India: Proposed Data Regulation Overhaul Includes New Draft Rules for Processing Non-Personal Data

|

Authors: Sameer Avasarala

——-

Disclaimers

This guest post is by Sameer Avasarala, a Data Protection and Technology Lawyer in Bengaluru. The material/opinion expressed is exclusively that of the author alone and does not expresses the views of Cyril Amarchand Mangaldas or any other firm / organization that the author is associated with. He can be contacted at [email protected]

Data protection and informational privacy have been gaining mainstream momentum in India with significant movement around the Aadhaar project, the forthcoming comprehensive regime for the protection of personal data and evolving data market trends. The legislators are now also considering regulating the processing of non-personal data, as shown in a new Report released by a Committee of experts put together for this purpose by the Ministry of Electronics and Information Technology. This contribution will set out the general background of data related regulatory efforts in India (1), and then it will look closely to the proposed rules for processing non-personal data: (2) its definition and classification, (3) the data localization requirement for sensitive and critical non-personal data, (4) guidance on anonymization, and (5) proposed data sharing obligations for organizations.

1) Setting the scene: a fundamental right to privacy and a growing data market

The recognition of a fundamental right to privacy by the Supreme Court[1] (Puttaswamy), as well as devising the triple test[2] as a basis to evaluate laws which may restrict the right to privacy and its application to the Aadhaar project[3], have been instrumental in triggering mainstream discourse around privacy in India.

At the same time, the data market in India is an exponentially growing market, with some studies estimating it to be a USD 16 billion industry by 2025 at a staggering 26% compounded annual growth. The government recognizes the need for a data governance framework to act as a catalyst for the growth of data economy in India.

Based on the normative foundation in Puttaswamy, the Ministry of Electronics and Information Technology (‘MEITY’) has constituted a Committee of Experts for a data protection framework, whose report and the resulting draft bill led to the introduction of the Personal Data Protection Bill in 2019 (‘PDP Bill’) in the Parliament. The PDP Bill is currently being reviewed by a joint parliamentary committee which is expected to present its report before the Parliament in the upcoming monsoon session, which may in turn be rescheduled owing to the COVID-19 pandemic.

Separately, the MEITY also constituted a committee of experts to deliberate on a data governance framework for India (‘Committee’) with a view to study various issues relating to non-personal data and make specific suggestions on its regulation. The Committee released its report on July 12, 2020 (‘Report’) and makes substantive recommendations on the scope, classification, ownership and other issues related to non-personal data. It also makes a clarion call for a comprehensive non-personal data regulation in India, to complement the future law dedicated to personal data. In addition, the Committee recommends the establishment of an overarching, cross-sectoral Non-Personal Data Authority (‘NPDA’).

2) Proposed definition and classification of non-personal data

The Report identifies existing issues such as entry barriers for startups and new businesses owing to first-mover advantage of market leaders and data monopolies, to name a few. Business, innovation and research are identified as cornerstones for furthering an inclusive framework for India’s data economy. It is also in line with the Draft National e-Commerce Policyin identifying data of Indian residents as an important ‘national resource’.

‘Non-personal data’ has been defined in the Report as any data that is not personal data[4], or is without any personally identifiable information. This includes personal data that has been anonymized[5] and aggregated data in which individual specific events are no longer identifiable, apart from data that was never personally identifiable. The Report classifies non-personal data into:

  • Public non-personal data: collected or generated by government agencies and in execution of all publicly funded works;
  • Private non-personal data: collected by entities or persons other than the Government and includes derived or observed data collected through private efforts, through use of algorithms or proprietary knowledge; and
  • Community non-personal data that relates to any group of people that are bound by common interests and purposes, and involved in social and/or economic interactions (Community), including information collected by ride-hailing platforms, electricity units, municipal corporations, telecommunication companies and e-Commerce entities.

The Report recognizes natural persons, entities and communities to whom non-personal data (prior to anonymization or aggregation) relates as ‘data principals’ and entities which undertake collection, storage and processing of non-personal data as ‘data custodians’. It also enables communities or groups of data principals to exercise their rights through ‘data trustees’.

3) Data localization requirements for sensitive and critical non-personal data

The Report classifies individuals to whom the data relates before it is being anonymized, as the ‘owners’ of private non-personal data and it recommends obtaining consent of the data principal (at the time of collection) for anonymization and use thereafter.

Private non-personal data is also further sub-classified based on a sensitivity spectrum, taking into account considerations of national security, collective harm, invasion to collective privacy, business sensitive information and anonymized data. Private non-personal data is, thus, categorized into ‘sensitive non-personal data’ and ‘critical non-personal data’. Sensitive personal data[6] and critical personal data[7] which have been anonymized will be considered to be ‘sensitive non-personal data’ and ‘critical non-personal data’ respectively. The Report recommends localization of sensitive non-personal data and critical non-personal data, in line with the requirements applicable to localization[8] of sensitive personal data and critical personal data under the PDP Bill.

