Privacy & Cybersecurity Law Blog

On July 13, 2020, a Committee of Experts within India’s Ministry of Electronics and Information Technology (“the Committee”) published the first draft of a Non-Personal Data Governance Framework for India for public consultation.

In drafting the framework, the Committee studied various issues relating to non-personal data and has put forward recommendations for consideration by the Indian Government on the regulation of non-personal data.

The Committee believes that regulating the data ecosystem is necessary to:

• create a modern framework to unlock the economic, social and public value from using data;
• create certainty and incentives for innovation and to encourage startups in India;
• create a data sharing framework to enable the availability of data for social, public and economic good; and
• address privacy concerns, including from re-identification of anonymized personal data.

Key takeaways of the Committee Report include:

• Definition of Non-Personal Data: The Committee provides new definitions for different types of non-personal data (public, community and private) and defines the concept of “sensitive” non-personal data.
• Consent for Anonymized Data: The Committee recommends that individuals who provide consent for the collection of their personal information must provide a separate consent for the anonymization and usage of anonymized data.
• Key Non-Personal Data Roles: The Committee defines key roles that are to be governed by non-personal data rules and regulations—this includes data principal, data custodian and data trustee. The Committee also includes, in the framework, an institutional form of data infrastructure—a data trust.
• Ownership of Non-Personal Data: The Committee recommends adopting the notion of “beneficial ownership/interest” in articulating a legal basis for establishing rights over non-personal data.
• New Category of “Data Business”: The Committee recommends creating a new category of business called a “Data Business” that meets certain data threshold criteria. Such businesses will have to formally register and declare what they do and what data they collect, process and use, and in which manner and for what purposes they use the data. Metadata about data being collected by these businesses will be open-access within India, and data requests may be made for the detailed underlying data by other companies and the government.
• Data Sharing Mechanisms: The Committee sets out a mechanism for mandatory data sharing for some forms of non-personal data. The Committee specifically notes that, with respect to private non-personal data, algorithms and proprietary knowledge may not be considered for data sharing.
• Data Sharing Checks and Balances: The Committee recommends establishing several checks and balances to ensure appropriate implementation of the rules and regulations with respect to data sharing, including mimicking rules on data transfers that are applicable to personal data in the Personal Data Protection Bill 2019 (the “PDPB”).
• Non-Personal Data Authority: The Committee recommends the creation of a separate non-personal data authority. This authority would be independent from the data protection authority proposed by India’s PDPB. In cases of mandated sharing, if an organization refuses to share requested data, the non-personal data authority will adjudicate the data sharing dispute.

Comments are due on the draft framework by September 13, 2020.