Revised Report by the Committee of Experts on Non-Personal Data Governance Framework

08 Jan 2021

The revised Report introduces key changes to the proposed non-personal data framework including harmonising the legal framework applicable to personal and non-personal data, streamlining data sharing purposes, conceptualising high-value datasets, and modifying the data sharing mechanisms.

The Ministry of Electronics & Information Technology (MeitY) constituted a Committee of Experts (Committee) in September 2019, to deliberate and devise a framework for governing non-personal data (NPD). This Committee released an initial report (Initial Report) for public consultation in July 2020, which proposed the introduction of legislation governing NPD (NPD Legislation), to be enforced by an NPD authority (NPDA) and laid down key principles to be incorporated in the NPD Legislation.

On the basis of over 1500 representations and submissions from industry bodies, companies, civil society and independent experts, the Committee has released a revised report (Revised Report) which modifies the previous framework and addresses several issues raised with respect to the Initial Report. Notably, the Revised Report aims to provide more clarity on the definition of NPD and its categorisation, attempts to delineate the difference in the governance of personal data (PD) and NPD, streamlines the data sharing purposes that are subject to regulation and modifies the data sharing mechanism. Public submissions on the Revised Report are being accepted till 27 January 2021.

We have briefly analysed the key recommendations of the Committee, while also highlighting key changes made from the Initial Report.

Objectives

The objectives laid down by the Committee in the Revised Report remain unchanged from those set out in the Initial Report, with the regulation of NPD being considered necessary to (i) generate economic, social and public value from the use of NPD for its citizens and communities; (ii) incentivize innovation and creation of new products/services in India and encourage start-ups; and (iii) address privacy concerns from processing NPD and to examine the concept of collective privacy.

Definition of NPD

The Committee has retained the broad definition of NPD in the Initial Report, which defines NPD as data that either (i) never related to an identified or identifiable natural person; or (ii) is sourced from PD, as defined under the Personal Data Protection Bill, 2019 (PDP Bill), i.e. data which was initially personal but was later aggregated and made anonymous.

The Initial Report had categorised NPD into three distinct categories i.e. Public, Private and Community NPD, with each category having distinct ownership rights. While the Revised Report has done away with this explicit categorisation, the underlying concepts of Public, Private and Community Data have been retained in the Revised Report.

Notably, the scope of Private NPD still includes data that forms part of a global dataset and is collected in foreign jurisdictions. Although sharing this data for High Value Datasets (HVDs) appears to be exempt, no further clarity is given on how the Revised Report applies to this data. This is likely to have an adverse impact on outsourcing into India.

Sensitivity and Localisation of NPD

The Initial Report had created additional categories of NPD classified as ‘Sensitive NPD’ or ‘Critical NPD’, which would inherit the sensitivity of the underlying category of PD from which it is derived. The location where NPD was to be stored was required to follow the localisation requirements for the corresponding PD under the PDP Bill, with a copy of all Sensitive NPD being stored in India, and all Critical NPD being stored only in India. The Initial Report had also added certain other grounds on which NPD may be classified as sensitive, such as (i) national security or strategic interests such as vital infrastructure; (ii) business sensitivity or confidentiality; and (iii) risk of collective harm.

The Revised Report does not create such an explicit classification but instead states that NPD that forms a part of an HVD would inherit the sensitivity of the underlying PD for the purposes of complying with the corresponding localisation requirements. It does not base the sensitivity classification on subjective factors such as national security, strategic interest, or risk of collective harm. Unlike the Initial Report, the Revised Report does not discuss the treatment of NPD derived from underlying critical PD (as defined under the PDP Bill), and it is unclear whether such NPD would also be subject to corresponding localisation requirements.

Regulation of PD and NPD

The Initial Report had several ambiguities in relation to how NPD and PD were to be separately governed by the proposed legislation on NPD and the PDP Bill respectively. Any PD that has been anonymized becomes NPD that automatically falls outside the purview of the PDP Bill. However, there is a potential for overlap between these two regimes, given that anonymised PD which is classified as NPD has the potential to be re-identified, thereby making it PD. The Initial Report recognised this risk and recommended that appropriate standards of anonymisation be defined to prevent or minimize the risks of re-identification. The custodians are also required to obtain consent for the anonymisation of the PD and the subsequent use of the anonymised data.

The Revised Report introduces several clarifications to the Initial Report that seek to harmonise the PD and NPD regimes, with respect to regulation of data, prescribed operational standards and thresholds, as well as specific amendments to avoid overlaps. Firstly, it clarifies that any NPD that may be re-identified in any manner would once again be governed by the PDP Bill. On this basis, the Revised Report also goes on to recommend specific amendments to be made to the PDP Bill to ensure that there is no overlap in regulation. The Revised Report also clarifies that where a dataset contains inextricably linked PD and NPD, it would be governed under the PDP Bill. The Revised Report goes on to recommend that the standards of anonymisation under the NPD framework be harmonised with those prescribed under the PDP Bill to ensure standard practices can be followed by all data collection entities.

With respect to consent for anonymisation of data, the Revised Report has diluted the explicit consent requirement under the Initial Report. The Committee has now suggested that Data Principals be notified of anonymisation, and that they would be able to exercise control in the form of an opt-out to anonymisation. Such an opt-out would function prospectively, and would not impact any past anonymisation carried out before the exercise of the opt-out. However, where such data has not already been anonymised, they can withdraw their consent for any future anonymisation.
