The NPD Revised Report, and what is different: A Primer
The MEITY-appointed Committee of Experts (CoE) on Non-Personal Data (NPD) has shared their revised report with a call for feedback by January 27th. This report is a revised version based on extensive feedback received by the CoE to the earlier version of the report (v1).
Overall, the revised report has significantly scoped down the remit of the framework and the purported purpose of mandatory data sharing. While v1 came down hard on the “monopolizing effect of Big Tech” and “imbalance in data and digital industry” as one of the central reasons for the proposed framework, the revised report is distinctly mellow on that front. The CoE has not entirely done away with the idea of mandatory data sharing but recommended the creation of High-Value Datasets (HVDs) that would be a public good and benefit the community at large.
The revised version eliminates mandatory data sharing between business and recognizes that frameworks to facilitate such sharing already exist. The recommendations are limited to the following specific purposes only:
- Sovereign purposes: Requests that can be made by the Government only for “national security or legal purposes”.
- Public good purposes: Requests that can be made by the Government or any other registered data business, for purposes that specifically benefits the public good, research and innovation, policy development or better delivery of public services.
For the above-mentioned purposes, government agencies may request data businesses for NPD through data trustees or if the NDPA ascertains the need for any HVD as valid, it will direct a data business to share this NPD with the data trustee.
As opposed to v1 of the report that called for mandatory sharing of raw datasets, the CoE has now explicitly recognized that databases of companies are covered under the Copyright Act since they deploy skill and creativity in the very act of compilation. The revised report also explicitly excludes proprietary information, trade secrets and instances where NPD sharing could cause privacy harm from the framework. Therefore, data sharing may be mandated only for designated HVDs, where the fields for data to be shared are also pre-determined.
In addition to data businesses, custodians and trustees, data processors are also recognized as a separate entity in the revised report. They are defined as companies (CSPs, SAAS providers, IT/ITES providers etc) that process NPD on behalf of a data custodian. Such businesses would not be liable to share the data of their customers under the NPD framework.
The CoE recommends the creation of a separate legislation for NPD based on their recommendations. To this end, they suggest the deletion of Section 91 of the Personal Data Protection Bill which empowers the government to direct processors and fiduciaries to share NPD. This would ensure clear demarcation of roles and responsibilities for data governance in India. NPD would be under the purview of the NPDA but reidentified NPD would fall under the ambit of the Data Protection Authority as established by the PDPB. Mixed datasets that have inextricably linked personal and non-personal data would be governed by the PDPB.