Analysis

Report by the Committee of Experts on Non-Personal Data Governance Framework

17 Jul 2020

The Report recommends the introduction of new legislation and a regulatory authority to govern non-personal data. The proposed legislation, if modelled along the lines of the Report, is likely to significantly impact the manner in which businesses use, process, store and share non-personal data.

The Ministry of Electronics and Information Technology (MEITY) constituted a committee of experts (Committee) in September 2019, to devise a framework for regulation of non-personal data (NPD). The Committee released its report (Report) on 12 July 2020 for public consultation/feedback, and has set a deadline of 13 August 2020 for comments from the public. The Committee has proposed the introduction of legislation governing NPD (NPD Legislation), to be enforced by an NPD authority (NPDA) and lays down key principles to be incorporated in the NPD Legislation. This is a distinctive move given that at present most other nations, including the European Union, have focused primarily on regulating the flow of NPD between countries. The NPD Legislation would be one of the first to govern the collection and processing of NPD within a jurisdiction.

We have briefly analysed below the key principles and recommendations of the Committee.

Rationale for an NPD Framework

The Report proposes the regulation of NPD on the primary ground that the economic and social value of data is concentrated in the hands of a few companies who have become monopolies in the absence of any regulation. The introduction of an NPD framework is aimed at catalysing data companies such that the welfare of all relevant stakeholders is maximised. In recognising this value of NPD, the Report states that the lack of regulation denies both individual citizens and communities the benefits that they can derive from such data, and also gives rise to a risk of collective harm from misuse. The Committee believes that a balanced regulation for NPD will spur improved service delivery, innovation and research by both public and private sector entities, while specifically benefitting the Indian start-up ecosystem.

Definition and classification of NPD

The Committee defines NPD as data that either (i) never related to an identified or identifiable natural person; or (ii) is sourced from personal data (PD), as defined under the Personal Data Protection Bill, 2019 (PDP Bill), i.e. it is data which was initially personal but was later aggregated and made anonymous. However, the Committee has recognised that anonymised data has the potential to be re-identified. Certain data aggregation processes may also result in data being continuously anonymised and re-identified, and it is therefore unclear how such data will be treated under the proposed framework.

Based on this definition, the Committee has broadly categorised NPD into the following:

  • Public NPD – collected or generated by the government or in the course of publicly funded work and excluding data that is treated confidentially under any law, such as anonymised land records and vehicle registration data.
  • Private NPD – collected or produced by persons or entities other than governments, the source or subject of which relates to assets and processes that are privately-owned, and includes derived/inferred data that result from private effort, insights involving application of algorithms or proprietary knowledge, and data included in a global dataset pertaining to non-Indians which is collected in foreign jurisdictions. This would therefore include any and all data that is collected by private entities that is not Community NPD.
  • Community NPD – whose source or subject is a community, i.e. a group of people that are bound by common interests and purposes and involved in social/economic interactions, including entirely virtual communities. This may include data collected by the municipal corporations, public electric utilities, and private players like telecom, e-commerce, and ride-hailing companies.

Community NPD is a concept introduced by the Committee that does not presently find place in equivalent global legislations.

Community NPD also specifically excludes Private NPD. The Report clarifies that raw data collected by private entities from a community would constitute Community NPD, while inferred or derived data would constitute Private NPD. However, Community NPD appears to overlap both with Public NPD and Private NPD. For instance, the Report states that Community NPD includes data collected by municipal bodies, which would also clearly fall within the definition of Public NPD. Similarly, many NPD data sets relating to groups of customers, including from virtual communities (such as social media users), form part of Community NPD. The baseline definition of these three fundamental concepts is itself confusing under the Report.

Further, the definition of Private NPD includes data in a global dataset pertaining to non-Indians which is collected in foreign jurisdictions. Inclusion of non-Indian data does not align with the stated objectives of the Report.

Sensitive NPD

Given that sensitive or personal information can lead to collective privacy harms, even in the form of NPD, the Committee has defined a new concept of Sensitive NPD, which is NPD that may relate to (i) national security or strategic interests such as vital infrastructure; (ii) business sensitive or confidential information; or (iii) anonymised data, that bears a risk of re-identification.

With respect to anonymised data, the Committee has recommended that all NPD that is derived from sensitive personal data (SPD), as defined under the PDP Bill, should inherit the sensitivity of the underlying SPD. However, unlike the increased compliances for SPD under the PDP Bill, the Committee has provided no information as to the additional measures to be taken to protect Sensitive NPD, aside from certain cross-border transfer restrictions.

Further, such a principle is only beneficial in cases where the underlying data can be clearly categorised as SPD, such as health data. In this respect, the classification of NPD as sensitive should not solely rely on the presence of underlying SPD, given that even NPD that has no underlying SPD datasets may also be considered sensitive. For instance, a dataset containing information regarding potential COVID-19 risk areas in a city could be created by layering non-sensitive datasets of the address and travel history of persons in a city. Such a dataset is likely to be considered Sensitive NPD even though neither of the underlying datasets constitutes SPD.

Consent for Anonymised Data

Recognising the risk of anonymised data being de-anonymised, the Committee has sought to protect individuals from any harm arising out of such re-identification. The Committee has recommended that appropriate standards of anonymisation be defined to prevent or minimize the risks of re-identification, and has laid down recommended anonymisation processes that may be followed. It is important that such standards be harmonised with those notified under the PDP Bill, to ensure conformity between the two regimes. Further, the Committee has recommended that any PD that is being anonymised should continue to be viewed as NPD of the provider of such information. The individual should therefore be required to provide consent for the anonymisation of the PD and the subsequent use of the resulting anonymised data. This consent can be obtained at the time of collection of the PD under the PDP Bill.
