ALG India Law Offices LLP
What's New
Review: Government Report on Non-Personal Data Governance Framework (MeitY)
Author: Gaurav Bhalla
Introduction
A Committee of Experts (under the chairmanship of Mr. Kris Gopalakrishnan, Co-Founder Infosys) was constituted by the Ministry of Electronics & Information Technology (MeitY) to deliberate on a Data Governance Framework. The goals for the committee were to: (i) to study various issues relating to Non-Personal Data; and (ii) to make specific suggestions for consideration of the Central Government on regulation of Non-Personal Data. The Committee prepared and published a Report on Non-Personal Data Governance Framework and invited comments from the public.
The report covers several aspects pertaining to Non-Personal Data including providing for a definition of Non-Personal Data, elaboration on the concept of community data and the appropriate rights and privileges over this data. The Report also defines and elaborates on three categories of Non-Personal Data – Public, Community and Private. It has also introduced a concept of a new horizontal classification under which some businesses which would qualify as a Data Business. Further, the Report has also defined purposes for data sharing under sovereign, core public interest and economic purposes. The report finally recommends the establishment of a Non-Personal Data Regulatory Authority with an enabling role as well as enforcing role.
What is Non-Personal Data?
The Report firstly, on a general note, states that the data which is not ‘Personal Data’ [as defined under the Personal Data Protection (PDP) Bill], or the data is without any Personally Identifiable Information (PII), it is considered Non-Personal Data. Thereafter, the Report goes on to elaborate on the definition by stating that non-personal data would be:
1. Data that never related to an identified or identifiable natural person; and
2. Data which was initially personal data, but was later made anonymous.
Categories of Non-Personal Data
The Report provides for the following three categorisations of Non-Personal Data:
1. Public Non-Personal Data – Non-Personal Data which is collected or generated by the governments, or by any agency of the governments, and includes data collected or generated in the course of execution of all publicly funded works. A few examples of these are anonymised data of land records, public health information, vehicle registration data, etc.
2. Community Non-Personal Data – Non-Personal Data, including anonymised personal data, and non-personal data about inanimate and animate things or phenomena – whether natural, social or artefactual, whose source or subject pertains to a community of natural persons. A few examples of these are datasets collected by the municipal corporations and public electric utilities, etc.
3. Private Non-Personal Data – Non-Personal Data collected or produced by persons or entities other than the governments, the source or subject of which relates to assets and processes that are privately-owned by such person or entity, and includes those aspects of derived and observed data that result from private effort.
Sensitivity of Non-Personal Data
The Report recognises that even if Personal Data is anonymised into Non-Personal Data, the possibility of harm to the original data subject(s) cannot be ruled since no anonymisation technique provides perfect irreversibility. The Report states that possibilities of such harm are obviously much higher if the original Personal Data is of a sensitive nature. In light of this, the Report recommends that the Non-Personal Data arising from such sensitive Personal Data may be considered as sensitive Non-Personal Data. The Report goes on to recommend that Non-Personal Data inherits the sensitivity characteristic of the underlying Personal Data from which the Non-Personal Data is derived.
Consent for Anonymised Data
Under the Personal Data Protection Bill, consent is necessary for the collection and processing of Personal Data. We cannot assume that consent provided for Personal Data applies automatically to Non-Personal Data. Accordingly, the Report recommends that the data principal should provide consent for anonymisation and usage of this anonymised data while providing consent for collection and usage of his/her Personal Data.
Key Non-Personal Data Roles
The Report mentions a set of roles/stakeholders and data infrastructures needs to be defined in order to develop and enable a robust Non-Personal Data ecosystem. It recommends the following roles:
1. Data Principal – In case of Public Non-Personal Data, the data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates. In case of Private Non-personal Data, the data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates. In case of Community Non-Personal Data, a community, that is the source and/or subject of community data may be treated as the data principal
2. Data Custodian – The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal. Data custodians have a ‘duty of care’ to the concerned community in relation to handling Non-Personal Data related to it.
3. Data Trustees – The data principal group/community will exercise its data rights through an appropriate community data trustee. In the case of community data, unlike personal data where an individual can directly exercise control over her data, the concept of trustee for community data comes in, who would exercise such rights on the behalf of the community. The Report mentions that, in principle, it should be the closest and most appropriate representative body for the community concerned.
4. Data Trusts – Data trusts are the institutional structures, comprising specific rules and protocols for containing and sharing a given set of data. Data trusts can contain data from multiple sources, custodians, etc. that is relevant to a particular sector, and required for providing a set of digital or data services. Such data trusts and infrastructures can be managed by public authorities or by new, neutral bodies, cooperatives, or industry associations, and so on.
Ownership of Data
The Report recommends that in case of Non-Personal Data derived from personal data of an individual, the data principal for personal data will continue to be the data principal for the Non-Personal Data, which should be utilized in the best interest of that individual. On the other hand, the rights over community Non-Personal Data collected in India should vest with the trustee of that community, with the community being the beneficial owner, and such data should be utilized in the best interest of that community. The Report adopts a notion of “beneficial ownership/interest” in ensuring that a Community’s interests are safeguarded regarding non-personal data over which there is an expectation of benefits being accrued to itself.
Concept of Data Business
The Report states that data business is not an independent industry sector. It is a horizontal classification cutting across different industry sectors. For example, companies in banking / finance, telecom, Internet-enabled services, transportation, consumer goods, travel, universities, private research labs, non-government organisations etc. may be classified as ‘Data Businesses’ based on a certain threshold of data collected / processed that will be defined by the regulatory authority.
The design principle for registration of and disclosures b data businesses is to be purely digital, lightweight and self-certified with a transparent framework written in code.
The data business would be required to submit meta-data about data user and community from which data is collected, with details such as classification, closest schema, volume, etc. This will be as per a directory of data classification and schema published by the Non-Personal Data Authority.
Indian citizens and India-based organizations will have open access to the meta-data about data collected by different data businesses including governments. Potential users may identify opportunities for combining data from multiple data businesses and/or governments to develop innovative solutions, products and services. Subsequently, data requests may be made for the detailed underlying data.
Data sharing and purposes of data sharing
The Report states that open-access to metadata and regulated access to the underlying data of data businesses will spur innovation and digital economy growth at an unprecedented scale in the country. The Report has also elaborated on the following 3 purposes of data sharing:
1. Sovereign purpose – Data may be requested for national security, law enforcement, legal or regulatory purposes. For example, data requested for mapping security vulnerabilities and challenges, including people’s security, physical infrastructure security and cyber security, data required for crime mapping, devising anticipation and preventive measures, and for investigations and law enforcement.
2. Core public interest purpose – Data may be requested for community uses / benefits or public goods, research and innovation, for policy development, better delivery of public-services, etc. The Report states that data held by the private sector when combined with public sector data or otherwise may be useful for policy making, improving public service, devising public programs, infrastructures, etc. and, in general, supporting a wide range of societal objectives including science, healthcare, urban planning etc.
3. Data sharing for economic purposes – Data may be requested in order to encourage competition and provide a level playing field or encourage innovation through start-up activities (economic welfare purpose), or for a fair monetary consideration as part of a well-regulated data market, etc.
Startups / businesses would have access to the meta-data about data collected by different data businesses and governments. From the meta data, these startups/ businesses may identify opportunities for combining data from multiple data businesses and/or governments to develop innovative solutions, products and services.
Data Sharing mechanisms
The Report recommends that the Government should improve on existing Open Government Data initiatives, and should ensure that high-quality Public Non-Personal Datasets are available.
With respect to sharing of private data, only the raw / factual data pertaining to community data that is collected by a private organization need to be shared, subject to well-defined grounds at no remuneration. Where processing value-add is non-trivial with respect to the value or collective contribution of the original community data and
collective community resources used, data sharing may still be mandated but on FRAND (fair, reasonable and non-discriminatory) based remuneration. With increasing value-add it may just be required that the concerned data is brought to a well-regulated data market and price be allowed to be determined by market forces, within general frameworks of openness, fairness, etc.
Checks and balances
Among other safeguards (in the form of testing and probing tools, expert probing, contractual obligations, etc.), the Report recommends the following safeguards as regards location of storage and processing of data:
Sensitive non-personal data may be transferred outside India, but shall continue to be stored within India
Critical non-personal data can only be stored and processed in India.
General non-personal data may be stored and processed anywhere in the world.
Non-Personal Data Authority
The Report recommends creation of a regulatory authority which will focus on unlocking value in Non-Personal Data for India. This authority will be a proactive actor providing early and continued support for Indian digital industry and startups, and ensuring that necessary data is available for all the needed social, public and economic purposes. This authority must evaluate the nature of data sharing requests to avoid unfair or spurious requests which don’t serve social, public or economic purposes.
The authority will have two roles to play –
1. Enabling role – Ensuring that data is shared for sovereign, social welfare, economic welfare and regulatory and competition purposes and thus spurring innovation in the country.
2. Enforcing role – Ensuring all stakeholders follow the rules and regulations laid, provide data appropriately when data requests are made, undertaking ex ante evaluations of the risk of re-identification of anonymised personal data and so on.
The Non-Personal Data Authority will ensure a level playing field for all Indian actors to fulfil the objective of maximising Indian data’s value to the Indian economy.
Disclaimer: Views, opinions, interpretations are solely those of the author, not of the firm (ALG India Law Offices LLP) nor reflective thereof. Author submissions are not checked for plagiarism or any other aspect before being posted.
Copyright: ALG India Law Offices LLP.