This article is written by Nikita Arora, from the Trinity Institute of Professional Studies. This is an exhaustive article which deals with the framework of non-personal data.
Table of Contents
Introduction
In 2019, the Ministry of Electronics & Information Technology (MEITY) formed a Committee to make recommendations on the regulation of non-personal data for the Central Government’s consideration. The expert committee headed by Mr. Kris Gopalakrishnan, co-founder of Infosys, released its report on the system for non-personal data governance. It researched the different issues of non-personal data and made clear suggestions for the Central Government’s consideration of non-personal data regulation. It released its report on 12 July 2020.
The report attempted to describe non-personal data and suggested many definitions, including the notion of society, public and private data, non-personal data authority, data trusts, data companies, data custodians, etc. This committee of experts was effectively set up to provide the areas of focus and a blueprint for adequate control and balance structure of governance. While many of the areas of focus were outlined in the report, it failed to explain what kind of administrative framework could help in controlling non-personal data, ensuring that data leaders benefit equally from the collection of their data, or how abuse can be halted.
Definition of non-personal data
A data that is not personal and does not involve or apply to a natural person who is directly or indirectly identifiable, taking into account any function, characteristics, attributes, or other characteristics of the identity of that natural person, whether online or offline, or any combination thereof with any other details, and shall contain any conclusion derived from such data for profiling, or the data is without any publicly identifiable information.
Mandatory data sharing
In the report, the committee mainly recommended three reasons for data sharing:
Sovereign purpose
For the protection of legal and regulatory purposes, data can be required.
Core public interest purpose
For community uses/benefits or public goods, analysis and creativity, for greater public service delivery, policy creation, etc., data can be required.
Economic purpose
Data may be required for economic welfare purposes to foster competitiveness and have a level playing field in any industry, including, most notably, to allow domestic start-up operations or as part of a well-regulated data market for equal monetary consideration, etc.
Market disruption
In the report, the committee stated that, by gathering, preserving, analysing, and handling data, companies gain new or additional economic value from data. For example, a hospital not only derives economic benefit from the provision of medical care but may generate extra value from the use of medical data and the provision of value-added services (such as customised treatment plans). The committee, therefore, recommended the development of a new sector category /taxonomy called ‘Data Business’ that satisfies certain requirements for the data limit.
The report envisages that companies may be categorised as data businesses based on a threshold of data obtained or stored. Firstly, it should be explained whether the data gathered or the data analysed, or both would be included in the calculation of the data enterprise threshold stage. The study does not explain why data processors are handled at the same level as data controllers. This could result in a workload for data processors who only process the data supplied by the data controllers. There is a provision on open access to meta-data directories of data enterprises in the data disclosures section. Meta-data is a vital aspect of the different services implemented by data providers and free access to meta-data will contribute to creativity stifling and reducing the competitive advantage companies can have.
Rationale and underlying assumption
The report does not explain what kind of administrative framework will help control non-personal data, ensuring that data leaders benefit equally from the collection of their data, or how abuse can be halted. The aim of the study appears to be to find opportunities to monetize knowledge and the rights of people are something of an afterthought.
Architectural consistency and ethical coherence are absent in the non-personal data governance system. The meanings and categorizations are especially ambiguous. It does not provide an overview of the relationship between its plans and current legal rights. The report assumes that knowledge has an inherent value, but it does not specify what this intrinsic value is and how it can help individuals, governments, and the private sector.
Links between personal and non-personal data are not rigorously specified in the report. The examples and diagrams, which are arbitrarily picked, demonstrate that any personal data can be reclassified as non-personal data by introducing unsuccessful anonymization approaches that have been previously proven by researchers in the field do not work. The report makes certain assumptions that haven’t been checked even on a pilot basis. It was based, on a one-size-fits-all solution which is not the case. The use of weather data or road data, for example, would not be identical to the use of data classified as private or vital non-personal data.
Looking ahead
At the very least, the Non Personal Data (hereinafter referred to as NPD) landscape in India is perplexing. There is no clarification on how non-personal data regulations and regulators will interact with personal data regulations and regulators. This necessitates an immediate and persuasive response, particularly given that certain aspects of data governance such as the regulation of inferred data and the characterization of mixed datasets seem to fall squarely within the purview of both. The interaction between the NPD system and competition law, as well as intellectual property, remains unaddressed, putting not only weak data governance but also regulatory arbitrage at risk.
