Privacy & Information Security Law Blog

On December 16, 2020, the Committee of Experts within India’s Ministry of Electronics and Information Technology (MeitY) (the “Committee”) issued a revised report on the Non-Personal Data Governance Framework (the “NPDF”) for India (the “Revised Committee Report”).

As we previously reported, the Committee released the first version of the NPDF in July 2020 for public consultation. The goals of the NPDF include creating a framework to unlock the economic, social and public value from using data; creating incentives for innovation and new products, services and startups in India; and addressing privacy concerns, including from re-identification of anonymized data.

The Committee received over 1,500 responses to the consultation and has made several changes to the NPDF based on this feedback. The Centre for Information Policy Leadership at Hunton Andrews Kurth responded to this request for feedback in September 2020.

Key takeaways from the Revised Committee Report include:

• Interaction with the Proposed Personal Data Protection Bill: The Revised Committee Report includes a section on the interface between the NPDF and the Personal Data Protection Bill 2019 (the “PDPB”). It reinforces that the NPDF applies to all data that is not personal data under the PDPB or does not have any personally identifiable information. It also clarifies that mixed data sets that have inextricably linked personal and non-personal data will be governed by the PDPB.
• Treatment of Re-identified Data: The Revised Committee Report notes that non-personal data will continue to be regulated by the NPDF as long as it remains non-personal data. If the individuals whose data constitute the anonymized dataset are re-identified (e.g., through the failure of anonymization technologies, linkage with other information or any other means of conscious re-identification) then the data will fall within the remit of the PDPB.
• Consent to Anonymize Data: The Revised Committee Report more clearly outlines that data collectors must provide individuals with the option to opt-out of having their data anonymized. Opting out functions prospectively and will not an impact anonymization that was carried out before the opt-out was exercised.
• Meaning of a “Data Business”: The Revised Committee Report elaborates on the parameters that may be considered in establishing the thresholds an organization would have to meet to be considered a “data business.” These include gross revenue, number of consumers, households or devices handled and the percentage of revenue generated from customer information. The report also suggests that the thresholds should be aligned with the thresholds for classifying a data fiduciary as a “significant data fiduciary” under the PDPB.
• Mandatory Data Sharing Requirements: The Revised Committee Report revises the scope of the requirement mandating that organizations share anonymized datasets. Under the revised framework, such datasets may only be required to be shared for public good purposes (e.g., for policy making, improving public service, devising public programs, infrastructures and supporting a wide range of societal objectives including science, healthcare, urban planning, etc.). Importantly, the original requirement to share data for economic purposes with other companies has effectively been removed. The revised framework notes that for data sharing for business purposes (i.e., between two or more for-profit entities), such data sharing already exists today and therefore the Committee does not make any recommendations with respect to such sharing.

The Committee is accepting comments on the revised NPDF until January 31, 2021.