India's Non-Personal Data (NPD) framework

Knowledge repo, archives and collaborations

Make a submission

Up next

Regulatory Overlap Issues in the NPD Committee Report

SU

Setu Bandh Upadhyay

@sbu

The updated report by the committee of experts has a range of regulatory overlap issues. These issues not only affect the data sharing and data governance, but can also have potentially overarching effects. Following are the few of these issues:

Ambiguities and Overlaps with Personal Data Protection Bill 2019 (PDP Bill)

• The committee has tried to address the overlaps between the previous report and the PDP Bill giving requisite clarifications on mixed datasets and applicability of the PDP Bill in case of re-identified data. Moreover, the committee also suggests that overlapping clauses should be removed from the ambit of the PDP Bill. However, the committee here assumes that this would be considered by the JPC which is now formulating the new draft for the PDP Bill.
• There are parallel yet conflicting narratives evolving around the PDPB 2019 and NPD. In an earlier press reporting on the PDPB, it was indicated that JPC is contemplating also include NPD within the ambit of data protection, while the current NPD report suggests that clause within the PDPB which may create an overlap with the NPD governance framework should be removed. This necessitates for both the committees to work together.
• The report is also not clear on when the non-personal data is used to derive personal data, which jurisdiction does that data come under. And if some personal data is used to derive non-personal data, when does the NPD jurisdiction start. This may create a confusing and overlapping mandate with the Data Protection Authority, in cases of re-identification.
• While the committee has stated that sharing amongst private entities is not in the scope of its jurisdiction, the ambiguities surrounding the data sharing mandates and compliance requirements for data businesses remain ambiguous and unfounded. Further, the parameters to define and classify data businesses are not specified, indicating the data business category is synonymous with the “significant data fiduciary” in the Personal Data Protection Bill. A data business can be a data processor or data custodian.
• The committee has talked about Anonymisation by giving a primer on anonymity in the annexure of the report, which is a great first step in ensuring privacy of the consumers. However, the report fails to identify the problems and challenges that data anonymisation and re-identification are plagued with. It’s been shown by multiple studies that data can be re-identified, even without brute force operations. The report also fails to provide exhaustive technical standards or a policy roadmap in which a standard anonymisation can potentially work.
• The committee’s approach towards regulation of non-personal data is without foundations. That is, the committee first has to question whether India is at a level of policy and market maturity that we even need to regulate non personal data. The committee must then assess if there are any market failures which call for a policy intervention. Further, before drafting a report, the committee must consider reaching out to all relevant stakeholders and make their methodology public. The report has cited the regulation of data by the European Union. However, the report does not take into consideration the kind of market maturity the European firms have over data, further, Europe has been a leader in understanding and regulating data with policies as old as 25 years. The EU has achieved that level of policy maturity on the basis of multiple previous regulations, including comprehensive personal data regulation, among others. The committee, therefore, must consider the level of policy vacuum India has had when it comes to regulating data, and must recourse based on that analysis and understanding.

Interface with Constitutional Mandates

• The committee has suggested conflicting views on how it seeks to understand and treat non personal data. To suggest a community-based approach, the report cites constitutional and judicial precedents, thereby equating data with material resources that should be distributed for the common good. The committee has in places assumed data as a tangible physical resource, equating data with the likes of land and oil, to justify the way the data must be shared, used, and owned. Further raising issues on the simultaneous overlapping ownership rights and privileges. This assumption is bringing in confusion and overlap of different approaches and regulations when it comes to deriving the value of data.

Interface with Intellectual Property Rights Regime

• The report states that the copyright protection under the Indian law would not apply to high-value datasets, as no skill or creativity will be required in the compilation of such datasets given that even the fields of data will be predetermined. However, it should be noted that every dataset may have different levels of originality and creativity and in some cases, the ‘fields of data’ may also be innovative. This can potentially bring challenges due to contradictory messages and a narrow view taken by the committee.
• Although Indian law does not give protection to trade secrets, India is a signatory to the TRIPS agreement and is obligated to protect the secrecy of commercially valuable information, under Article 39. While the report identifies that certain raw NPD may be covered under trade secrets, the onus of establishing such coverage is on the data custodians. The report also talks about how the evocation of eminent domain should be actively discouraged, it is clear that committee has left the clause to claim eminent domain over trade secrets from data custodians. The committee must therefore ensure that the framework is aligned with other policies that the government is pushing for, such as foreign trade policy.
• The report states that there is no applicability of the Competition Act in the context of the current framework. The report fails to consider that the CCI may also have the power to prescribe data sharing for public economic benefits under the essential facilities doctrine. The report prescribes for the expropriation of data for economic benefits such as starting of new businesses and developing new value-added services. The committee must revaluate taking such a narrow view and give proper credit to the CCI, without infringing on its jurisdiction or diminishing its role as a key regulator.

Suggestions and Solutions to avoid regulatory overlaps

• Broadly, the committee should be urged to take a broader and more progressive vies when it comes to jurisdictions and the applicability of different laws and policy in the context of non-personal data. The committee must also take a liberal and settled view in the global context on how to treat data, and what kind of rights, and responsibilities are to be associated with it. Given the fact that several other jurisdictions are defining the public data, it’s likely that international trade agreements will come with a caveat of liberal use and view of data in the future.
• Avoiding umbrella regulations and leaving no room for sectoral regulations on data sharing would be the first step to avoid the kinds of regulatory overlaps that might make it complicated to simplify in the future. The committee must consider leaving room for possible sectoral policies while also specifying where the jurisdiction of the NPD framework will end, the committee can do that with a deliberative process to with other regulators with concurrent jurisdictions. Popular in competition law, concurrent power refers to the application of competition law in a regulated industry by either the industry or sectoral regulator and the competition authorities.
• A collaborative approach is another possible solution to deal with regulatory overlaps. Authorities can jointly have data sharing under their jurisdiction. Economic regulators have long used this model, the UK being the primary example. An authority comprising of all the concerned bodies and regulators (in this case the DPA, NPDA, CCI) can be formed to decide and adjudicate on the separation and limitation of each of their jurisdictions. This authority can also be empowered to resolve matters which cannot fall under any one of the regulations.

Setu Bandh Upadhyay

CUTS International

Comments