- The Digital Personal Data Protection Bill, 2022 does not cover non-personal data (NPD)
- The Data Protection Bill 2021 covered NPD and was criticised for the same, with experts arguing that NPD should be regulated separately
- The Personal Data Protection (PDP) Bills of 2018 and 2019 did not cover NPD, but the 2019 version allowed the government to direct companies to provide NPD under certain grounds
The Digital Personal Data Protection (DPDP) Bill 2022, announced on 18 November, does not attempt to regulate non-personal data (NPD), with the 24-page Bill not mentioning or referring to the term anywhere.
This is in contrast with last year’s version, the Data Protection Bill 2021, which was the first version to bring NPD under the ambit of the Data Protection Act, with the JPC noting that NPD is essentially derived from one of the three sets of data— personal data, sensitive personal data, critical personal data — and then anonymised or converted into non-identifiable data.
The Ministry of Electronics and Information Technology (MeitY) has invited feedback from the public on the draft Bill by December 17, 2022. The feedback may be submitted on the MyGov website.
How did previous versions of the Bill deal with NPD?
What the 2018 and 2019 Bill said: The PDP Bill, 2019 and the PDP Bill, 2018 did not apply to NPD. Although, the 2019 version did include provisions that allowed government access to NPD. Section 91(2), for instance, allowed the central government to “direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.”
What the 2021 Bill said: The Data Protection Bill 2021 applied to the processing of non-personal data in addition to personal data. Additionally, the Bill allows the government to draft separate policies on non-personal data and include them in the Data Protection Act.
The JPC decided to ultimately include NPD under the ambit of the Bill observing that there is a mass movement of data without any distinction of personal or non-personal. It added that it is not possible to differentiate between personal or non-personal data in the initial stage or at the later stages. The committee also opined that “it is actually simpler to enact a single law and a single regulator to oversee all the data that originates from any data principal and is in the custody of any data fiduciary” as it will restrict grey areas in terms of anonymisation and re-identification. Thus, the committee recommended that the legal framework on NPD must be a part of the Data Protection Act instead of any separate legislation and that both personal and non-personal data should be regulated by one Data Protection Authority (DPA) to avoid confusion and mismanagement. These recommendations by JPC went against the recommendations of the NPD expert committee (more below).
And as with the 2019 version, the central government may “direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.”
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox
What the government-appointment NPD expert committee recommended
- September 2019: The Ministry of Electronics and Information Technology (MeitY) first constituted a Committee of Experts for Non-Personal Data Governance Framework (NPDG) to come up with a data governance framework in 2019. Infosys co-founder Kris Gopalakrishnan was asked to lead the committee.
- July 2020: The expert committee released its draft report to the public for consultation and feedback. It defined non-personal data as any data that is not related to an identified or identifiable natural person or is personal data that has been anonymised. It proposed that NPD should be regulated by a new regulatory body, the Non-Personal Data Authority (NPDA). This data, the committee recommended, should be further classified into three categories— public NPD, community NPD, and private NPD.
- December 2020: The committee then released a revised report addressing several concerns raised in the 1500 submissions received by them. The submissions are not public. The committee wrote that the framework should become the basis of new legislation for regulating NPD. Interestingly, the expert committee called for an amendment in the PDP Bill, 2019, stating: “At present, the provisions of Section 91(2) and Section 93(x) attempt to establish within the PDP Bill a regulatory framework within which even non-personal data could be regulated under the provisions of the PDP Bill. In order to ensure that the two frameworks are mutually exclusive yet work harmoniously with each other it would be advisable to delete these sections from the PDP Bill and ensure that they are appropriately covered under the NPD framework. If that is done then the words ‘other than the anonymized data referred to in section 91’ in Section 2(B)) could also be deleted as infructuous.”
- November 2021: The committee submitted the final report to MeitY which has not been made public yet. The final report contains consultations and feedback received on the revised report. The final draft reaffirmed the committee’s position on a national Non-Personal Data Protection Authority reporting to the Indian government. It appears the committee’s recommendations were not heeded by the Joint Parliamentary Committee working on the Data Protection Bill.
Stakeholders’ views on NPD
Needs soft-touch regulation: “The non-personal data (NPD) regulation should be to promote this one [market] through soft-touch regulations. There are chances of market failure, once the market is developed then the regulation has to be a little stronger than before,” Rajya Sabha MP Dr Amar Patnaik had said at the launch of a report on the impact assessment of the Non-Personal Data Governance (NPGD) framework. “The question of possible misuse of non-personal data to create disharmony in society will come later,” he said.
India is not ready for dealing with non-personal data: Speaking at a MediaNama event, Ulrika Dellrud, Chief Privacy Officer at PayU, recommended that NPD should be addressed separately at a later stage because:
- Privacy laws in India are in their infancy: While in Europe privacy laws have been there for a while now, in India we do not have any proper privacy law, and incorporating non-personal data now is too early, Dellrud said.
- Unclear what provisions apply to NPD: Furthermore, it is currently unclear what provisions of the Bill apply to non-personal data, there is no clear demarcation, Dellrud explained. It is better to have some kind of sandbox to figure this out, Dellrud added.
“We have the IT Act but there’s not a proper privacy law. And then when going from, I shouldn’t say zero, but maybe 2 to 200, immediately by also putting non-personal data, I think that is a problem.”– Ulrika Dellrud
- A Complete Guide to the Digital Personal Data Protection Bill, 2022
- Financial Data, Non-Personal Data And Algorithmic Transparency Should Be Regulated Separately
- Is defining non-personal data possible? Is anonymising it a good idea?
- Considering intellectual property rights over non-personal data
- Why does the Indian government want to regulate non-personal data?
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.