The Ministry of Electronics & Information Technology (MeitY) constituted a Committee of Experts (Committee) in September 2019, to deliberate and devise a framework for governing non-personal data (NPD). This Committee released an initial report (Initial Report) for public consultation in July 2020, which proposed the introduction of legislation governing NPD (NPD Legislation), to be enforced by an NPD authority (NPDA) and laid down key principles to be incorporated in the NPD Legislation.
On the basis of over 1500 representations and submissions from industry bodies, companies, civil society and independent experts, the Committee has released a revised report (Revised Report) which modifies the previous framework and addresses several issues raised with respect to the Initial Report. Notably, the Revised Report aims to provide more clarity on the definition of NPD and its categorisation, attempts to delineate the difference in the governance of personal data (PD) and NPD, streamlines the data sharing purposes that are subject to regulation and modifies the data sharing mechanism. Public submissions on the Revised Report are being accepted till 27 January 2021.
We have briefly analysed the key recommendations of the Committee, while also highlighting key changes made from the Initial Report.
The objectives laid down by the Committee in the Revised Report remain unchanged from those set out in the Initial Report, with the regulation of NPD being considered necessary to (i) generate economic, social and public value from the use of NPD for its citizens and communities; (ii) incentivize innovation and creation of new products/services in India and encourage start-ups; and (iii) address privacy concerns from processing NPD and to examine the concept of collective privacy.
The Committee has retained the broad definition of NPD in the Initial Report, which defines NPD as data that either (i) never related to an identified or identifiable natural person; or (ii) is sourced from PD, as defined under the Personal Data Protection Bill, 2019 (PDP Bill), i.e. data which was initially personal but was later aggregated and made anonymous.
The Initial Report had categorised NPD into three distinct categories i.e. Public, Private and Community NPD, with each category having distinct ownership rights. While the Revised Report has done away with this explicit categorisation, the underlying concepts of Public, Private and Community Data have been retained in the Revised Report.
Notably, the scope of Private NPD still includes data that is in a global dataset and is collected in foreign jurisdictions. Although sharing this data for High Value Datasets (HVDs) appears to be exempt, no further clarity is given on how the Revised Report applies to this data. This is likely to have an adverse impact on outsourcing into India.
The Initial Report had created additional categories of NPD classified as ‘Sensitive NPD’ or ‘Critical NPD’, which would inherit the sensitivity of the underlying category of PD from which it is derived. The location where NPD was to be stored was required to follow the localisation requirements for the corresponding PD under the PDP Bill, with a copy of all Sensitive NPD being stored in India, and all Critical NPD being stored only in India. The Initial Report had also added certain other grounds on which NPD may be classified as sensitive, such as (i) national security or strategic interests such as vital infrastructure; (ii) business sensitivity or confidentiality; and (iii) risk of collective harm.
The Revised Report does not create such an explicit classification but instead states that NPD that forms a part of an HVD would inherit the sensitivity of the underlying PD for the purposes of complying with the corresponding localisation requirements. It does not base the sensitivity classification on subjective factors such as national security, strategic interest, or risk of collective harm. Unlike the Initial Report, the Revised Report does not discuss the treatment of NPD derived from underlying critical PD (as defined under the PDP Bill), and it is unclear whether such NPD would also be subject to corresponding localisation requirements.
The Initial Report had several ambiguities in relation to how NPD and PD were to be separately governed by the proposed legislation on NPD and the PDP Bill respectively. Any PD that has been anonymized becomes NPD that automatically falls outside the purview of the PDP Bill. However, there is a potential for overlap between these two regimes, given that anonymised PD which is classified as NPD has the potential to be re-identified, thereby making it PD. The Initial Report recognised this risk and recommended that appropriate standards of anonymisation be defined to prevent or minimize the risks of re-identification. The custodians are also required to obtain consent for the anonymisation of the PD and the subsequent use of the anonymised data.
The Revised Report introduces several clarifications to the Initial Report that seek to harmonise the PD and NPD regimes, with respect to regulation of data, prescribed operational standards and thresholds, as well as specific amendments to avoid overlaps. Firstly, it clarifies that any NPD that may be re-identified in any manner would once again be governed by the PDP Bill. On this basis, the Revised Report also goes on to recommend specific amendments to be made to the PDP Bill to ensure that there is no overlap in regulation. The Revised Report also clarifies that where a dataset contains inextricably linked PD and NPD, it would be governed under the PDP Bill. The Revised Report goes on to recommend that the standards of anonymisation under the NPD framework be harmonised with those prescribed under the PDP Bill to ensure standard practices can be followed by all data collection entities.
With respect to consent for anonymisation of data, the Revised Report has diluted the explicit consent requirement under the Initial Report. The Committee has now suggested that Data Principals be notified of anonymisation, and that they would be able to exercise control in the form of an opt-out to anonymisation. Such an opt-out would function prospectively, and would not impact any past anonymisation carried out before the exercise of the opt-out. However, where such data has not already been anonymised, they can withdraw their consent for any future anonymisation.