Proposed Non-Personal Data Rules: The overview (Part I)

The internet era promised us connectivity and decentralization of power. It kept its first promise, but miserably failed at the latter. Contrary to the promise of decentralization of power, a few organizations have grown heaps and bounds and have become more powerful than even governments. The resource which gives them this power is immeasurable amounts of “Data”. Tech giants like Facebook, Google, and Amazon have benefitted from moving first. They use the data that they collect for developing disruptive technologies like Artificial Intelligence and machine learning. They understand the behavior and demands of their customers better than their competitors. Thus, they are able to cater to them accordingly. These organisations enjoy a global oligopoly. To effectively counter this oligopoly, an expert committee formed by the Meity has moved a “Report of the Committee of Experts on Non-Personal Data”. So what are the proposed non-personal data rules all about?

Why is there an effort to regulate non-personal data?

This centralization of monetary and informational power that several tech giants enjoy has become a crucial concern across the world. It plays against healthy market competition and is a danger to new startups. It is this issue along with the concerns related to anonymization of personal data, that has triggered a legislative response. In this article we will understand the suggestions made by the committee in the report. We’ll also have a look at measures that the Indian government is planning next to curb this global data monopolization and facilitate a healthy market for Indian startups, and other organizations which can further facilitate India’s goal of biggest economy of the world.

What does the report say?

The report has rightly recognized the value of effective and efficient sharing of data including metadata, for the uplifting Indian businesses. Non-personal data can be highly beneficial for businesses. They can help to study a class of people with similar thoughts or preferences and base their decisions on their learning from the data. It also helps the businesses to respond to area wise demand. It can also tell a lot about what a business’s focused audience or customers expect from that business. E.g. General shopping patterns, customer demographics [age, gender, and location], Onsite traffic metrics.

The stand on data sharing

The report specifically focuses on the sharing of non-personal data. To ensure healthy market competition in the data economy, the report suggests open access of non-personal data to Indian startups and entities through the structure of ‘data trusts’. In order to understand the structure of data trusts and data ecosystems, as suggested under this report, we need to know a bit about non-personal data.

Non-Personal Data: Definition and Types

Non personal data includes elements of information which do not aid the identification of any natural person. In simple words, any dataset or information which does not disclose the identity of any natural person, to whom such data belongs, will be considered as non-personal data.

This data can be crucial for the betterment of services that businesses offer, as also mentioned earlier. The most basic category of non-personal data is anonymized and aggregated data. Anonymization is a process through which personal datasets are irreversibly [take it with a punch of salt!] converted in a manner that the natural persons cannot be identified directly or indirectly. Other categories of non-personal data include data collected from IoTs and sensors, weather data, etc.

The report divides non personal-data into three categories:

1. Public non-personal data,
2. Community non-personal data and
3. Private non-personal data.

We can further divide the last category into general and sensitive non-personal data.

Data Trust

Data trusts, as envisaged by the committee, are institutional structures which will maintain datasets from multiple sources (including metadata) and their stewardship. The report suggests that these institutions will be governed by certain rules and protocols for the maintenance and sharing of data. The functioning of these institutional structures will be supervised by appointed public servants. To make this structure work, the report proposes active collaboration with various stakeholders of a non-personal data ecosystem namely; data principal, data custodian, data trustee and beneficiaries. This structure resembles a normal trust.

Parties to a Data Trust

In a data trust, who will be who? According to the report, ‘data principle’ would be the individual, organization or community to whom such non personal data belongs. This concept is similar to the concept of data principle under the Personal Data Protection Bill (PDP), 2019. ‘Data custodians’ would be individuals or organisations who collect, store, use or process data, similar to data fiduciaries under PDP Bill. Data Trustees will be the stewards of a data trust. This authority will remain with the data principal group/community. E.g. The Ministry of Health and Family Welfare can play the role of a trustee for datasets on diabetes. The report suggests that in certain cases, mandatory data sharing should be done in order to open up the competition. It also says that the roles and requirements should be governed by non-personal data rules and regulation and by a new regulator, ‘non-personal data authority’.

Data Businesses

The report suggests creation of a new horizontal category of businesses namely data businesses. Data businesses need not centrally focus on data or information technology. Rather it can be any organization like hospitals, banks, financial institutions, public sector businesses or NGOs etc., who are collecting data beyond a threshold level. However, the report does explain the threshold to decide whether a business is a data business or not. The report suggests registration of data businesses and also proposes a model for the registration of data businesses.

In addition to this data, businesses will be required to share their non-personal data and metadata. They will need to be transparent about the nature of data they are collecting, processing and using and also about purposes for the processing of such data. This pharma and food processing industries already maintain this type of transparency with regard to non-personal data. It also proposes the creation of metadata directories and their availability across the India.

Specified Purpose for Sharing of Non-Personal Data

According to the report, data can be shared or given to the departments of Indian government, citizens, startups, companies, universities, research labs, NGOs, etc., upon request, for a specific purpose. The purposes for such data sharing may include a sovereign purpose (national security and legal purposes), core public interest purpose, and economic purpose (encouraging competition). It also proposes a data sharing mechanism on public, community and private levels.

The Government has asked for suggestions from the public on the solution proposed under this report to Meity.

In this article, we have briefly covered an overview of this report. In upcoming articles of this series, we will analyze the issues that the report on non-personal data rules intends to address in detail. We will also and analyze whether the proposed solutions are the best way to resolve the issues than an oligopolistic market poses.

Do subscribe to our Telegram channel for more resources and discussions on tech-law. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.

You can also follow us on Instagram, Facebook, LinkedIn, and Twitter for frequent updates and news flashes about #technologylaw.