Changes and challenges in the revised regulatory framework for non-personal data
ThePrint ValueAd Initiative

The revised report envisages a harmonious co-existence of the two frameworks of personal and non-personal data while suggesting that the two concepts are mutually exclusive.

   
Representational image | Gerd Altmann from Pixabay

The Committee of Experts on Non Personal Data (NPD), chaired by Infosys co-founder Kris Gopalakrishnan, was constituted on 13 September 2019 with the objective of defining a regulatory framework for the governance of NPD. They released an initial draft of the report in July 2020 and opened it to the public for submissions presenting concerns and suggestions. Having received over 1,500 submissions, the committee reworked the report and subsequently released it in December 2020.

The report addresses several of the concerns raised, including some relevant arguments put forward by The Dialogue, and builds upon the fundamental objective of mapping out the various ways in which NPD can be leveraged to promote innovation and growth in the country.

Changes from the previous draft

At the outset, it would be fair to say that the revised draft reads as a much improved and more easily consumable draft when compared with the previous version. There are significant changes made to the new draft, ensuring it is more comprehensive and displays a greater familiarity with the ecosystem at hand.

Firstly, the new draft has removed further classification of NPD into any hard brackets and relies on the source from which data has been derived to act as the main criterion for segmentation. The Dialogue, in its submission, recommended that such classification be removed in order to avoid confusion at a later stage.

Secondly, in its quest to harmonise with the personal data protection (PDP) framework, the report recommends excluding the provisions concerning non-personal data, namely S. 91(2) and S. 93(x) from the ambit of the PDP Bill, 2019.

Unlike the previous draft where the report suggested that the NPD authority should work within the framework of PDP, the revised report envisages a harmonious co-existence of the two frameworks while suggesting that the two concepts are mutually exclusive.

Another major change has been in terms of data sharing, where mandatory data sharing for sovereign and business purposes has been excluded from the framework, citing that the mechanism for such sharing already exists. Under the current draft, sharing of data will only be done for public good purposes. Fourthly, data trusts as a separate entity have been dissolved and it seems that the power of the data trusts under the previous draft has been given to the data trustees.

Non personal data regulation

The revised report has made significant additions to the previous iteration, the most important of which seems to be the introduction of High Value Datasets (HVDs).

HVDs have been defined as datasets which are “beneficial to the community at large and shared as a public good”. The report further classifies the granularity of datasets, wherein raw/factual and aggregate data may be accessed by the trustees; however, no access will be given to the inferred level data. As far as data trustees are concerned, they could be an organically created organisation which can be a government entity or a not-for-profit private organisation incorporated under section 8 of the Companies Act, 2013. They are responsible for the creation, maintenance and data sharing of HVDs.

In another important development, the report now recognises copyright and trade secret protection for NPD data sets, though in a limited capacity. The framework mandates data sharing for high value datasets where the field of the data required has to be predetermined. According to the committee, in such cases design copyright would not be violated. Further, trade secret protection will only be allowed in cases where the data collected is inherently confidential and the onus to prove that is on the entity claiming the protection.

Challenges

Having briefly examined the key additions and positive changes made to the revised draft, it is important to note that there are still certain elements of the report which require further scrutiny.

Firstly, the committee seems to have missed an opportunity to develop a mechanism to govern anonymisation standards. Though the framework has suggested certain anonymisation techniques, those are merely suggestive in nature and may raise privacy concerns later. Creating a governance framework and prescribing minimum standards for anonymisation would have helped the framework overcome privacy challenges.

As discussed earlier in the article, the report also allows organisations incorporated under section 8 of the Companies Act to become data trustees. Considering the role of a data trustee involves the creation, maintenance, and data-sharing of HVDs, the committee might want to consider creating a more comprehensive list of criteria for an organisation to qualify for this role.

Another potential concern is the conflicting set of responsibilities of the NPD Authority (NPDA). These take the form of both promoting economic benefit by leveraging NPD, as well as ensuring consumer protection by addressing issues surrounding privacy and misuse of this data. While the two are not completely opposing goals, there is clear scope for conflict of interest, and the committee should reconsider certain aspects of this regulation.

Furthermore, there are concerns regarding the concentration of power in the hands of the data trustees and the NPDA: the powers of the erstwhile data trusts have been transferred to the data trustees, and there is a lack of any oversight or appellate mechanism against the orders passed by the NPDA.

Then, the scope of public good needs to be revisited. Currently, it has been left open-ended, which could create vulnerabilities when data trustees request certain datasets. Lastly, a clear picture of the relationship between data trustee and data custodian needs to be established. Where a data trustee is an interested party in the domains in which HVDs are created, this could create possible conflicts of interest.

The committee has come up with several positive changes, having adopted a forward-thinking approach. While there are still some concerns as outlined above, the NPD framework’s development is moving in a positive direction and there is good reason to believe that the additional issues will also be resolved by building on the current progressive discourse around the subject.

(Ayush Tripathi is a policy research associate and Gautam Kathuria is a policy analyst at The Dialogue)