KOLKATA: Regulators across the world have kept their eyes on people's data. The Indian government is also outlining the route to control the flow of data. An expert committee appointed by the government has recommended a new regulatory authority for non-personal data along with creating a new “data business” classification. The committee is chaired by Infosys co-founder Kris Gopalakrishnan and includes industry, government and academic experts.
What is non-personal data?
Non-personal data is without any personally identifiable information. The committee has further broken down that into data that never related to an identified or identifiable natural person and data which were initially personal data, but were later made anonymous as non-personal data. The committee has defined three categories of non-personal data – public non-personal data , community non-personal data and private non-personal data.
The committee has also defined a new concept of ‘sensitivity of non-personal data’, as even non-personal data could be sensitive from the following perspectives –
1) It relates to national security or strategic interests
2) It is business sensitive or confidential information
3) It is anonymised data, that bears a risk of re-identification
The report has stated that the non-personal data authority will ensure that data is shared for sovereign, social welfare, economic welfare and regulatory and competition purposes and thus spurring innovation in the country
The authority will also play an enforcing role ensuring all stakeholders follow the rules and regulations laid, provide data appropriately when data requests are made, undertaking exante evaluations of the risk of re-identification of anonymised personal data and so on.
As per the committee, the regulatory authority will need specialised knowledge (of data governance, technology, latest research and innovation in the space of non-personal data, etc.) and will have to keep pace with the rapidly evolving technological landscape. “Unlike the DPA which is focussed on prevention of personal harm, this authority will focus on unlocking value in non personal data for India,” it states.
The laws, regulations and rules of the Indian state apply to all the data collected in/from India or by Indian entities. It has suggested to create a new category of the business called ‘data business’ that ’collects, process, store, or otherwise manages data and meets certain data threshold criteria as organisations are deriving new or additional economic value from data. It has also added that is a horizontal classification and not an independent industry sector. Many existing businesses in various sectors, collecting data beyond a threshold level, will get categorised as a data business.
“Just like the economic rights to natural resources arising from a community are considered to primarily belong to it, the value of social resources of community non-personal data should primarily accrue to it (instead of the default whereby data custodians take up the entire value of such data),” the report adds.
It has also suggested to create a data-sharing framework such that community data is available for social/public/economic value creation. However, it has also added that adequate measures would have to be developed in order to ensure that any data-sharing framework does not dilute the protections afforded by the Personal Data Protection Bill, 2019. Data sharing may be requested for sovereign purpose , core public interest purpose, economic purpose.
“It is reported that Google and Facebook together control about 60 per cent of the internet advertising market in the USA. It is also estimated that Amazon had a 37 per cent share of the online ecommerce market in the USA in 2019. This is reflected in the very large market capitalisation of these corporations,” the report mentions while talking about data imbalance. It has cited the example of social media, search, mapbased services, online retail, ride-hailing platforms, digital healthcare, credit rating as data-based businesses.