The proposed structure is based on the basic premise that data can be priced, sold, and owned, which is at best reductive because it deliberately ignores the non-economic, non-price dimensions of data, which have been expressly recognised by the Supreme Court in KS Puttaswamy v. Union of India, and the Srikrishna Committee during the PDP Bill’s drafting.
Case for regulation
Several arguments in favour of NPD access rights have been advanced over the last two years. Governments around the globe accept that creativity, invention, and policy initiatives powered by data will do tremendous public benefit. Aggregated commuter results, for example, will help municipalities provide improved transit networks, introduce safer traffic laws, and reduce their carbon footprint. It is also argued that to create a data-agile economy that reinforces equal competition, NPD should flow smoothly between jurisdictions, states, and corporations. Another school of thought suggests that NPD (like population data) will contribute to the recognition of a particular group and its particular needs when paired with technical resources and other knowledge, which would then facilitate improved distribution and targeting of private and public services. As a consequence, many jurisdictions have begun to look closely at how best to control NPD processing to optimise the gains that come from it.
Definition of NPD and types of NPD
Where the data is not personal data and does not involve or apply to a natural person who is directly or indirectly identifiable, taking into account any function, characteristics, attributes, or other characteristics of the identity of that natural person, whether online or offline or any combination thereof with any other details. The non-personal data shall be known as non-personal data and shall contain any conclusion derived from such data for profiling, or the data is without any publicly identifying information.
Types of NPD in the report
-
Public non-personal data
It means non-personal data collected or produced by governments or any government entity which requires data collected or generated by all publicly funded works in the process of implementation. It contains anonymised land register data, records on public health, vehicle registration data, etc. Public non-personal data shall not constitute any non-personal data obtained or produced by the government, where such data is expressly given confidential status under the statute.
-
Community non-personal data
It means non-personal data, including anonymised personal data, and non-personal information about inanimate and animate things or phenomena, whether real, social, or artifactual, excluding private non-personal data, whose source or subject belongs to a group of natural persons. This includes datasets gathered by local corporations and public electric utilities, datasets composed of consumer data gathered by private players such as telecoms, e-commerce, ride-hailing providers, etc.
-
Private non-personal data
This means non-personal data gathered or generated by individuals or organisations other than states, the source or subject of which relates to the properties and processes of which that individual or organisation is privately owned, and involves certain elements of the data acquired and observed as a result of private efforts. This involves assumed or generated data/insights concerning algorithm use, patented algorithms, etc.
Sensitivity of NPD
Provided that private or personal information can contribute to mutual harm to privacy, even in the form of Non Personal Data, a new definition of ‘Sensitive NPD’ has been identified by the Committee. Non Personal Data that can contribute to the national security or strategic objectives, such as:
(I) Critical infrastructure;
(II) Business-sensitive or classified information; or
(III) Anonymised information that is at risk of being re-identified.
With concern to anonymised data, the Committee has proposed that the sensitivity of the underlying SPD should be inherited by all NPDs extracted from sensitive personal data (SPD), as specified under the PDP Bill., However, unlike the enhanced enforcement of the PDP Bill with the SPD, the Committee presented little detail on the additional steps to be taken to secure the Sensitive NPD, other than some limitations on cross-border transactions.
In addition, such a concept is only useful in situations where the underlying data, such as health data, can be easily defined as SPD. The classification of NPD as vulnerable in this regard should not be focused entirely on the inclusion of the underlying SPD, since even NPDs that do not have underlying SPD datasets can also be considered sensitive.
For example, by layering non-sensitive datasets of the address and travel background of individuals in a city, a dataset containing information about possible COVID-19 danger areas in a city may be generated. Such a dataset is likely to be called Vulnerable NPD even though SPD does not constitute any of the underlying datasets.
