The issues involving non-personal data throw up interesting questions, which also shape the topic for an interesting debate: who does data actually belong to? The jury is still out.
In September 2019, the Ministry of Electronics and Information Technology (MEITY) issued a memorandum to set up a Committee of Experts to deliberate on Data Governance Frameworks under the Chairmanship of Kris Gopalakrishnan, one of the co-founders of Infosys. Other members of the committee include Ms Debjani Ghosh, President NASSCOM, Dr Neeta Verma, DG, National Informatics Centre, among others. There are eight members in total. The need for setting up this committee emerged from the findings of the Justice B.N. Krishna Committee, which submitted a report and the Draft Personal Data Protection Bill in 2018. This committee highlighted the importance of community data (not included in the purview of the Personal Data Protection Bill). It recommended that the Government consider a suitable law that facilitates the collective protection of privacy. Recognising this community/aggregated data, the Kris Gopalakrishnan Committee has been set up to study the issues related to Non-Personal Data and make suggestions on its regulation.
In July 2020, the committee released its report on the Non-Personal Data Governance Framework at a media briefing, inviting public comments on the recommendations (till 13th August 2020). Reaction to the report since its release has been mixed. A recent press report suggests that US-based tech giants including Amazon, Facebook and Google are planning to push back. In a draft letter for the Indian Government, the group of companies, along with the U.S.-India Business Council (who will represent the tech giants), referred to some of the recommendations asking for the sharing of data as “anathema” to promoting competition and investments. On the other side, in an interview published by an Indian publication, Kris Gopalakrishnan, the Chair of this committee, said, “we need to ask that one question: who does that data belong to?”.
But before picking sides, let's look at the background and the rationale behind the recommendations presented in the report. At the outset, the report recognises that “Given the increasing importance and value generation capacity of the data economy, governments around the world realise the need to enable and regulate all aspects of data, both Personal and Non-Personal Data”. It also highlights the emergence of a few dominant players and an imbalanced market where Google and Facebook together control about 60% of the USA's advertising market.
The report continues to say that this imbalance has led to outsized benefits for only a few stakeholders and has squeezed out new entrants who face significant entry barriers. The main point that the committee highlights is the economic and social value of a Data Market, and the need to recognise and harness it. It goes on to make a case for Data Regulation based on 4 points:
1. Creation of economic value from the use of Data
2. Creating certainty and incentives for innovation and encouraging start-ups
3. Creation of a data-sharing framework for social and economic value creation
4. Address privacy concerns for communities
For the basic definition of Non-Personal Data, the report refers to the European Commission's “Guidance on the Regulation on a framework for the free flow of Non-Personal Data in the European Union”, 2019. It goes further to define three categories of Non-Personal Data. These are:
1. Public Non-Personal Data (e.g. data generated by governments)
2. Community Non-Personal Data (the report defines this as “anonymised personal data, and non-personal data about inanimate and animate things or phenomena - whether natural, social or artefactual, whose source or subject pertains to a community of natural persons”)
3. Private Non-Personal Data (observed data that results from individual activities)
Furthermore, the report also states that Non-Personal Data could be sensitive from the following perspectives: 1. National security, 2. Business-sensitive information, and 3. Risk of re-identification of anonymised data.
Detailed explanations regarding the participants in the data economy, legalities around the ownership of data and the definition of Data Business are shared as well. For example, the report calls for defining the ownership of Non-Personal Data collected about the people of India.
While making the case for establishing legal rights over Non-Personal Data, the report makes an important point about the non-rivalrous nature of data. Multiple custodians can share non-rivalrous data, and it can be beneficial for the creation of a wide range of new products and services.
The European Union has also recognised this aspect in its “Guidance on private sector data sharing”. The committee has highlighted that the legal framework must consider this as a factor to incentivise custodians to collect data. On the back of all these inputs and considerations, the Committee recommends that a Non-Personal Data Authority be set up to ensure proper regulation of the various stakeholders of Non-Personal Data.
One can now appreciate the detail into which the report has gone to make sense of this new perspective on data. Arguments in favour of regulating Non-Personal Data include reducing barriers to entry, helping local authorities make better, data-driven decisions and many more. However, from the perspective of a “Data Business”, the addition of new regulatory requirements/hurdles could be seen as an irritant. Sharing proprietary datasets with the broader market could also be a matter of concern.
However, there is no denying that, if handled correctly, it could reap significant social and economic benefits as intended by the Committee. One can hope that, based on the public consultations (which ended on August 13th), the Committee and the industry can come to a common understanding and use this initiative for the greater good. It is indeed a sensitive matter, and the outcome depends on the iterations that come out as this report potentially evolves into a Bill.