Contributed by: Samvad Partners
Introduction
The Ministry of Electronics & Information Technology, constituted a Committee of Experts in September, 2019 (“Committee”) to deliberate on a data governance framework for non-personal data. The Committee, through its report dated 12th July, 2020 (“Report”) recommended the introduction of a separate legislation to regulate non-personal data in India and outlined a governance framework for the same. The stated objective of the Report is to enable a data-sharing framework to maximise the economic, social and public value of data while addressing the concerns of harm arising out of use of such data, such as privacy violations, and enabling discriminatory or exploitative practises against a community. The proposed legislation would also have a significant impact on most entities and businesses in India, both from a commercial perspective and a compliance perspective.
What is non-personal data?
The Report defines non-personal data (“NPD”) as data that is not defined as ‘Personal Data’ under the proposed Personal Data Protection Bill, 2019 (“PDP Bill”) or data that does not contain any personally identifiable information. In essence, the definition covers two types of data; (i) data that were initially personal data, but were later anonymised, and (ii) data that never related to an identified or identifiable natural person such as data on weather conditions and data from public infrastructures.
The Report further broadly categorises NPD into:
Public NPD, which is collected or generated by the government, and includes data collected or generated in the course of execution of all publicly funded works. However, if such data is explicitly afforded confidential treatment under the law, it shall not constitute Public NPD. Examples of Public NPD would include anonymised data of land records and vehicle registration data.
Private NPD, which consists of data that is collected or produced by persons or entities other than the government, the source or subject of which relates to assets and processes that are privately owned by them. It includes inferred or derived data involving application of proprietary knowledge. Private NPD may also include generative adversarial networks[1] or data in a global dataset that pertains to non-Indians and which is collected in foreign jurisdictions.
Community NPD, which comprises anonymised personal data or NPD about inanimate and animate things or phenomena – whether natural, social or artefactual, the source or subject of which pertains to a community of natural persons. Therefore, datasets comprising user-information collected even by private players like telecom, e-commerce and ride-hailing companies would be categorised as Community NPD. The Report clarifies that this category of data excludes Private NPD. The Report defines ‘a community’ as any group of people that are bound by common interests and purposes, and involved in social and/or economic interactions.
Sensitivity-based categorisation of NPD
The Committee has applied the concept of sensitivity to NPD, based on the following risks such NPD bears: (i) relating to national security or strategic interests; (ii) such NPD being business sensitive or confidential information; (iii) such NPD being anonymised data that bears a risk of re-identification; or (iv) such NPD bearing risk of collective harm to a group. Anonymised data containing health information is an example of Sensitive NPD, as the underlying data (on health) is classified as ‘Sensitive Personal Data’ under the PDP Bill.
Key Roles and stakeholders in the non-personal data ecosystem
A Data Principal, in case of Public NPD and Private NPD, is the entity or individual to whom the data relates. In case of Community NPD, the community to whom the data relates would be the Data Principal. The Committee recommends that the Data Principal should be asked to provide consent upfront at the time of collection of their personal data, for anonymisation and usage of such anonymised data. The anonymised data must continue to be treated as the NPD of that Data Principal given the risk of re-identification.
A Data Custodian, is the entity that collects, stores, processes and uses the NPD. This includes both private and public entities. The Data Custodian must use the data in a manner that is in the ‘best interest’ of the Data Principal. With respect to Community NPD, they have a 'duty of care' to the concerned community in relation to which the NPD has been collected. The parameters to determine what constitutes ‘best interest’ or ‘duty of care’ shall have to be clearly specified in the legislation. It is indicated that the parameters could include anonymisation standards and requirements; protocols for safe data sharing, etc.
A Data Trustee has been defined as the most appropriate representative body through which a particular community can exercise its data rights. The Report does not set out the guidelines on who would constitute the appropriate trustee. It merely indicates that for the majority of community data, the corresponding government entity or community body may act as the Data Trustee. Principles and guidelines regarding who can constitute the appropriate trustee in a given context of group or community data shall be provided for in the legislation. It is unclear as to whether private organizations or non-profit organizations funded by private entities can become Data Trustees.
Data Trusts are institutional structures comprising specific rules and protocols for containing and sharing a given set of data, and can contain pooled data from multiple sources, custodians, etc. that are relevant to a particular sector, and are required for providing a set of digital or data services. Data Custodians may voluntarily share data in these Data Trusts or may be mandatorily required to do so by the government for sector-specific purposes.
Ownership of non-personal data
The Committee has adopted the notion of ‘beneficial ownership/interest’ over NPD, as different stakeholders may have simultaneous ownership rights and privileges over such data. It is proposed that Public NPD is to be treated as a ‘national resource’. For NPD that is derived from the personal data of an individual, that individual will act as the Data Principal. However, it is unclear how this can be established once the data has been anonymised or aggregated. For Community NPD, the rights over such NPD shall vest with the Data Trustee, with the community being the beneficial owner. The Indian regulatory framework will apply to all data collected in or from India or by Indian entities.
Non-Personal Data Protection Authority
To regulate the collection, processing, storage and sharing of NPD, the Committee suggests the constitution of a Non-Personal Data Authority (“NPDA”). It requires the NPDA to play an enforcing role and an enabling role. The NPDA has several roles and functions, inter alia, i) administering the NPD legislation; ii) enabling legitimate data sharing requests and regulating corresponding data sharing arrangements; iii) addressing market failures and supervising the market for NPD; and iv) ensuring a level playing field for all Indian actors to fulfil the objective of maximising Indian data’s value for the Indian economy. The NPDA is required to function harmoniously with the Competition Commission of India, the ‘Data Protection Authority’ under the PDP Bill (“DPA”) and other sectoral regulators.
Data Businesses
The Report suggests the introduction of a new category of businesses called Data Businesses, deriving new or additional economic value from data, by collecting, storing, processing, and managing data. Therefore, companies in any sector including banking or finance, telecom, internet-enabled services, transportation and consumer goods will fall within this category, if they are collecting or processing data beyond a prescribed threshold.
The key legal compliance requirements of such Data Businesses have been discussed below. These requirements shall be in addition to the sectoral regulator’s compliance requirements. The Report also proposes a technical architecture to enable this framework, which hasn’t been addressed in this article.
Registration: Once a company reaches a prescribed data-related threshold, it will be required to register as a data business. For businesses below the threshold, registration is voluntary.
Integration of its raw-data pipes with the NPDA: For submission of raw data upon request as per the regulatory guidelines, it is suggested that Data Businesses should be required to integrate its raw-data pipes with the NPDA within the stipulated timelines.
Disclosures: Data Businesses will have to disclose, a) data elements collected, stored and processed, and data-based services offered; and b) what they do and what data they collect, process and use, in which manner, and for what purposes.
Open access to meta-data: Data Businesses will be required to provide open access within India to its meta-data and regulated access to the underlying data. By looking at the meta-data, potential users may identify opportunities to develop innovative solutions, products and services and/or businesses may identify opportunities for combining data from multiple Data Businesses to develop innovative solutions, products and services. Meta-data refers to the data that describes or summarises the basic information about the underlying data of the Data Business.
Data Sharing requirements and its mechanism
The Committee has identified certain purposes for which NPD may be shared; (i) a sovereign purpose such as national security or legal or regulatory purposes; (ii) public interest such as for policymaking or better delivery of public services; or (iii) economic purposes such as providing fair monetary consideration or encouraging competition and innovation.
The process of data sharing starts with a data request being made to the relevant Data Business (Data Custodian). The data requests may be made for the detailed underlying data of the Data Business. If the Data Custodian refuses the request, the requesting entity can approach the NPDA. The NPDA is empowered to exercise its discretion and request the Data Custodian to share such NPD, if such data sharing gives rise to social, public or economic benefits. The government may also require Data Businesses/Custodians to mandatorily share their NPD for sector-specific purposes, as discussed earlier.
The Committee has recommended that Community NPD or Private NPD which is raw or factual data collected by a private entity, can be requested at no remuneration. The assumption that companies see no value in raw data is misguided given that many businesses invest in significant resources and have proprietary processes in place for collection of such raw or factual data. Private NPD where the processing value add is significant may be shared based on remuneration which is fair, reasonable and non-discriminatory. Companies need not share algorithms and proprietary knowledge under this framework. However, under the Draft E-Commerce Policy, the government may seek disclosure of source codes and algorithms from e-commerce entities to protect against ‘digitally induced biases’ by competitors.
The Report also recommends the following checks and balances:
Data localisation: Sensitive NPD may be transferred outside India, but shall continue to be stored within India. The Critical NPD (as may be notified by the government) can only be stored and processed in India. All other categories of NPD may be stored and processed in any jurisdiction.
Contractual arrangement with cloud service providers to comply with the terms of storage, processing, and usage specified by the NPDA.
Testing and probing tools are to be continuously run on the data in secure clouds and reports generated, auto-submitted by cloud providers and registered organisations to check compliance.
Liability: Organisations that comply thoroughly with the laid-down standards, self-audited digital compliance reports, exhibit good faith and have best-efforts internal processes in-line with the best of industry standards, are to be indemnified against any vulnerability found as long as they swiftly remedy it.
Conclusion
While, the purpose of a regulatory framework for NPD is to unlock the immense potential of social, public and economic value of data, this needs to be balanced with interests that are crucial to competition, such as addressing privacy concerns and protecting proprietary processes or knowledge of businesses. The Report seems to view Community NPD as an asset collectively owned by a community. However, the broad definition of ‘community’ (see above) is likely to create regulatory challenges as multiple groups might be able to claim ownership over a certain data set. Further, many e-commerce platforms rely heavily on contributions or interactions of their ‘community’ of users on such platforms. Ownership of such data is imperative to the competitive edge maintained by such businesses.
The Committee had provided time until 13th August, 2020 to submit feedback on the Report. Several entities, including tech giants such as Google, Facebook and Amazon have pushed back on the governance framework. It has been highlighted that “forced data sharing” with companies including competitors might limit foreign trade and investment in India and would be antithetical to promoting competition.
Further, the NPDA has wide discretionary powers in allowing or disallowing data sharing requests from any entity (from start-ups, large businesses or a competitor) based on the social, public and economic benefits of the NPD. The regulatory framework has to bring in substantial checks and balances to ensure that this discretionary power is exercised in a manner that fosters competition and not deters it. Another major concern raised is the requirement to make NPD available to the government, that could lead to unfettered access and arbitrary exercise of power. It remains to be seen how these concerns will be addressed and whether large businesses will consider moving data to countries where better protection is afforded to proprietary data, subject to the regulatory framework allowing them to do so.
Contributed by Samvad Partners
The above article has been authored by Mr. Siddharth Seshan(Partner), Ms. Lakshmi Kishore(Senior Associate), and Ms. Vaasavi Sashiraman(Associate)
