A national non-personal data protection (NPD) authority must be established by the Indian government according to a recommendation by a committee led by Infosys co-founder Kris Gopalakrishnan, Economic Times reported. The recommendation has been made in the draft Bill and the final report submitted to the Ministry of Electronics and Information Technology (MeitY) two months ago, the report added.
The final report also classifies companies that control high amounts of data as “data businesses” and explains what constitutes a “high value data” set; the government or other companies will be able to access these data sets at a price decided by the market forces, as per ET.
The expert committee had come out with a draft in July 2020, and released a revised version on which it invited comments from stakeholders in December 2020. The final report takes into account all the feedback received by the expert committee. The committee’s job was to study use cases of NPD and prescribe a regulatory structure for NPD in the country.
NPD can be defined as data without any Personally Identifiable Information such as:
- Data not related to individuals/national persons (weather, from industrial sensors, from public infrastructure).
- Data that has been anonymised or aggregated so that individual data is not identifiable.
An authority on NPD is crucial in implementing the law laid down by the government, however, it is likely that a separate authority for NPD will clash with the authority envisaged in the draft bill for personal data.
Concerns around the regulatory body
The Indian government has not yet released the copy of the report or acknowledged its receipt publicly so it is difficult to comment on what is the scope of the authority.
Need for regulation not established: Alok Prasanna Kumar, co-founder and lead, Vidhi Centre for Legal Policy Karnataka, in MediaNama’s discussion on the revised report on a Non-Personal Data Governance Framework, was not convinced if the state “should be involved as a regulator yet”. “The concerns (around NPD) raised are valid, it’s just that they don’t necessarily lead to the conclusion that we need a non-personal data authority, or rather, that we need regulation, which will necessarily help us for sovereignty,” Kumar said.
Conflict with other bodies: Kumar said that the proposed Non-Personal Data authority could be in conflict with other institutions. “One is the proposed Data Protection Authority under the PDP bill. Another is the Competition Commission of India, and the third is the Central Information Commission. A lot of the data that we’re talking about might be sitting with government agencies and it might be possible to get some of this data by filing an RTI application,” Kumar said.
MoS IT bats for a single regulator: “We should not have a proliferation of regulators—a personal data regulator and a non-personal data regulator. There are some businesses that enjoy this kind of arbitrage opportunity that is represented by multiple regulators. I will have no problem if there is a convergence of regulatory entities or institutions for the entire data economy,” said Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, at CyFy 2021 in a session on regulation of the digital ecosystem in India.
It remains to be seen whether these lacunae have been addressed in the final report.
Understanding the NPD authority
The committee recommended that the focus of the regulatory body for governing Non Personal Data, should be on “unlocking value in non-personal data for India.”
“Unlike CCI”, the committee report says, the Non Personal Data Authority “will be a proactive actor providing early and continued support for Indian digital industry and startups, and ensuring that necessary data is available for the community.”
Here are some of the committee’s recommendations regarding the NPDA:
- Industry Participation: It must be created with industry participation.
- Regulatory harmonisation: It should be harmonised with other bodies (DPA, CCI etc)
- Functions: The NPDA will create,
- An Enforcing framework for:
- Establishing the rights of India and its communities over NPD
- Address privacy, reidentification of anonymised personal data and prevent misuse of and harms from data
- Adjudicate only when a data custodian refuses to share data with data trustee
- An Enabling framework for:
- Unlocking economic benefit from NPD for India and communities
- Create a data sharing framework
- Manage meta-data directory of data businesses in India
- An Enforcing framework for:
- Sectoral regulators can build additional data regulations over those developed by the NPDA
MediaNama’s take: Giving a regulator competing goals (unlocking economic benefit from data versus consumer protection – addressing privacy and misuse harms) is a bad idea, and will create complications when the regulator has to balance the risk of privacy and misuse harms when it comes to enabling access to certain datasets.
It will only be clear whether the committee has accounted for these issues once the government releases the final report to the public.
- A Guide to Non Personal Data Regulation in India
- #NAMA: What would a Non Personal Data Authority’s role be? Is one even required?
- Summary: Revised Draft Report on Non Personal Data
- #NAMA: Issues with the non personal data authority, and treating non personal data as a ‘common resource’
Have something to add? Post your comment and gift someone a MediaNama subscription.