Protection of Non-Personal Data: A Legal Perspective


Introduction
With the introduction of the PDP Bill in Parliament, India may soon get its Personal Protection Law. While the personal data of individuals is protected by privacy laws in different legislations in India, there is currently no law to regulate Non-Personal Data. A Committee was formed by the Ministry of Electronics and Information Technology (MeitY) to make suggestions on the regulation of non-personal data. The Committee was led by the co-founder of Infosys, Kris Gopalakrishnan. The Committee released its first report on July 12, 2020 (‘Old Report’), and the revised report was released in December 2020 (‘New Report’). The report aims to make pivotal recommendations that act as a substantial basis for India’s data protection regime.
What is the role of Data?
Data is a valuable resource for any individual, corporation, or government. Access to data helps in informed decision-making. Data can either be standalone individual data, such as the financial details of clients available with banking institutions, or be at the level of a community, such as data created by recording and storing information about the movement of vehicles at an intersection or data generated by climatic conditions. Data can be used for analytical, statistical, business and security purposes. The unprecedented explosion in the volume of data creates as much a threat of its misuse as it creates opportunities for its utilization in policy making. Business models of companies are increasingly centred around data. Targeted advertisements, personalized recommendations, and data strategies as a means for corporations to attain competitive advantage are some of the ways in which value has been attached to data. As much as these mechanisms are beneficial to the companies, the importance of ownership of data must not be undermined.
What is the need to come up with a regulatory regime for Non-Personal Data?
India is likely to become one of the largest sources of commercially useful data in the world. In just three years since 2014, monthly data usage in the country has increased fifteen times, as smartphones and mobile internet became cheaper and faster. At the end of 2014, the average monthly data consumption was only 0.26GB per person, which increased to over 4GB at the end of 2017. Greater internet usage means generation of more data and therefore, greater requirement to prioritize privacy, consumer protection and regulate flow of data for leveraging it to benefit the domestic economy.
Data acts as digital capital (granting data the status of ‘capital’ at par with the financial capital of a corporation) and has come to be reckoned as one that matters no less than intellectual property or industrial capital (funds). Greater access to data provides greater digital capital to a corporation, granting it an advantage over its competitors. A handful of companies today dominate the digital economy. They are successfully exploiting the significant first mover’s advantage in the data-driven ecosystem. Without access to adequate data, MSMEs and start-ups remain at a disadvantage in developing many innovative solutions. With a view to streamlining access to data while protecting the privacy of users, steps are being taken to regulate non-personal data in India.
What is Non-Personal Data?
Non-personal data is defined as data which is not personal data as per the Personal Data Protection Bill (PDP), 2019 or data without any personally identifiable information. The PDP Bill defines personal data to include data about characteristics, traits, or attributes of identity, which can be used to identify an individual. In terms of origin, non-personal data can be data which was never related to natural persons (such as data on weather or supply chains), or data which was initially personal data but has been anonymised (through the use of certain techniques to ensure that the individuals to whom the data relates cannot be identified).
What are the benefits flowing through the regulations?
The Committee believes that the policy / regulation will lead to the following benefits:
Realizing economic value from use of non-personal data. To generate economic benefits for citizens and communities in India and unlock the potential of social / public / economic value of data.
The benefits accruing from processing non-personal data should accrue not only to the organizations that collect such data, but also to India and the community that typically produces the data that is being captured.
Creating incentives for innovation and new products / services and start-ups in India.
Addressing privacy concerns, including from re-identification of anonymised personal data, preventing collective harms arising from processing of non-personal data.
What are the categories of Non-Personal data?
In the new report, the classification of non-personal data is excluded. The first report provided for classification of data into the following categories:
Public Non-Personal Data: It means Non-Personal Data collected or generated by the governments, or by any agency of the governments, and includes data collected or generated in the course of execution of all publicly funded works. It includes anonymised data of land records, public health information, vehicle registration data, etc. All Non-Personal Data collected or generated by the Government where such data is explicitly afforded confidential treatment under a law, shall not constitute Public Non-Personal Data.
Community Non-Personal Data: It means Non-Personal Data, including anonymised personal data, and non-personal data about inanimate and animate things or phenomena – whether natural, social or artefactual, whose source or subject pertains to a community of natural persons, excluding Private Non-Personal Data. It includes datasets collected by the municipal corporations and public electric utilities, datasets comprising user-information collected even by private players like telecom, e-commerce, ride-hailing companies, etc.
Private Non-Personal Data: It means Non-Personal Data collected or produced by persons or entities other than the governments, the source or subject of which relates to assets and processes that are privately-owned by such person or entity and includes those aspects of derived and observed data that result from private effort. It includes inferred or derived data / insights involving application of algorithms, proprietary knowledge, etc.
What are the Key Features in the revised report?
Overlap of NPD Framework with the PDP Bill: The Committee in the new report suggested deleting Clause 91 of the PDP Bill to ensure that it does not regulate NPD. It is recommended that such deletion is necessary to ensure that the PDP Bill and the NPD framework are mutually exclusive, yet harmoniously constructed.
Consent for anonymisation of personal data: The Committee considered that large collections of anonymised data can be de-anonymised, especially when using multiple Non-Personal Data sets. Thus, considering this risk, the Committee realised that the individual (data principal) needs more protection. Therefore, the Committee recommends that data collectors, at the time of collecting personal data, should provide a notice and offer the data principal the option to opt out of data anonymisation.
Data businesses: It has been recommended to create a new category / taxonomy of business called ‘Data Business’ that collects, processes, stores, or otherwise manages data, and meets certain threshold criteria. Data Business is a horizontal classification and not an independent industry sector. Many existing businesses in various sectors, collecting data beyond a threshold level, will get categorized as a Data Business. Data Businesses will provide, within India, open access to meta-data and regulated access to the underlying data. The compliance process will be light-weight and fully digital. Data Businesses will be required to disclose the data elements collected, stored and processed, and the data-based services offered. The report also sets out certain compliance requirements which are to be followed by Data Businesses.
Access to meta-data of Data Businesses: The Committee strongly believes that meta-data sharing by Data Businesses will spur innovation at an unprecedented scale in the country. One of the associated key objectives is to promote and encourage the development of domestic industry and start-ups that can scale their data-based businesses. For example, automobile companies may collect data about roads through various sensors. A start-up will know that this data is available based on the meta-data provided by automobile companies. The start-up can request access to this data and can combine it with public traffic data to create a solution for the safest road routes for senior citizens.
Rights over Non-Personal Data: The rights over non-personal data include:
Right to derive economic and other value and maximising data’s benefits for the community and
Right to eliminating or minimizing harms from the data to the community.
Who will exercise these rights over Non-Personal Data?
In case of personal data, the rights are exercised by the data principal. However, in case of non-personal data, once the personal data is anonymised or in case the data pertains to things other than a person (such as machine, natural phenomenon, etc.), there is no data principal associated. The Committee recognises that, in the absence of a data principal for non-personal data, a community can exercise these rights over non-personal data.
Key Roles in the Non-Personal Data Ecosystem:
In order to provide institutionalized mechanisms for the community to exercise these rights, the Committee recommends the creation of:
Defined roles such as data custodian and data processor;
High-value Datasets (HVDs)
A new role, data trustee, to exercise the rights of the community over non-personal data collected in these HVDs;
NPD Authority, to govern the rules and regulations on non-personal data.
Data Processor: A data processor means a company that processes Non-Personal Data on behalf of a data custodian.
Data Custodian: The data custodian is an entity that undertakes the collection, storage, processing, use, etc. of data. Typically, it is the data custodian that has a relationship with the consumer from whom data is collected. The data custodian has an obligation / responsibility to share appropriate NPD when data requests are made for defined data sharing purposes.
High-value Datasets (HVD) and Data Trustee: An HVD is a dataset that is beneficial to the community at large and shared as a public good, subject to certain guidelines pertaining to the management of an HVD and data sharing. The Committee has defined a data trustee as an organization, either a Government organization or a non-profit Private organization (Section 8 company / Society / Trust), that is responsible for the creation, maintenance, and data-sharing of High-value Datasets in India. Data Trustees have a responsibility towards responsible 'data stewardship' and a 'duty of care' to the concerned community in relation to handling NPD related to it. Further, the Revised Report also imposes the following obligations on a Data Trustee:
A Data Trustee has to ensure that the HVDs are used only in the interests of the community.
A Data Trustee has a responsibility to ensure that no harm to persons / groups of persons occurs through their re-identification from NPD.
A Data Trustee is obligated to establish grievance redressal mechanisms so that the community can raise grievances.
Classification/creation of HVDs: The Committee proposes a process for creation of HVDs:
An HVD is a dataset that is a public-good and benefits the community at large.
In consultation with the NPDA, a Government or non-profit private organization (like an industry body, community body) in its role as a data trustee may request for a creation of an HVD.
