The Committee of Experts (CoE), led by Kris Gopalakrishnan, has released a revised report on the Non-Personal Data (NPD) Framework (NPD Version 2) report on 16 December 2020. The revised NPD report is available at https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf
The CoE is inviting comments and responses to the revised report, the deadline for which is 27 January 2021.
Add your submissions - responses, comments, questions - to Version 2 here. The Privacy Mode team will consolidate the responses and share with the CoE in January 2021, when launching responses to Version 1 of the report.
Add submissions on https://hasgeek.com/PrivacyMode/non-personal-data-version-2/sub
Thoughts on Report by the Committee of Experts on Non-Personal Data Governance Framework (Dec 24, 2020)
Overall proposal is looking reasonable and feasible, even though a
lot of details have to be worked out.
Proposal is demonstrating the commitment to the larger direction of
data sovereignity and data markets. Economic value is major goal.
It eliminates major concerns from the previous versions:
(a) missing institutional guarantor of the system
(b) guarantor of the quality of data
(c) anybody and everybody having access to any/every data
(d) flow of information not being tracked
(e) lack of metadata standards
The proposed approach is a combination of Aadhaar-like “switch” and
Account-Aggregator-like standards and coordination mechanisms.
Metadata management and discovery will become a first class
activity. Every organization has to now submit metadata.
Legal and Economic Framework
- Unclear if it will withstand scruitiny but there is a fairly
detailed argument around the legal underpinnings of the NPD
proposal. It helps that Rahul Matthan, Ex-Trilegal is associated
with the committee.
Proposal puts a price (a non-profit to be created etc.) on data by
allowing only data trustees to define and access data.
Organizations cant demand/access any and all data.
Any access to data is only through organizations - which gives
government/law ability impose costs for misbehavior.
It moved the hard part of identifying HVD to thirdparty - which
is the right approach.
- Moved the responsibility of data access to controller - simplifying
the legal/compliance aspects of the processor.
- Data processor may not share data but it still has to submit
metadata. If clients are abroad, the clients may object to sharing
the metadata. Declaration to this effect is a requirement under
GDPR DPA (Data Processor Agreement).