The Joint Parliamentary Committee (JPC) has recommended bringing non-personal data (NPD) under the ambit of the Data Protection Act, noting that NPD is essentially derived from one of the three sets of data— personal data, sensitive personal data, critical personal data — and then anonymised or converted into non-identifiable data.
Non-personal data provisions should be part of the Data Protection Act
The committee recommended that the legal framework on NPD must be a part of the Data Protection Act instead of any separate legislation and that both personal and non-personal data will be regulated by one Data Protection Authority (DPA) to avoid confusion and mismanagement. It was not in favour of having two DPAs. The committee wrote that the government can draft separate provisions on non-personal data and include them in the Data Protection Act, as soon as they are finalised.
- Earlier draft: There was no mention of the non-personal data regulation in the draft Personal Data Protection Bill, 2019.
- Reasons for change: The committee observed that there is a mass movement of data without any distinction of personal or non-personal. It added that it is not possible to differentiate between personal or non-personal data in the initial stage or at the later stages. The committee also revealed that “it is actually simpler to enact a single law and a single regulator to oversee all the data that originates from any data principal and is in the custody of any data fiduciary” as it will restrict grey areas in terms of anonymisation and re-identification. “The committee concluded that restricting the new legislation to personal data protection is detrimental to privacy,” the report stated. The committee surmised that to define and restrict the new legislation only to personal data or to name it as the Personal Data Protection Bill is detrimental to privacy.
The lowdown on developments regarding non-personal data
- September 2019: The Ministry of Electronics and Information Technology (MeitY) first constituted a Committee of Experts for Non-Personal Data Governance Framework (NPDG) to come up with a data governance framework in 2019. Infosys co-founder Kris Gopalakrishnan was asked to lead the committee. The draft Personal Data Protection (PDP) Bill, 2019, was only supposed to deal with personal data back then. The Srikrishna Committee, which presented the PDP Bill in its report (A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians), recommended that the government come up with a law to protect community and non-personal data.
- July 2020: The expert committee released its draft report to the public for consultation and feedback. It defined non-personal data as any data that is not related to an identified or identifiable natural person or is personal data that has been anonymised. It proposed that NPD should be regulated by a new regulatory body, the Non-Personal Data Authority (NPDA). This data, the committee recommended, should be further classified into three categories— public NPD, community NPD, and private NPD.
- December 2020: The committee then released a revised report addressing several concerns raised in the 1500 submissions received by them. The submissions are not public. The committee wrote that the framework should become the basis of new legislation for regulating NPD. Interestingly, the expert committee called for an amendment in the PDP Bill, 2019, stating: “At present, the provisions of Section 91(2) and Section 93(x) attempt to establish within the PDP Bill a regulatory framework within which even non-personal data could be regulated under the provisions of the PDP Bill. In order to ensure that the two frameworks are mutually exclusive yet work harmoniously with each other it would be advisable to delete these sections from the PDP Bill and ensure that they are appropriately covered under the NPD framework. If that is done then the words ‘other than the anonymized data referred to in section 91’ in Section 2(B)) could also be deleted as infructuous.”
- November 2021: The committee submitted the final report to MeitY which has not been made public yet. The final report contains consultations and feedback received on the revised report. The final draft reaffirmed the committee’s position on a national Non-Personal Data Protection Authority reporting to the Indian government. It seems like the committee’s recommendations was not heeded by the joint parliamentary committee working on the Data Protection Bill.
‘Non-personal data needs soft-touch regulation’
“The non-personal data (NPD) regulation should be to promote this one [market] through soft-touch regulations. There are chances of market failure, once the market is developed then the regulation has to be a little stronger than before,” Dr. Amar Patnaik had said at the launch of a report on the impact assessment of the Non-Personal Data Governance (NPGD) framework. “The question of possible misuse of non-personal data to create disharmony in society will come later,” he said. Patnaik is a Rajya Sabha MP and one of the members of the Joint Parliamentary Committee tasked with studying the Data Protection Bill.
This is a clear signal as to which way the Indian government will be leaning when it comes to non-personal data. Dr. Patnaik also stressed that the main purpose of the NPGD framework should be to promote a market like the Union government had done with the telecom sector in the past.
Subscribe to MediaNama to get access to our ongoing coverage of the bill. Here is everything we have planned around the report: