Report Summary
- In July 2020, the Expert Committee (Chair: Mr. Kris Gopalakrishnan), constituted by the Ministry of Electronics and Information Technology to study various issues relating to non-personal data, had published a draft report for public consultation. The Committee observed that non-personal data should be regulated to: (i) enable a data-sharing framework to tap the economic, social, and public value of such data, and (ii) address concerns of harm arising from the use of such data. Based on the feedback received from this consultation, the Committee released a revised version of the draft for public consultation in December 2020.
- Non-personal data: Non-personal data is defined as data which is not personal data as per the Personal Data Protection Bill (PDP), 2019 or data without any personally identifiable information. The PDP Bill defines personal data to include data about characteristics, traits, or attributes of identity, which can be used to identify an individual. In terms of origin, non-personal data can be data which was never related to natural persons (such as data on weather or supply chains), or data which was initially personal data, but has been anonymised (through use of certain techniques to ensure that individuals to whom the data relates to cannot be identified).
- Further, the Committee recommended that PDP Bill should be amended to remove provisions related to non-personal data so that there is no overlap between the two regulatory frameworks. Currently, the PDP Bill empowers the central government to direct any entity to provide non-personal data for targeting of delivery of services or formulation of evidence-based policies.
- Consent for anonymisation of personal data: The Committee observed that large collections of anonymised data can be de-anonymised, especially using multiple non-personal data sets. Hence, the individual needs more protection. The Committee recommended that data collectors should provide a notice to the individuals and offer them an option to opt out of data anonymisation.
- Rights of community over non-personal data: The Committee held that a community can exercise rights over non-personal data. It defines community as any group of people that are bound by common interests and purposes and are involved in social or economic interactions. The community could be a geographical community or an entirely virtual community. The community may form a society, trust or not-for-profit organisation to raise a complaint with regulatory authority about harms emerging from sharing of non-personal data about their community.
- Data custodians and processors: Data custodian is a public or private entity which undertakes collection, storage, processing, and use of data. Data custodian will have a duty of minimising harms to the concerned community. A data processor is defined as a company that processes non-personal data on behalf of data custodian. Data processors will not be considered a data custodian under the framework.
- High-value datasets and data trustees: Datasets which are beneficial to the community at large and are shared as a public good have been classified as high-value datasets. It will include datasets useful for: (i) economic objectives such as financial inclusion, healthcare, and urban planning, (ii) creation of new and high-quality jobs, (iii) creation of new businesses. A representative entity called data trustee can be appointed for creation, maintenance, and sharing of high-value datasets. A data trustee will request data custodians for the required data.
- Sharing of non-personal data: The Committee recommended that data trustees share high-value datasets with public and private organisations (registered in India) for public good purposes. Public good purposes include community uses, research and innovation, policy development, and better delivery of public services. For sharing high-value datasets, certain reasonable charges may be paid to the data custodian towards the processing of data such as anonymisation, aggregation, and sharing. Data trustees may also levy a nominal charge to the data requesters towards data infrastructure and processing.
- Data businesses: Any business which collects, processes, stores, or otherwise manages data will be classified as a data business. A data business above a certain threshold will be required to register in India. The threshold could include gross revenue, the number of consumers/households/devices handled, and the percentage of revenues from consumer information. Data business will be required to share metadata (information describing data) on the data they manage. Organisations registered in India will have open access to this metadata. Access to metadata will provide opportunities for identifying datasets which may be beneficial in community interest.
- Non-Personal Data Authority: Non-Personal Data Authority will be established for putting in place the framework for the governance of non-personal data. The Authority will be responsible for framing guidelines concerning data sharing and risks associated with non-personal data. The Authority will adjudicate in cases where data custodian refuses to share a high-value dataset with the data trustee.
DISCLAIMER: This document is being furnished to you for your information. You may choose to reproduce or redistribute this report for non-commercial purposes in part or in full to any other person with due acknowledgement of PRS Legislative Research (“PRS”). The opinions expressed herein are entirely those of the author(s). PRS makes every effort to use reliable and comprehensive information, but PRS does not represent that the contents of the report are accurate or complete. PRS is an independent, not-for-profit group. This document has been prepared without regard to the objectives or opinions of those who may receive it.