The Quint, July 23, 2020
The report has proposed the legislation of a separate law to govern and regulate non-personal data.
An expert committee set up by the Union Electronics & IT Ministry (MeitY) in 2019 has come up with a framework to regulate and leverage non-personal data.
The “Report by the Committee of Experts on Non-Personal Data Governance Framework” recommends that “the world is awash with data” and it must be regulated in order to create economic value for the country and citizens.
The framework proposes a separate “new national law” to govern non-personal data as well as the creation of a Non-Personal Data Authority.
The 72-page report, however, has come under sustained criticism since its publication on 13 July.
Legal, policy and technology experts have pointed out the vagueness in language, lack of a proper inter-ministerial or public consultation, contradiction with other policy proposals and the provision of wide powers to the government to collect and use data without judicial oversight.
What is Non-Personal Data?
Among the tasks the committee was entrusted with was to define what “non-personal data” exactly means.
According to the report, “When the data is not ‘Personal Data’ (as defined under the Personal Data Protection Bill), or the data is without any Personally Identifiable Information (PII), it is considered Non-Personal Data.”
The report identifies non-personal data from two perspectives:
- Any data that is not related to an identified or identifiable natural person, such as data on weather conditions.
- Or, is personal data that has been anonymised.
The committee has defined three categories of Non-Personal Data:
- Public Non-Personal Data
- Community Non-Personal Data
- Private Non-Personal Data
The Committee has also defined a new concept of ‘sensitivity of Non-Personal Data,’ “as even Non-Personal Data could be sensitive from the following perspectives”:
- It relates to national security or strategic interests
- It is business sensitive or confidential information
- It is anonymised data, that bears a risk of re-identification
How Has This Report Come About?
The Centre, on 13 September 2019, formed a committee of experts to deliberate on a data governance framework, which would study “the economic dimension of data” and “various issues related to non-personal data.”
The Ministry of Electronics & IT (MeitY), in an official note, stated that a nine-member committee, with Infosys co-founder Kris Gopalakrishnan as chairman, “will deliberate on a data governance framework” primarily pertaining to a category of data described as community data.
The Committee comprises nine members from the private and public sectors:
- Kris Goapakrishnan: Co-founder Infosys
- Additional Secretary/Joint secretary DPIIT
- Debjani Ghosh: President, Nasscom
- Neeta Verma: Director General, National Informatics Center
- Lalitesh Katragadda: Founder, Indihood
- P Kumaraguru: IIIT Hyderabad
- Parminder Jeet Singh: Executive Director, IT For Change
The government has invited comments on the Governance Framework till 13 August.
Non-Personal Data as an ‘Economic Good’
This report flows from the Centre’s overarching position that data is primarily an economic good. This is reflected in the Personal Data Protection Bill (currently tabled in Parliament), the Economic Survey of India in 2019 and 2020 as well as the decision of ministries to sell the data of citizens without consent to generate revenue.
“Data creates economic value and wealth, apart from enormous social and public value,” the report states in the section titled ‘Case for Regulating Data.’
Explaining that data is increasingly taking the centre-stage in core-technological businesses, the report states, “It is in this context, that the Committee has sought to set out the case for regulation of data. As a starting point therefore, one needs to understand the nature of data as an economic good.”
The Committee goes on recommend that rules and regulations are required to manage data in a manner such that leads to the “creation of economic value from use of data and generate economic benefits for citizens and communities in India and unlock the immense potential for social / public / economic value data.”
Udbhav Tiwari, Public Policy Advisor at Mozilla, expands on the government’s interpretation of data as an economic good and the committee’s view of community rights over non-personal data.
“By community rights what the report means is that it views data like land or other natural resources – as an extractable and exploitable resource. The report attempts to tell how to go about this,” Tiwari told The Quint.
“It couches everything in this nebulous concept of community data but does nothing for community rights,” Tiwari added.
What About Privacy of Citizens’s Data?
The report identifies four key roles related to non-personal data: Data principal, data custodian, data trustees and data trusts.
Individuals, whose data may be collected and used by private companies are seen as data principals while the data custodians are those that undertake “collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal.”
The government or private companies, therefore can be ‘data custodians’ while individual citizens, to whom the data pertains would be the ‘data principals’.
Nikhil Sud, a lawyer and regulatory affairs specialist, writes in a Medianama analysis piece, “the report frequently – and commendably – notes the importance of acting in the best interest of the data principal but it stops short of explaining what that means.”
Udai S Mehta, deputy executive director, CUTS International, a consumer rights organisation points out that the relation between data custodian and data principal is not clear from the text of the report.
“Given the uneven bargaining power, the data regulator must empower individual and community data principals to confidently negotiate and enforce their rights with respect to data custodian,” said Mehta.
“While the report mentions that data custodians are required to act in ‘best interest’ and have a ‘general duty to care’, these obligations must not remain mere principles, but should be enforceable as well,” Mehta further said, adding “data principals and the regulator should be able to clearly examine if these principles are complied with or not, and initiate appropriate actions.”
A major concern arises also from the manner of the government’s access to data. The report suggests that the government may collect and use NPD “national security, law enforcement, legal or regulatory purposes.”
Sud, in his analysis warns that “This broad language can spur concerns regarding state surveillance, and potentially discourage consumers to share data with the government or with businesses, stunting innovation and growth.”
What About the Consultation Process for This Report?
While the committee, comprising members from the field of technology belonging to the government, public and private sectors, deliberated on the issue for over nine months, there is no mention in the report of any consultation with other experts.
“It’s apparent that it wasn’t made through a public consultation process as it seems to create new rules and an economy that bears no resemblance with the state of data in the world or the requirements of an Indian society,” said Mishi Choudhary, technology lawyer and founder of SFLC.in . “It’s locked within too narrow a perspective and fails to ask any inter disciplinary questions,” she adds.
Choudhary points out that a “glaringly surprising part” is that the framework’s relationship with the copyright law, trade secrets law or any other laws has not been discussed at all other than mentioning a pending Data Protection Bill.
“It seems as if the committee wrote in vacuum and presented rules and a bunch of conclusions. No sociologists or economists seem to have been consulted and therefore conclusions presented are orthogonal to what the rest of the world is thinking,” Choudhary further stated.
High on Rhetoric, Vague on Details
Among the major issues raised by several analysts and experts is that of the language of the report.
“The report on Non-Personal Data is a culmination of over two years of discussion. However, the report language appears vague and does not account for many of the concerns raised,” Udbhav Tiwary told The Quint.
“Many of the recommendations are ambitious and further this narrative of data as an exploitable resource. However, there are many risks to vulnerable communities that the report does not address.” – Udbhav Tiwary, Public Policy Advisor, Mozilla
As an example of a recommendation that appears high on rhetoric and low on implementability, Tiwary points out the example of the Non-Personal Data Authority (NPDA).
“It will be incredibly challenging to implement some of recommendations regarding the NPDA and its role. The amount of rhetoric here is very high as is the case with technical recommendations regarding metadata,” he further said.
According to the report, the NPDA will have two roles. First, an “enabling role” to ensure that data is shared for sovereign, social welfare, economic welfare and regulatory and competition purposes, and second, an “enforcing role,” ensuring all stakeholders follow the rules and regulations.
This news item can also be viewed at: