Regulatory Updates0Data Protection Bill and Regulations

Personal Data Protection Concept. Padlock over Computer Keyboard with Blue Locked Personal Data Key extreme closeup. 3d Rendering

The incredible explosion in the amount of data being generated, collected and shared is a phenomenon that has changed how businesses, and society in general, operate on multiple fronts from online marketplaces, internet search platforms and social media. Businesses now have the ability to analyse larger volumes of data more quickly and more regularly, applying new tools and techniques powered by automated machine processing or artificial intelligence.

India, now the largest consumer of mobile data in the world, has woken up and acknowledged the importance of data, its uses and security. Following the steps of global heavyweights and pushed against the wall in light of multiple data breaches in recent times, the Government and judiciary have been taking a more proactive stance on protecting consumer rights organizations’ interest.

In India, The Personal Data Protection Bill 2019 was tabled in the Indian Parliament by the Minister of Electronics and Information Technology (MeitY) on 11th December 2019. As of March, 2020 the Bill is being analyzed by a Joint Parliamentary Committee in consultation with experts and stakeholders. 

The Data Protection Bill will have huge commercial and political consequences for India. According to Ernst and Young, emerging technologies in India will create $1 trillion in economic value by 2025. Much of this value will be founded on the creation, use, and sale of data, and the DPB will have immense implications as firms scramble to meet new privacy regulations.

Under the Bill, a Data Principal is an individual whose personal data is being processed.  The entity or individual who decides the means and purposes of data processing is known as Data Fiduciary. The bill establishes a number of conditions for companies to follow, and for large international tech firms that wish to operate in Indian territory. For one, it would require digital firms to obtain permission from users before collecting their data. It also declares that users who provide data are, in effect, the owners of their own data. This has major implications, suggesting that users are able to control the data their online selves produce, and may request firms to delete it, just as European internet-users are able to exercise a “right to be forgotten” and have evidence of their online presence removed. The Bill also proposes a Data Protection Authority of India which shall take steps to protect interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill and promote awareness about data protection. Orders of the Authority can be appealed to an Appellate Tribunal. However in certain instances the central government has the power to exempt any agency of the Government from applicability of the Act if it is necessary for the interest of sovereignty and integrity of India, the security of the State, and friendly relations with foreign states.

Recently, a government committee headed by Infosys co-founder Kris Gopalakrishnan has suggested that non-personal data generated in India be allowed to be harnessed by various domestic companies and entities.The committee has also suggested a separate national legislation and a separate authority to oversee non-personal data. It also recommended mandatory sharing of non-personal data, as it may be useful for Indian entrepreneurs to develop new and innovative services or products to benefit citizens.

Non-personal data is any set of data which does not contain personally identifiable information. This means that no individual or living person can be identified by looking at such data. For example, order details collected by a food delivery service will have the name, age, gender, and other contact information of an individual, it will become non-personal data if the identifiers such as name and contact information are taken out. The government committee, which submitted its report in December 2020, has classified non-personal data into three main categories, namely public non-personal data, community non-personal data and private non-personal data.

Public non-personal data: It involves all the data collected by the government and its agencies during execution of all publicly funded works. e.g. census, data collected by municipal corporations on the total tax receipts.

Community non-personal data: It involves any data identifiers about a set of people who have either the same geographic location, religion, job, or other common social interests. e.g. The metadata collected by ride-hailing apps, telecom companies, electricity distribution companies.

Private non-personal data: It can be defined as those which are produced by individuals which can be derived from application of proprietary software or knowledge. e.g data generated by companies like Google, Amazon etc.

These data sets will help to map consumer biases and ensure targeted delivery of services. It will unlock the doors of economic value and innovation in the country. 

Unlike personal data, non-personal data is more likely to be in an anonymised (without particulars or details) form. However, in certain categories such as data related to national security or strategic interests such as locations of government laboratories or research facilities, even if the data provided in anonymised form can be dangerous. Possibilities of such harm are obviously much higher if the original personal data is of a sensitive nature. Therefore, the non-personal data arising from sensitive personal data may be considered as sensitive non-personal data.

The contention here is that these data sets will heavily favour big tech companies. Only big tech companies possess the capital and infrastructure to create such large volumes of data. Others will find it difficult to match the capabilities of these technology giants. In such a scenario, there is a challenge of demarcation between non-personal data that cannot be shared, and non-copyright non-personal data that can be used as a public resource.There is no clarity over the grievance redressal mechanism in the committee’s report.

Like many other countries, India too will have to define non-personal data in a manner that protects intellectual property rights, serves genuine public interest and promotes innovation. India can learn from France’s National Strategy on Artificial Intelligence policy, which encourages economic players to share and pool their data with the state acting as a trusted third party. France’s policy even empowers public authorities to impose openness on certain data because of its societal benefits. India can also look towards the European Union’s Regulation on the Free Flow of Non-Personal Data, which recognises the free flow of non-personal data as a prerequisite of a competitive economy.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top