Author: Sri Lekha
The Kris Gopalakrishnan Committee, in July 2020, suggested a framework for the regulation of Non-Personal Data (‘NPD’) vide its Report on NPD Governance Framework (the ‘Report’). Pursuant to comments/suggestions from the public thereon, a revised Report was released in December 2020, inviting suggestions/feedback till January 31, 2020.
Some of the notable changes/additions in the revised Report include addressing the interface between the regulation of NPD and the Personal Data Protection (‘PDP’) Bill. The Report clarifies that mixed datasets comprising both personal data and NPD will be governed by the PDP Bill. It suggests deleting Sections 91(3) and 93(x) of the PDP Bill, which deal with a regulatory framework covering even NPD, with a view “to ensure that the two frameworks are mutually exclusive…”. Further to the recommendation that consent should be obtained for anonymisation/use of personal data, the Report suggests that the Data Custodians should give notice and offer an option to the Data Principals – (i) to opt out of anonymisation; or (ii) to revoke consent (where personal data is yet to be anonymised). It clarifies that cases concerning re-identification of NPD will strictly fall within the purview of the PDP Bill.
The Report defines ‘Data trustee’ as “…Government…or a non-profit Private organization…responsible for the creation, maintenance, data-sharing of High-value Datasets…”. It defines High Value Dataset (HVD) as “…a dataset that is beneficial to the community at large and shared as a public good…” and proposes mechanisms for the creation and sharing of HVDs which, inter alia, include the creation of an Innovation Advisory Body. Further, it specifies the parameters for setting the threshold for mandatory registration of Data Businesses (viz. organizations meeting a threshold of data collection/processing) as gross revenue, number of consumers/households/devices handled and percentage of revenues from consumer information. It specifies that registration as a ‘Data Business’ below the set threshold will be voluntary. It lists the purposes for data sharing as sovereign (viz. for national security, legal etc.), public good (viz. research, innovation etc.) and business purposes. With respect to mandatory data sharing, it states “Outside of a Public Good purpose, private entity to private entity mandatory data sharing is not considered…”. It further specifies that NPD which is likely to violate privacy or involves trade secrets/proprietary information will not be included for sharing.
The Report also, inter alia, analyses the NPD framework from the perspective of Property Law, Copyright Law, Trade Secrets Law, the IT Act, 2000, Competition Law and the Indian Constitution.
The Report of the Committee can be accessed here: https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf
Disclaimer: Views, opinions, interpretations are solely those of the author, not of the firm (ALG India Law Offices LLP) nor reflective thereof. Author submissions are not checked for plagiarism or any other aspect before being posted.
Copyright: ALG India Law Offices LLP