The NPDA will set detailed guidelines to determine appropriateness of the chosen HVD and data trustee (in terms of dataset, objectives, size, actors involved etc.)
Non-Personal Data Authority: Non-Personal Data Authority will be established for putting in place the framework for the governance of non-personal data. The Authority will be responsible for framing guidelines concerning data sharing and risks associated with non-personal data. The Authority will adjudicate in cases where data custodian refuses to share a high-value dataset with the data trustee.
Sharing of non-personal data: The Committee recommended that data trustees share high-value datasets with public and private organisations (registered in India) for public good purposes. Public good purposes include community uses, research and innovation, policy development, and better delivery of public services. For sharing high-value datasets, certain reasonable charges may be paid to the data custodian towards the processing of data such as anonymisation, aggregation, and sharing. Data trustees may also levy a nominal charge to the data requesters towards data infrastructure and processing.
For Sovereign Purpose: The latest Report suggests that data may be requested for national security, law enforcement, legal or regulatory purposes. Regulations already exist in India which address the sharing of data for sovereign purposes. This framework only reiterates the need for such data sharing and does not propose anything new or additional. A few non-exhaustive examples have been included in the report, such as:
Data requested for mapping security vulnerabilities and challenges, including people's security, physical infrastructure security and cyber security.
Data required for crime mapping, devising anticipation and preventive measures, and for investigations and law enforcement.
Data required for pandemic mapping, prediction and prevention, and also subsequent interventions.
Data required by a regulator to understand and keep abreast of developments in a sector with regard to need for regulatory interventions.
For Public Good Purpose: Data may be requested for community uses / benefits or public goods, research and innovation, for policy development, better delivery of public services.
For Business Purpose: The Report has clarified that such data sharing exists between two private entities, and the Committee does not make any recommendations on this. Sharing of data for business-related purposes will be outside the scope of the NPD framework.
Exemptions to Data Sharing: The Revised Report has clarified that the following NPD will not form part of mandatory sharing requirements under the NPD framework:
Data sharing that would involve access to private companies' trade secrets or other proprietary information regarding their employees / internal processes and productivity data.
Data sharing that would likely result in violating the privacy of individuals, groups, or communities.
Sharing of datasets to create HVDs: The Committee suggests the granularity of non-personal data that is to be collected for creating an HVD and lays out a process for sharing HVDs. As per the New Report, complete raw/factual/transactional level datasets will not be collected from both public and private sources for creating HVDs. Only specific subsets of data may be collected. Private inferred data of private companies will not be collected for creation of HVDs. There will be no restriction on collection of aggregate data.
Legal Analysis of the NPD Framework: The Committee did a legal analysis of the proposed NPD Governance Framework from the perspective of Property Law, Copyright Law, Trade Secrets Law, the IT Act 2000, Competition Law and the Indian Constitution. Indian property law has not recognised a property right (akin to ownership of land or goods) over data and there are no statutory protections in this regard. However, certain rights – in the nature of proprietary rights – have conventionally been derived from two sources: copyright and trade secrets law. As per the Committee's recommendations, data sharing may be mandated only for designated high-value datasets, where the fields for data to be shared are also pre-determined (which are expected to be a subset of the fields in the original database) and are relatively straightforward. If the extraction is done per given pre-set fields, such extraction would not violate the database design copyright.
Community right over NPD: The NPD Committee has identified five key principles to ascertain community rights over data: (i) a community’s right over resources associated collectively with it; (ii) consent of the community for use of such resources; (iii) benefit sharing with the community; (iv) transparency in recording community resources to prevent misuse and enable easy access of the legitimate kind; and (v) community’s participation in governance of community resources.
Conclusion:
In the era of Industrial Revolution 4.0, economic development is based on data which is generated, stored, transmitted, or processed in large volumes. The increasing importance of data warrants treating it at par with other resources on which a country would have sovereign right. It is said that data is the new oil. Therefore, just like oil or any other natural resource, it is important to protect data, prevent its misuse, regulate the use and processing of data and address the concerns related to privacy and security. It is important to develop a framework for Non-Personal Data to better understand the uses and benefits of data and its value. Data is treated as an asset and monetized directly by trading it or building a service on top of the data, including (i) Treating data as an asset (ii) Activity or usage value of data (iii) Future value of data and (iv) Prudent value of data. The proposed framework is made with a view to be the basis for the government to come up with a new legislation to regulate non-personal data.
About the Author: Gurleen Kaur is an Associate at Seraphic Advisors, Advocates & Solicitors in New Delhi.