4) Guidance on anonymization

Though an offshoot to regulation of non-personal data, the Report provides new insight into the regulatory perspective on anonymization of personal data in India. From a lack of an anonymization standard under the current information technology law[9], to an indicative list of de-identifiers for ‘totally anonymized data’ applicable to health records, the regulatory viewpoint on anonymization has been vastly inconsistent. Recently, a protocol released by the MEITY in relation to the Aarogya Setu, a contact tracing mobile application, indicated a high anonymization standard, based on ‘means likely to be used to identify’ individuals, generally similar to the General Data Protection Regulation.

Against this background, the Report recognizes the residual risk of re-identification associated with anonymized information and considers anonymized sensitive personal data and critical personal data as sensitive NPD and critical NPD respectively. While the Report suggests techniques and tools for anonymization, as part of an anonymization primer, the introduction of data localization requirements and classification of non-personal data in a similar manner to personal data may deter in practice the use of anonymized information.

5) Data sharing and registration obligations

The Report recognizes ‘data businesses’ as a horizontal category of businesses involved in data collection and processing. Based on specific threshold requirements, the Report proposes a compliance regime to govern such data businesses, including registration and mandatory disclosure of specific information to the NPDA. Interestingly, a similar requirement for ‘data fiduciaries’ is included in the PDP Bill[10]. Accordingly, they would need to submit to the proposed Data Protection Authority any personal data anonymized or other non-personal data to enable better targeting of delivery of service or formulation of evidence-based policies to the Government.

The Report on regulating non-personal data is also proposing that data custodians may be required to share non-personal metadata about users and communities, to be stored digitally in meta-data directories in India and made available on an open-access basis to encourage development of novel products and services.

The Report contemplates three broad purposes for data sharing:

  1. a) Non-personal data shared for sovereign purposes may be used by the Government, regulators and law enforcement authorities, inter alia, for cyber security, crime and investigation, public health and in sectoral developments.
  2. b) Non-personal data shared for core public interest purposes may be used for general and community use, research and innovation, delivery of public services, policy development etc.
  3. c) Non-personal data shared for economic purposes may be used by business entities for research, innovation and doing business. It may also be leveraged as training data for AI/ML systems.

A ‘checks-and-balances’ system is proposed for ensuring compliance with data sharing and other requirements based on measures such as expert probing for vulnerabilities. The Report also recommends establishments of data spaces, data trusts and cloud innovation labs and research centers which may act as physical environments to test and implement digital solutions and promote intensive data-based research. It also includes guiding principles for a technology architecture to digitally implement rules for data sharing, ranging from mechanisms for accessing data through data trusts, standardized data exchange processes, techniques to prevent re-identification of anonymized information and distributed storage for data security.

The Report recommends a three-tiered system architecture including legal safeguards, technology and compliance to enable data sharing, in addition to a policy switch which enables a single digital clearing house for regulatory management of non-personal data.

Finally, the Report proposes classification of high value or special public interest data sets, for instance, geospatial, telecommunications and health data. However, it does not specifically indicate any implications of such classification.

Compliance with processing of non-personal data requirements would be ensured by a newly created NPDA. The Report recognizes the need to harmonize guidance issued by the NPDA in line with sectoral regulations. The NPDA is sketched out to have an enabling role (to ensure a level playing field) in addition to enforcement (to address market failures),

6) Conclusion: More to come

The Committee is currently inviting public comments[11] and is likely to hold public consultations on the policy options proposed. While there is no clear timeline around framing and enacting a data governance framework for non-personal data, it is likely that the PDP Bill would be enacted by the Parliament prior to it. The PDP Bill may also be relevant in setting context for the forthcoming non-personal data framework, given the ability of the Government to solicit non-personal and anonymized personal data.

While the Report is helpful in setting context for the forthcoming regulations for non-personal data and in proposing a data governance regime, the Government is likely to evaluate its content, hold wider consultations and consider other policy aspects prior to formulating a comprehensive data framework governing non-personal data in India.

[1] Justice K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1

[2] Modern Dental College & Research Centre & Ors v. State of Madhya Pradesh & Ors, AIR 2016 SC 2601

[3] Justice K. S. Puttaswamy v. Union of India, (2019) 1 SCC 1

[4] Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; Section 3(28), Personal Data Protection Bill, 2019

[5] Section 3(3), Personal Data Protection Bill, 2019

[6] Section 3(36), Personal Data Protection Bill, 2019

[7] Section 33, Personal Data Protection Bill, 2019

[8] Section 34, Personal Data Protection Bill, 2019

[9] Rule 2(1)(i), The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)

[10] Section 91, Personal Data Protection Bill, 2019

[11] MyGov ‘Share your Inputs on the Draft Non-Personal Data Governance Framework’, available at https://www.mygov.in/task/share-your-inputs-draft-non-personal-data-governance-framework/