A Brief Breakdown of the NPD Committee Report
By: Mohit Chawdhry
The governance of the data economy in India has been marked by many changes in the past few years. Broadly, the regulation of data has been distinguished by the kind of data to be protected, namely, personal data and non-personal data.
Personal data is any information that relates to an identified or identifiable living individual like name, gender, an identification card number etc. In India, efforts to regulate personal data of individuals followed from the landmark Supreme Court decision of Justice K. S. Puttaswamy v. Union of India, which affirmed that the Constitution of India guaranteed to each individual a fundamental right to privacy. Subsequently, the Government came out with the draft Personal Data Protection Bill, 2019, (PDP Bill) loosely based on the benchmark European Union data protection law, the General Data Protection Regulation (GDPR). The Bill was subsequently referred to a Joint Committee of the Parliament for consideration, where it is presently pending.
The second kind of data called ‘non-personal data’ (NPD) refers to all data which is not ‘personal data’ (as defined under the PDP Bill), or data which is without any personally identifiable information. This may include for instance data on weather conditions, data from sensors installed on industrial machines, data from public infrastructures etc. NPD can also refer to data which was initially personal data but which is aggregated and to which certain data- transformation techniques are applied, to the extent that individual- specific events are no longer identifiable, can be qualified as anonymous data.
To this extent, the Government released a report on the ‘Non-Personal Data Governance Framework’ (NPD Report) on July 12, 2020. The NPD Report was drafted by the Expert Committee on Non-Personal Data, headed by Kris Gopalakrishnan. In the subsequent months, there has been significant debate regarding the utility and plausibility of various suggestions made by the committee. This blog post provides a quick overview of the most significant suggestions and their associated concerns.
Privacy is one area where the Committee has suggested a major change to the status-quo. It introduced a group dimension to privacy, in the form of ‘community privacy’. This was a departure from the focus of other data protection statutes on the individual. ‘Community privacy’ was recommended to be managed on behalf the relevant community by a data trustee, which could be a Ministry/Department of the Government, a research institution or even an NGO. While this exploration of group privacy in the Indian context must be commended, its translation into workable policy is sorely lacking. The definition of ‘community’ in the Report was so broad that virtually any group of persons partaking in common economic or social activity could be grouped as a community. Further, not every individual member of such a ‘community’ may be aware of their participation in the community. The Report also failed to elaborate on why government organisations and research organisations were best suited to manage community privacy and what would happen in a situation where a government body was a data trustee as well as a collector and user of the same data.
Another aspect of privacy that the Committee dealt with is anonymization. Anonymization is the process of removing any personal identifiers from data such that it can no longer be traced back to an individual. The concept of anonymization is important because the Report relied on it to differentiate between personal and non-personal data. The Report noted for instance that personal data which goes through the process of anonymization becomes non-personal data. As a result, it would be subject to the regime proposed in the Report as opposed to the Personal Data Protection Bill. While this sounds simple enough, no current standard of anonymization is irreversible. This means that even personal data which has been anonymized can pose a significant privacy risk to individual users. The Report acknowledged this and stated that when a ‘deanonymization event’ occurss, the person to whom the data originally related, i.e. when it was personal data before anonymization, would be able to take recourse. Given this, it is entirely unclear why anonymised personal data should not be within the jurisdiction of the Personal Data Protection Bill which has the specific mandate of protecting privacy.
(ii) Data Sharing and Competition
The second major area of focus was the creation of a robust data-sharing regime, which would help spur innovation and also check monopolistic tendencies of major global technology companies. The Report suggested that data pertaining to the community collected by NGOs, private companies and the Government, should be mandatorily shared with data trustees and the Government. This would mean that Uber, for example, would have to share its commute data with the Government. Also suggested in the Report was the creation of a parallel classification of businesses, known as ‘data business’ – that is any business which crossed certain thresholds in terms of its data use would be required to share meta and raw data underlying it data on a mandatory basis. It would also have to inform the Government of how it uses this data, where it is stored, the schema used for analysis etc.
An obvious problem with the above suggestions is that it ignores the existing regime of laws, such as Copyright and Trade Law that provide protection to datasets created by businesses. Such protections can possibly extend to raw and metadata as well. A second concern lies in the assumption that making the above-stated data will by itself spur innovation and check monopolistic practices. However, the ability to extract information out of that data, through processing and analysis, is equally if not more important than the data itself. The effective processing of data requires the requisite infrastructure, for storage and processing, and skills.
The report did not adequately address how infrastructure and skilling can be augmented to enable Indian entrepreneurs to compete on an equal footing with global corporations. Finally, the prescription of a threshold level of data use can act as a deterrent to Indian start-ups from scaling their operations due to the fear that their data will have to be mandatorily shared if they become ‘big’.
Mohit Chawdhry is a Research Assistant at Esya Centre.
 European Commission, What is Personal Data, see <https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en>  Justice K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1  Ministry of Electronics and Information Technology, Report by the Committee of Experts on Non-Personal Data Governance Framework, Office Memorandum No. 24(4)/2019-CLES dated 13.09.2019, pp. 13.  Ibid  Ibid 3  The argument is that any data collected by a company is ordered and structured way particular to that company. This could, in effect, meet the thresholds for protection under Copyright.  Something that several in the Indian tech-start up space would vouch for. For example, see Sameer Nigam and Saket Gupta.  Esya Centre, Response to the Report by the Committee of Experts on Non-Personal Data Governance Framework, September 2020, Issue No. 104, at <https://static1.squarespace.com/static/5bcef7b429f2cc38df3862f5/t/5f6c8db09e4de8715a94cac0/1600949684368/Issue_104_Response_to_Report_by_NPD_Committee.pdf>