UPDATE ON THE REPORT ON THE NON-PERSONAL DATA GOVERNANCE FRAMEWORK
The Ministry of Electronics & Information Technology (MEITY) had issued an Office Memorandum No. 24(4) / 2019-CLES dated 13 September 2019 to form an eightmember committee (Committee) to deliberate on the data governance framework. The main objective of the Committee was to study various issues relating to Non-Personal Data (Non-Personal Data) and to make specific suggestions for the consideration of the Central Government on regulation of the Non-Personal Data. The Committee released its Report (Report) for public consultation and feedback and has set a deadline of 13 August 2020 for comments from the public.
A summary of the key recommendations of the Committee:
1. Defining Non-Personal Data:
The Committee has defined three categories of Non-Personal Data:
- Public Non-Personal Data
- Community Non-Personal Data
- Private Non-Personal Data
The Committee has also defined a new concept of “Sensitivity of Non-Personal Data”, considering the data could be sensitive from a national security, strategic interest and business perspective. Further, the Committee has recommended that the data principal should provide consent for anonymization and usage of the anonymized data while providing consent for collection and usage of his/her personal data and that appropriate standards of anonymization should be defined in order to prevent/minimize the risks of re-identification
2. Defining key Non-Personal Data roles:
The Committee has also listed down the roles of the key stakeholders within the Non-Personal Data framework being the data principal, data custodian and data trustee and an institutional form of data infrastructures, namely a data trust.
The Committee has referred to the fact that all the Non-Personal Data collected in/from India or by Indian entities would be subjected to Indian laws, rules and regulations.
4. Defining a “Data Business”:
Since organizations are deriving new or additional economic value from data, by collecting, storing, processing, and managing the data, the Committee has recommended that a new category/taxonomy of business called “Data Business” (Data Business) needs to be created that would meet certain data threshold criteria. The Committee has suggested that such Data Business is to be registered which would again, be subject to certain data-related threshold criteria and this would be applicable to commercial organizations, governments and other nongovernment organizations as well, that collect, process or otherwise manage the data. Further, the Committee has also recommended that Data Businesses shall provide, within India, open access to metadata, i.e., the data that provides information about the other data and also provide a regulated access to the underlying data. Accordingly, metadata about the data that is being collected, stored and processed by Data Businesses, shall be stored digitally in meta-data directories in India and any Indian citizen or India based organization would have open access within India to the meta-data of the data collected by different Data Businesses and the government. The objective being, potential users may identify opportunities for combining the data from multiple Data Businesses and/or government to develop innovative solutions, products and services.
5. Defining data-sharing purpose:
The Committee has identified three purposes for which Non-Personal Data may be shared with companies, policy and research organizations and the government, i.e.,
- Sovereign purposes: Data may be requested for security, legal, law enforcement and regulatory purposes;
- Core public interest purposes: Data may be requested for community usage/benefits or public goods, research and innovation, for better delivery of public services, policy development, etc.
- Economic purposes: Data may be requested for the economic welfare purposes – in order to encourage competition and provide a level playing field in any sector, including in the start-up sector.
6. Defining data-sharing mechanisms and checks and balances:
The Committee has recommended that an appropriate data-sharing mechanism for sharing public, community and private data needs to be established. Additionally, the Committee has recommended that the government should make improvements on the existing open government data initiatives and should ensure that high-quality public nonpersonal datasets are available. Further, with respect to checks and balances, the Committee has recommended that factors such as locations, tools, compliance with the terms of the contract entered between the cloud provider and Data Businesses are required to be maintained in order to ensure appropriate implementation of the rules and regulations with respect to datasharing
7. Defining a Non-Personal Data Authority:
The Committee has recommended that a separate Non-Personal Data Authority be created which possesses specialized knowledge on the data governance, technology, etc. The Committee has also recommended defining the role of the authority, i.e., i. Enabling role: To ensure that the data is shared for sovereign, social welfare, economic welfare and regulatory and competition purposes. ii. Enforcing role: To ensure that, all the stakeholders follow the rules and regulations laid and provide data appropriately when legitimate data requests are made, etc. Further, it is suggested that the Non-Personal Data Authority should work in consultation with the Data Protection Authority (DPA), Competition Commission of India (CCI) and other sector regulators, as appropriate, so that the issues around data-sharing, competition, re-identification of anonymized personal data or collective privacy are harmoniously dealt with.
Thus, the Committee has recommended that the proposed Non-Personal Data governance framework becomes the basis of a new legislation for regulating the Non-Personal Data. Further, the Committee has also recommended that the proposed Non-Personal Data governance framework and the roles of the proposed Non-Personal Data Authority would need to be aligned and harmonized with other relevant laws and roles of the other authorities respectively.