Consent for anonymised data
The Committee has tried to shield people from any danger resulting from such re-identification, acknowledging the possibility of anonymised data being de-anonymised. To avoid or reduce the risks of re-identification, the Committee has recommended that appropriate anonymisation criteria be established and has set out recommended anonymisation procedures that should be followed. To ensure consistency between the two jurisdictions, certain requirements must be harmonised with those notified under the Personal Data Protection Bill. In addition, the Committee proposed that any personal data that is being anonymised should continue to be known as the provider’s NPD. Therefore, permission for the anonymisation of the personal data and the subsequent usage of the resulting anonymised data should be required by the person. Under the Personal Data Protection Bill, this permission may be sought at the time of compilation of the personal dagta.
Key constituents of NPD ecosystem
Within the NPD framework, the Report lists the following positions for future players:
Data principles
In the case of the Public NPD and Private NPD, the person to whom the data refers is the person (individuals, corporations, communities). The group which is the root of the NPD will be the data principle in the case of Community NPD. In relation to PD, this is analogous to the categorization of a data principal under the PDP Bill, with Data Principles authorising their NPD to exert considerable authority and economic rights.
Data trust
There is an institutional framework that is constrained by the rules for dealing with a single NPD package. These trusts may retain NPDs that may be freely exchanged on orders from the government or Data Trustees by Data Custodians, or mandatory shared NPDs. The Committee has, however, offered very little input into how data trusts will work, including how such trusts will be formed, who will decide their members, and their role in the NPD ecosystem.
Data custodian
This is the person who carries out NPD selection, storage, sorting, and use. Public or private sector agencies processing NPD, such as government departments, telephone providers, or e-commerce organisations, maybe data custodians. Data custodians must comply with NPD Regulation specifications, such as the implementation of specified levels of anonymisation. Data custodians use NPD in a way that is in the “best interest” of the data principal. They have a responsibility towards the person or group from which NPD has been received. This theory is identical to that of a data fiduciary under the PDP Bill, which sets out clear duties for the data fiduciary to fulfill concerning the data rights of the data principal. The norm for protecting the data principal’s ‘best interest’ is still undefined, and the Committee has proposed that they be detailed in the NPD regulations. They also suggested that anonymization strategies and graduated data sharing could relate to those requirements.
-
Data trustee
This is the agent by which a group exercises its data rights and who takes steps to protect the community from any mutual damage resulting from the use of Community NPD. The Data Trustee may be the nearest and most fitting elected body for a community in most situations and can be a government entity at any level. It may also, however, be citizens’ organisations (such as municipal data health residents’ associations) or civil society organisations. There is, however, little guidance about how to identify a Data Trustee, the qualifying requirements for such an individual, or whether group data representatives play a role in selecting the Data Trustee, and this is to be given under the NPD Regulations.
Rights over NPD
They embraced the idea of ‘beneficial control/interest’ of data because, due to the non-rivalrous existence of data, multiple actors can have simultaneous ownership rights and data privileges. The beneficial interest of society is operationalized by a data trustee. To maximise gains and mitigate risk to the environment, the community will decide and monitor how certain data and information is used, possibly by the data trustee.
Establishment of NPD authority
The report proposes that a separate non-personal data authority should be created because non-personal data is still an emerging field in India. It has been mentioned at one point in the study that the primary goal of the Non-Personal Data Authority (‘the Authority’) would be to unlock the importance of non-personal data in India and not to avoid personal injury. This blurs the demarcation between a corporation or government and a regulator’s position. Instead, the role of a regulator should not be to stimulate creativity but to safeguard the interests of all concerned stakeholders. The authority should be granted powers to hear citizen situations as well. However, the report limits the authority’s mandate to work on the exchange of data, competition, re-identification, and mutual privacy.
Conclusion
There is no question that the present non-personal data usage and enforcement study is a rather progressive approach embraced by MEITY, taking into account technical advancements and data production. Without an iota of doubt, any statute adopted by the Government of India on the guidelines of this report will certainly help ensure that the economic aspect of non-personal data, which will be a win-win situation for all the parties concerned is properly used and exhausted.
References
- https://ourgovdotin.files.wordpress.com/2020/07/kris-gopalakrishnan-committee-report-on-non-personal-data-governance-framework.pdf
- Guidance on the Regulation on a Framework for the free flow of non-personal data in the European Union, Communication From The Commission To The European Parliament And The Council, COM(2019)
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: