Context: A government committee headed by Infosys co-founder Kris Gopalakrishnan has suggested that non-personal data generated in the country be allowed to be harnessed by various domestic companies and entities.
More on the news:
- The nine-member committee has released the draft report for the public to send suggestions.
- It has also suggested setting up of a new authority which would be empowered to monitor the use and mining of such non-personal data.
Highlights of the report:
- A data-sharing regulation: To shift data’s economic benefits for citizens and communities in India as well as help the government in policy making and service delivery.
- The report’s proposed regulation would require companies to share their private data, excluding “proprietary data”, at no remuneration.
- Citizens, startups, researchers, and the government can request data for purposes of national security, legal, public interest (such as service delivery), and economic purposes to create a level playing field.
- Non-personal data: Refers to any set of data which does not contain personally identifiable information. The report focuses on three types of non-personal data:
- Public non-personal data, owned by governments
- Private non-personal data, owned by non-government players and derived from assets or processes privately-owned, and
- Community data which is the raw data of a group of people that may also be collected by private players.
A broader version of this proposal had made its way into the IT Ministry’s Personal Data Protection (PDP) Bill (currently in the Parliament).
- A new business category called “Data Businesses”: That exists horizontally across sectors.
- Community data: The report argues that legal and ownership rights over this type of data should be given to a trustee of the community, most often a community body or government agency.
- This trustee can collaborate with a new data regulator called the Non-Personal Data Authority (separate from a Data Protection Authority called for by the pending Data Bill) to seek and enforce data sharing.
What makes non-personal data very sensitive?
According to the committee -
- Data in certain categories, even if provided in anonymised form such as data related to national security or strategic interests such as locations of government laboratories or research facilities, can be dangerous.
- Data regarding health of a community or a group of communities, though may be in anonymised form, can still be dangerous. Possibilities of such harm are much higher if the original personal data is of a sensitive nature.
Therefore, the non-personal data arising from such sensitive personal data may be considered as sensitive non-personal data.
Global standards on non-personal data:
- EU regulation framework for the free flow of non-personal data: Came in 2019, suggested that member states of the European Union would cooperate with each other when it came to data sharing.
- The framework requires member states to inform the commission of any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement.
- However, the framework had not defined what non-personal data constituted of.
- In several other countries across the world, there are no nationwide data protection laws, either for personal or non-personal data.
Significance of regulating and sharing non-personal data:
- The committee strongly believes that meta-data sharing by Data Business will spur innovation at an unprecedented scale in the country.
- One of the associated key objectives is to promote and encourage the development of domestic industry and startups that can scale their data-based businesses.
- Social and economic benefits: The recommendations, if implemented, will help businesses create value of their data having an economic good, not just information.
- Minimize the possibility of data monopolies: Created as a result of imbalances in bargaining power between few companies (first-mover advantage) with access to large data sets accumulated in a largely unregulated environment.
Issues with India’s non-personal data draft:
- Silent on community rights: The draft proposes the nebulous concept of community data while failing to adequately provide for community rights.
- Privacy concerns: Non-personal data often constitutes protected trade secrets and often raises significant privacy concerns.
- Regulation must be clear, and concise to provide certainty to its market participants.
- Clearly define the roles of all participants: The final draft of the non-personal data governance framework must clearly define the roles for all participants, such as the data principal, the data custodian, and data trustees.
- The report is unclear on these counts, and requires public consultation and more deliberation
Image Source: IE