“To unleash innovation and research by start-ups and academia, a National Data Governance Policy will be brought out. This will enable access to anonymized data,” India’s Finance Minister Nirmala Sitharaman remarked on February 1 as part of her Budget 2023 speech.
Why does this matter: This is not an entirely new proposal. Over the years, the government has time and again talked about enabling access to anonymised or non-personal data (NPD) to enable innovation. It has also come out with various reports and draft legislation to this effect. Most recently, in May 2022, the IT Ministry released the draft National Data Governance Framework Policy. It’s not clear what exactly will be proposed this time or how/if it will be different from the May 2022 draft, but as before, there are multiple concerns with making anonymised or non-personal data available.
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.
Here’s a quick 2-minute take by our editor Nikhil Pahwa on some risks:
Some of the issues with such a policy: It is not possible to comment on all the possible issues without knowing the specifics of the proposed policy, but two important concerns are:
1. Anonymised data can be deanonymised: There have been multiple studies that have found that anonymised data sets can be deanonymised by various means including by layering multiple types of anonymised datasets. We’ve covered this issue in-depth here.
The National Data Governance Policy which wants to share anonymized data is happening without the Digital Personal Data Protection Bill. Anonymised data is just personal data that will be de-anonymised with right amount of additional data BigTech already has on us.
— Srinivas Kodali (@digitaldutta) February 1, 2023
2. Who will be covered by this policy: Will the policy mandate sharing of anonymised data by government entities only or private entities as well? If it includes the latter, that could potentially lead to myriad challenges including issues around intellectual property, compensation, etc. (more on this in the last section).
NPD data regulations: A Timeline of Events
- September 2019: IT Ministry constituted a Committee of Experts for Non-Personal Data Governance Framework (NPDG) to come up with a data governance framework. Infosys co-founder Kris Gopalakrishnan was asked to lead the committee.
- July 2020: The expert committee released its draft report to the public for consultation and feedback. It defined non-personal data as any data that is not related to an identified or identifiable natural person or personal data that has been anonymised. It proposed that NPD should be regulated by a new regulatory body, the Non-Personal Data Authority (NPDA). This data, the committee recommended, should be further classified into three categories— public NPD, community NPD, and private NPD.
- December 2020: The committee released a revised report addressing several concerns raised in the 1500 submissions received by them.
- November 2021: The committee submitted the final report to MeitY which has not been made public yet. The final report contains consultations and feedback received on the revised report.
- February 2022: The IT Ministry released the draft India Data Accessibility and Use Policy to enable sharing of government data, but the same was criticized for a host of reasons.
- May 2022: The IT Ministry released the draft National Data Governance Framework after shelving the previous version (India Data Accessibility and Use Policy). While the framework mainly dealt with government data, it also encouraged private companies to share non-personal data with startups and researchers through a proposed India Datasets programme. However, multiple concerns were raised about this version as well.
MediaNama discussions on regulating non-personal data
We’ve held multiple discussions on NPD regulations over the years where we deep dive into the various issues. Here are reports from these discussions:
- MP Amar Patnaik On Non-Personal Data: Different DPAs Would Impede Protection Of Citizens’ Rights Read
- Regulating Non-Personal Data: Why It Might Not Address Antitrust Concerns Like Data Monopolies And Barriers To Entry Read
- Regulating Non-Personal Data: How To Share Data Voluntarily And Mitigate The Attendant Risks Read
- Regulating Non-Personal Data: What Are The Concerns Of Start-Ups Over Data Sharing And How To Address Them? Read
- Regulating Non-Personal Data: How The Free Flow Of Data Makes Anonymisation Harder Read
- Regulating Non-Personal Data: Is There A Need For An Overarching Policy? Read
- What Would A Non-Personal Data Authority’s Role Be? Is One Even Required? Read
- Issues With the Definition Of Communities, Public Good, And Unabated Sovereign Access To Non-Personal Data Read
- What Does The Non-Personal Data Framework Mean For Businesses? Will It ‘Unlock’ the Economic Potential Of Data? Read
- What Are Data Trusts? How Do They Work? Read
- Anja Kovacs On The Problems With India’s Report On Non-Personal Data Governance Framework Read
- Sameer Nigam On The Perils Of Requiring Companies To Sell Non-Personal Data Read
- Issues With The Non-Personal Data Authority, And Treating Non-Personal Data As A ‘Common Resource’ Read
- Non-Personal Data For Sovereign And Public Interest Purposes Read
- Evaluating Intellectual Property Rights Over Non-Personal Data Read
- Assessing The Concepts Introduced In The Non-Personal Data Report Read
- Is Defining Non-Personal Data Possible? Is Anonymising It A Good Idea? Read
- Recommendations For Governing Non-Personal Data; What Data Trusts Are Read
- Why Does The Indian Government Want To Regulate Non-Personal Data? Read
- Considering Intellectual Property Rights Over Non-Personal Data Read
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- Why India Should Think About Harms Of Deanonymisation In Non-Personal Data Governance And Privacy Law
- New Data Governance Framework Ditches Monetisation, Encourages Businesses To Share Non-Personal Data
- (Em)Powering India Through Data: Thoughts On The National Data Governance Policy Framework
- A Guide To Non Personal Data Regulation In India
- Summary: Draft India Data Accessibility And Use Policy, 2022