Non Personal Data regulation – Part I

  • IASbaba
  • July 25, 2020
  • 0
UPSC Articles

ECONOMY/ GOVERNANCE 

Topic: General Studies 2 and 3:

  • Indian Economy and issues relating to planning, mobilization, of resources, growth, development and employment.
  • Government policies and interventions for development in various sectors and issues arising out of their design and implementation

Non Personal Data regulation – Part I

Context:  The Committee of Experts on non-personal data governance framework (“NPD Committee”) released its draft report.  

NPD was constituted by the Ministry of Electronics and Information Technology (“MeitY”) on September 13, 2019 under the Chairmanship of Kris Gopalakrishnan (Co-Founder, Infosys). 

What is non-personal data? 

  • In its most basic form, non-personal data is any set of data which does not contain personally identifiable information.  
  • This in essence means that no individual or living person can be identified by looking at such data. 
  • For example, while order details collected by a food delivery service will have the name, age, gender, and other contact information of an individual, it will become non-personal data if the identifiers such as name and contact information are taken out 

Significance of Non-Personal Data 

  • Can be harnessed for Public Interest: Data should be unlocked in public interest beyond the sole service of commercial interests of a few large companies. 
  • Economic Value: These data sets will help to map consumer biases and ensuretargeted delivery of services. It will unlock the doors of economic value and innovation in the country. 
  • Subject of Communities: Data, in many cases, are not just a subject of individual decision-making but that of communities, such as in the case of ecological information 

Key Takeaways from the draft report 

1. Definition: The report has classified non-personal data into three main categories, namely 

  • Public non-personal data: It involves all the data collected by the government and its agencies during execution of all publicly funded works. 
  • E.g. census, data collected by municipal corporations on the total tax receipts. 
  • Community non-personal data: It involves any data identifiers about a set of people who have either the same geographic location, religion, job, or other common social interests. 
  • E.g. The metadata collected by ride-hailing apps, telecom companies, electricity distribution companies. 
  • Private non-personal data: It can be defined as those which are produced by individuals which can be derived fromapplication of proprietary software or knowledge. E.g data generated by companies like Google, Amazon etc. 

 2. Sensitive Non-Personal Data (NPD)

  • The NPD committee has recommended classification of NPD into general NPD, sensitive NPD and critical NPD- just like the classification of personal data under the PDP Bill 
  • There will also be storage restrictions will also apply to NPD based on sensitivity-  
    • (a) general NPD can be stored anywhere in the world;  
    • (b) sensitive NPD can be transferred outside India, but it must be stored in India  
    • (c) critical NPD (subject to the definition of critical PD, which is yet to be defined) must be stored in India 

3. Different roles in the NPD ecosystem 

  • Data Principals, Data Custodians, Data Trustee and Data Trusts have been identified & their roles defined in the NPD ecosystem 

 4. Introducing a new category of ‘data businesses’

  • Entities involved in data collection or processing will be classified as ‘data businesses’ based on a certain threshold of data collected/processed. 
  • Data businesses will have to submit meta-data about data user and community from which data is collected with certain details 
  • This meta-data will be stored digitally in meta-data directories in India, which will be made available on an open access basis to citizens and organizations. 
  • Based on this meta data, ‘potential users’ can identify opportunities for combining data from multiple data businesses or governments to develop products and services. 

5. NPD Regulatory Authority:

  • The report has also suggested setting up of a new authority which would be empowered to monitor the use and mining of such non-personal data. 
  • Along with having an enforcing role (to ensure that all stakeholders in the NPD ecosystem follow rules and regulations, enforce valid data sharing requests etc.), it will also have an ‘enabling role’, which is quite broad. 
  • It will have the power to address market failures in terms of lack of information and also ensure a ‘level playing field’ with fair and effective competition in digital and data markets 

(Part-II– of the article will deal with Criticism of the report and Way Forward)

Connecting the dots 

  • The Personal Data Protection Bill 2019 
  • EU Data Protection Law 

Search now.....

Sign Up To Receive Regular Updates