By Amar Patnaik & Nikhil Pratap
The Committee of Experts on Non-Personal Data (NPD) recently released a revised report on the Draft Non-Personal Data Framework. The report attempts to provide a data policy blueprint for India, a nation which “can arguably be projected as being one of the top consumer markets, and by extension data markets in the world”. Some of the underlying objectives behind regulating non-personal data are to tap into data as an economic asset, incentivise start-ups by correcting the imbalance created by a handful of dominant players, and use data for the public good and the economic benefit of citizens while safeguarding collective community interests over such data. This contrasts with the personal data protection regime built in the Personal Data Protection (PDP) Bill, which seeks to ensure primacy to the individual, and not the community, over his personal data.
To achieve these aims, the Committee has proposed a sui generis framework for non-personal data, independent of the personal data protection law. It aims to translate a category of data from ‘club goods’ into ‘public goods’. Public goods are non-rivalrous, non-excludable and freely available, such as clean air, street lights, drinking water, and so forth. To avoid the formation of possible monopolies in the case of club goods, the committee identified key players and argues for the establishment of a regime of rights and obligations.
Under the NPD framework, a ‘data custodian’ is the entity that collects, stores and processes non-personal data, which may be a private entity such as a social media company or the Government itself. A ‘data trustee’, on the other hand, is an organisation which is responsible for the handling of the non-personal data. A typical example would be a trade body such as NASSCOM.
A data trustee has the duty to seek all data from data custodians which “may be useful for policy making, improving public service, devising public programs, infrastructures, etc”. These categories of non-personal data have to be shared with other entities at no remuneration. The Committee puts this data in the category of what it calls ‘raw data’. However, comparable terminology is absent in the PDP Bill. Besides, the PDP Bill defines ‘data fiduciaries’ as those who store as well as process data and ‘consent managers’ as those who would manage the consent of individuals.
The only exception to the overarching power of the data trustee to seek data from the data custodian is ‘proprietary’ or ‘inferred’ data (“where insights are developed by combining different data points typically involving trade secrets, algorithms, computational techniques, advanced analytics etc”). While the PDP Bill makes no such separate categorisation of ‘inferred data’, it includes inferred data in the definition of personal data. Thus, inferred data could be either personal or non-personal. It is widely believed that making privately collected data publicly available may result in disclosure of business strategy, as the pattern and nature of the ‘raw data’ collected may reveal the direction of the business to its competitors. The personal data regulatory framework proposed under the PDP Bill, however, protects even ‘inferred’ data.
Given the above conceptual distinction between the two regimes, the recommendation of the Committee to have an independent Non-Personal Data Protection Authority (‘NPDA’), notwithstanding the fact that there already exists a Data Protection Authority (‘DPA’) for regulating personal data and privacy, may prima facie seem justified. According to the report, anonymised and non-identifiable data is regulated by the NPDA as non-personal data, whereas personal data is regulated by the DPA. It is, however, now undisputed that data can never be completely anonymised and is often under the threat of re-identification.
Further, mixed data-sets in large volumes make it difficult for any authority to determine anonymity accurately. Identifiable and anonymised data are not either/or watertight compartments but a spectrum or a scatter. Data can exist at any point within the spectrum/scatter. Besides, which authority will decide whether the data is identifiable or not? Thus, two authorities tasked with overlapping functions could be at loggerheads over jurisdiction, thereby creating unnecessary confusion and possible over-regulation.
Hence, it makes eminent sense to harmonise both regimes conceptually as well as in design and terminology, which, to us, seems entirely feasible. A case in point is the European Union GDPR, which does not have separate regulations for PD and NPD. A common regime will lead to ease of compliance and a reduction in regulatory costs, which will provide an impetus to businesses and economic development. More importantly, it will enable the DPA to better safeguard community interests and privacy by requiring data fiduciaries to take explicit consent from data principals before they convert anonymised personal data into non-personal data. Further, a common framework will also enable harmonisation of the regulation of data fiduciaries and data custodians, both of which are normally the same entity.
A single DPA will also allow resolution of a key point of conflict, i.e., regulation of “inferred data”. The committee, in fact, considered suggestions for consolidation of the DPA and NPDA but rejected them cursorily without considering the merits of the proposal in depth.
The NPD report has effectively articulated a core philosophy of regulating non-personal data while at the same time increasing public good. However, there is no compelling reason why the DPA cannot also be empowered to regulate non-personal data, since section 91 of the PDP Bill already regulates non-personal data for enhancing governance and development. In fact, one of the aims of the PDP Bill (enunciated in its preamble) is “to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto”.
Thus, extending the Bill to non-personal data regulation only seems like a natural course of action. A single authority can conveniently regulate both, efficiently and at a much lower cost.
Patnaik is a member of the Rajya Sabha (from Odisha), and Pratap is a practising advocate. Views are personal.