No compelling reason why the Data Protection Authority can’t be empowered to regulate both personal & non-personal data
By Amar Patnaik & Nikhil Pratap
The Committee of Experts on Non-Personal Data (NPD) recently released a revised report on the Draft Non-Personal Data Framework. The report attempts to provide a data policy blueprint for India, a country which “can arguably be projected as being one of the top consumer markets, and by extension data markets in the world”. Some of the underlying objectives behind regulating non-personal data is to tap into data as an economic asset, incentivise start-ups by correcting the imbalance established by a few dominant players and use data for public good and economic benefits of citizens while protecting collective community interests over such data as opposed to the personal data protection regime built in the Personal Data Protection (PDP) Bill that seeks to ensure primacy to the individual and not the community over his personal data.
To achieve these aims, the Committee has proposed a sui generis framework for non-personal data, independent from the personal data protection law. It aims to translate a category of data from ‘club goods’ into ‘public goods’. Public goods are non-rivalrous, non-excludable and freely available such as clean air, street lights, drinking water, etc. To avoid formation of possible monopolies in case of club goods, the committee identified key players and argues for establishment of a regime of rights and obligations.
Under the NPD framework, a ‘data custodian’ is the entity that collects, stores and processes non-personal data which may be a private entity such as a social media company or the Government itself. A ‘data trustee’, on the other hand, is an organisation which is responsible for handling of the non-personal data. A typical example would be a trade body such as NASSCOM.
A Data Trustee has the duty to seek all data from data custodians which “may be useful for policy making, improving public service, devising public programs, infrastructures, etc”. These categories of non-personal data must be shared with other entities at no remuneration. The Committee puts these data in the category of what it calls as ‘raw data’. However, similar terminology is absent in the PDP Bill. Besides, the PDP Bill defines ‘data fiduciaries’ as those who store as well as process data and ‘consent managers’ as those who would handle the consent of individuals.
The only exception to the overarching power of the data trustee to seek data from the data custodian are ‘proprietary’ or ‘inferred’ data (“where insights are developed by combining different data points typically involving trade secrets, algorithms, computational techniques, advanced analytics etc”). While the PDP Bill makes no such separate categorisation of ‘inferred data’, it includes inferred data in the definition of personal data. Thus, inferred data could be both personal or non-personal. It is widely believed that making privately collected data available publicly may result in disclosure of business strategy as the pattern and nature of ‘raw data’ collected may reveal the direction of the business to its competitors. The Personal Data regulatory framework suggested under the PDP Bill however protects even the ‘inferred’ data.
Given the above conceptual distinction between both the regimes, the recommendation of the Committee to have an independent Non-Personal Data Protection Authority (‘NPDA’) notwithstanding the fact that there already exists a Data Protection Authority (‘DPA’) for regulating personal data and privacy may prima facie appear justified. According to the report, anonymised and non-identifiable data is regulated by the NPDA as non-personal data, whereas personal data is regulated by the DPA. It is however now undisputed that data can never be fully anonymised and is always under the threat of re-identification.
Further, mixed data-sets in large volumes make it difficult for any authority to determine the anonymity accurately. Identifiable and anonymized data are not either/or watertight compartments but a spectrum or a scatter. Data can exist at any point within the spectrum/scatter. Besides, which authority will decide if the data is identifiable or not? Thus, two authorities tasked with overlapping functions could be at loggerheads over jurisdiction thus creating unnecessary confusion and possible over- regulation.
Hence, it makes eminent sense to harmonise both the regimes conceptually as well as in design and terminology which, to us, appears entirely feasible. A case in hand is the European Union GDPR which does not have separate regulations for PD and NPD. A common regime will lead to ease of compliance and reduction of regulatory costs, which will provide an impetus to businesses and economic growth. More importantly, it will enable the DPA to better protect community interests and privacy—by requiring data fiduciaries to take explicit consent from data principals, before they convert anonymised personal data into non-personal data. Further, a common framework will also enable harmonisation of regulation of data fiduciaries and data custodians—both of which are usually the same entity.
A single DPA will also allow resolution of a major point of conflict i.e., regulation of “inferred data”. The committee, in fact, considered recommendations for consolidation of the DPA and NPDA but rejected it cursorily without considering the merits of the proposal at depth.
The NPD report has successfully articulated a core philosophy of regulating non-personal data while at the same time increasing, public good. However, there is no compelling reason as to why the DPA cannot also be empowered to regulate non-personal data since section 91 of the PDP Bill already regulates non-personal data for improving governance and growth. In fact, one of the aims of the PDP Bill (enunciated in its preamble) is “to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto”.
Thus, extending the Bill to non-personal data regulation only seems like a natural course of action. A single one can conveniently regulate both—efficiently and at a much lower cost.
Patnaik is member, Rajya Sabha (from Odisha), and Pratap is a practising advocate. Views are personal