non-personal data, and to come up with a related data governance framework. Earlier, the deadline was August 13.
In the report, which was released on July 12, 2020, the committee has defined non-personal data as any data that is not related to an identified or identifiable natural person, or is personal data that has been anonymised. It has also proposed that a new legislation should govern the regulation of non-personal data along with a new regulatory body, the Non-Personal Data Authority (NPDA).
The committee has recommended classifying such data into three categories — public NPD, community NPD, and private NPD. The report has also identified a host of new stakeholders in the non-personal data ecosystem, including data principal, data custodian, data trustee, and data trust — many of which find their analogues in the Personal Data Protection Bill. The committee has delineated these stakeholders’ obligations and the mechanisms that could enable data sharing. It has also defined the circumstances under which a private organisation, that collects non-personal data, could be remunerated for sharing its trove of non-personal data.
Not all elements of the report are entirely clear. For instance, the report states that given enough data sets, all data can be de-anonymised. If that is the case, and academic research suggests that it indeed is, it raises two questions — does it counter the definition of anonymisation in the Personal Data Protection Bill, 2019, as per which irreversibility is the standard for anonymisation? And if anonymised data is indeed impossible, shouldn’t all inferred data be within the realm of the Personal Data Protection Bill whose expanded definition of personal data now includes inferred data as well?
If that is not enough, the relationships between the new stakeholders — data custodians, data trustees, data trusts, data businesses — are not entirely clear. As is the definition of community which is understood in far more fluid terms in all areas of science and social science than in the report. What happens when non-personal data, both anonymised and non-human related (like weather data), relates to two or more communities? Who is the data trustee then? For instance, for all anonymised education data of K-12 students, who will be the data trustee — the Ministry of Human Resource Development or the Ministry of Women and Child Development? The report has also not considered the pitfalls of assigning ministries and government agencies as the data trustees for communities, especially when it comes to the interests of marginalised communities.
What is also unclear is how the proposed legislation would interact with existing laws, including the pending Personal Data Protection Bill, and how the proposed authority would ensure clear jurisdictional lines from other regulators. Its conflicts with the proposed e-commerce policy are also a matter of concern. For instance, the report exempts proprietary knowledge and algorithms from data sharing but that brings it in conflict with the new draft e-commerce policy that seeks to give government access to algorithms to check for biases.