Gopalakrishnan Committee On Non-Personal Data Governance Framework


  • On 12th July, 2020, the Kris Gopalakrishnan committee on the Non-Personal Data Governance framework (NPD Committee) submitted its report to the government.

Background

  • The Committee was constituted by the Ministry of Electronics and Information Technology (MeitY) on 13th September, 2019 under the Chairmanship of Kris Gopalakrishnan (Co-Founder, Infosys).
  • It was formed based on the recommendations of the Justice BN Srikrishna committee on protection of personal data (PDP).

Need for a Governance Framework

  • The NPD committee noted that India is a large data market owing to its second-highest population, the second-highest number of smartphone users and increasing internet penetration levels.
  • Some companies with the largest data pools have ‘outsized, unbeatable techno-economic advantages’ owing to first mover’s advantage, network effects and enormous data volumes which have been collected over years. These act as entry barriers for startups and new companies.
  • Therefore, the NPD committee felt that India should not risk data monopolies that create a power imbalance between a few companies with access to large datasets accumulated in an unregulated environment on one side, and Indian citizens, MSMEs, startups and the Indian government on the other.

Key Recommendations

Definition of NPD

  • NPD is defined as ‘data that is not personal data, or when it is without any personally identifiable information’. Three categories of NPD have been recommended:
  • Public NPD: Data collected or generated by any government agency, and includes data collected during execution of all publicly funded works.
  • Private NPD: NPD collected by entities/persons other than governments through assets and processes privately owned by the entity/person. It includes derived/observed data collected through private effort, such as through use of algorithms or proprietary knowledge.
  • Community NPD: Data that pertains to a community of natural persons. It can include NPD about animate and inanimate things or phenomena. Such data shall not include private NPD. Examples cited include data collected by municipal corporations and public electric utilities. It also includes user information collected by telecom companies, e-commerce players, and ride-hailing platforms.

Sensitive NPD

  • The committee has recommended classifying NPD into general NPD, sensitive NPD and critical NPD, just like the classification of personal data under the PDP Bill.
  • The classification of NPD will be based on the category of the underlying personal data (PD) under the PDP Bill.
  • For example, all health-related NPD will be classified as sensitive NPD, as health data qualifies as sensitive personal data (SPD) under the PDP Bill.

Consent Requirement

  • At the time of collecting the data principal’s PD, the entity must take the data principal’s consent for (a) anonymising the data principal’s data, and (b) usage of the anonymised data.

Different roles in the NPD ecosystem

The following roles have been proposed in the NPD ecosystem:

  • Data principal: This is essentially the entity/individual to whom the collected data pertains. It will vary depending on the category of NPD. For example, in case of census data, the citizens will be the data principal. In case of vendor registration or vendor product information, the vendor will be the data principal.
  • Data custodian: The entity that undertakes collection, storage and processing of data, keeping in mind the best interest of the data principal. It has a ‘duty of care’ to the concerned community to which the NPD pertains; this ‘duty of care’ will be defined through a set of obligations.
  • Data trustee: The data principal or community will exercise its rights through a data trustee. The NPD legislative framework will provide guidelines for who can act as an appropriate data trustee for a group/community. For a lot of community data, the corresponding government entity or community body may act as a data trustee.

Ownership of data

  • The committee adopted the notion of ‘beneficial ownership/interest’ of data, as many actors may have simultaneous ownership rights and privileges to data, due to the non-rivalrous nature of data.
  • Public NPD will be treated as a ‘national resource’.

Introducing a new category of ‘data businesses’

  • Entities involved in data collection or processing will be classified as ‘data businesses’ based on a certain threshold of data collected/processed.
  • If the data collection exceeds a certain threshold, the ‘data business’ entity will have to submit meta-data about the data user and the community from which data is collected, with details such as classification, closest schema, volume etc.

Sharing of NPD

  • There are various grounds specified for sharing of data, including national security, law enforcement, community use, policy development and better delivery of public services.
  • India should specify a new class of ‘high value’ or ‘special public interest’ datasets, which can include health, geospatial and transportation data.

NPD Regulatory Authority

  • The Authority will have the power to address market failures in terms of lack of information about the quantum and nature of actual NPD assets held by an entity, or harms arising from processing activities, including re-identification or discrimination.
  • It will also ensure a ‘level playing field’ with fair and effective competition in digital and data markets.

Suggestions for Ensuring Compliance with Data Sharing

  • The report suggests various ‘checks and balances’ for ensuring compliance with data sharing and other requirements.
  • Other than the local storage requirements based on sensitivity of NPD, the report provides for an ‘expert probing’ measure.
  • The report also suggests that ‘data spaces’ can be created to promote intensive data-based research by various stakeholders.
  • It suggests setting up ‘data and cloud innovation labs and research centres’, which will act as physical environments/field validation centres where organizations will test and implement digital solutions.
  • The committee has also suggested an illustrative three-tiered system architecture covering safeguards, technology and compliance to enable data sharing. This includes the suggestion of a ‘Policy Switch’, which would enable a single digital clearing house for regulatory management of NPD.

Significance

  • Meta-data sharing by data businesses will spur innovation at an unprecedented scale in the country.
  • One of the associated key objectives is to promote and encourage the development of domestic industry and startups that can scale their data-based businesses.
  • The report suggests a data-sharing regulation to shift data’s “economic benefits for citizens and communities in India” as well as help the government in policy making and service delivery.
  • The recommendations, if implemented, will help businesses create value from their data by treating it as an economic good, not just information.
  • The regulation of NPD will ensure: (a) provision of certainty for existing businesses; (b) creation of incentives for new businesses; and (c) release of enormous untapped social and public value from data.

BN Srikrishna Committee on Protection of Personal Data

  • The Committee was constituted by the union government in July 2017 to deliberate on a data protection framework.
  • The Committee submitted its report and a draft Personal Data Protection Bill in July 2018.
  • The Committee examined a wide gamut of issues relating to the protection of personal data, which found reflection in the draft Personal Data Protection Bill.
  • It also took cognizance of community data as relating to a group dimension of privacy and an extension of the data protection framework.
  • It also felt that all such community data is relevant for understanding public behaviour, preferences and making decisions for the benefit of the community.