Privacy Data Protection Bill: Redressal mechanisms needed for non-personal data

Business Line, July 19, 2020

Legal experts have raised concerns over a lack of grievance redressal mechanisms (for individuals and communities), in case of a breach and glaringly overlooked copyright laws, as a part of the Expert Committee report on Non-Personal Data (NPD).

The Ministry of Electronics and Information Technology (MeITY) had tasked a committee under the Chairmanship of Infosys’ co-founder, Kris Gopalakrishnan, to prepare the framework for NPD. The report suggested a separate national legislation and a separate authority to oversee NPD. This development follows the legislation around the Personal Data Protection Bill, 2019, to frame rules that can govern personal and non-personal data.

NPD has been classified into two sections – public NPD that refers to data collected by government (such as public health information) and community-generated NPD. The committee in its 72-page report has mooted for a new regulator to handle NPD, and suggested mandatory sharing of data, creation of data trusts, amongst others.

Clarity on data rights

Industry watchers believe that the committee has not highlighted avenues and mechanisms to address their grievances and enforce their rights in case of violations. “There should be clarity on institutions authorised to hear complaints of data principals and provide redressal mechanisms, which is missing at present,” said Udai S Mehta, Deputy Executive Director, CUTS International, a public policy think tank.

Even as rules are being framed to ascertain the value of NPD, there is a widespread belief that it should not undermine the rights of data principals.

‘Data principals’ refers to personal data of individuals as defined in the Privacy Data Protection Bill, 2019. “There should be provisions regarding compensation to data principals in case of non-compliance. Liabilities of data custodians, businesses, trustees are also not sufficiently laid down,” said Mehta.

This issue assumes significance in the country as India is the second highest number of smartphone users and a 550 million internet base is one of the top consumer markets. With large amounts of data generated the government is trying to balance needs of citizens and businesses.

Government’s view

The Committee has also mooted mandatory sharing of personal and non-personal data, as it may be useful for Indian entrepreneurs to develop new and innovative services or products to benefit citizens. “The glaringly surprising part is that relationship with the copyright law or trade secrets law or any other laws has not been discussed at all,” said Mishi Choudhary, Technology Lawyer and Managing Partner at Mishi Choudhary and Associates.

Mehta added, “Such forced data sharing may also go against intellectual property rights and may non incentivise innovation,” he said.

While the government is contemplating a number of new legislations or regulations with ‘data’ as a focal point, what has to be kept in mind is that there is no conflict or overlaps between these and the authority of the regulators, said Supratim Chakraborty, Partner, Khaitan & Co.

The creation of a separate NPD Authority would complicate matters as there is an existing Data Privacy Authority. “There should be a single data regulator, else silos will be created,” said Mehta.

This news item can also be viewed at: