Context

Recently, a government committee has suggested that non-personal data generated in the country be allowed to be harnessed by various domestic companies and entities.

About

• The 9 member committee headed by the Infosys co-founder Kris Gopalakrishnan released the draft report and has kept time till August 13 for the public to send suggestions.
• The committee has also suggested setting up a new authority that would be empowered to monitor the use and mining of such non-personal data.
• The government committee, in its report, has classified non-personal data depending on the source of the data and whether it is anonymised in a way that no individual can be re-identified from the data set, into three categories, namely public non-personal data, community non-personal data, and private non-personal data.

Definition of Non-Personal Data

• In its most basic form, it is any set of data that does not contain personally identifiable information. This in essence means that no individual or living person can be identified by looking at such data.

Public, Community, and Private Non-Personal Data

• All the data collected by the government and its agencies such as census, data collected by municipal corporations on the total tax receipts in a particular period, or any information collected during execution of all publicly funded works have been kept under the umbrella of public non-personal data.
• Any data identifiers about a set of people who have either the same geographic location, religion, job, or other common social interests will form the community's non-personal data.
  • For example, the metadata collected by ride-hailing apps, telecom companies, electricity distribution companies, etc.
• Private non-personal data can be defined as those which are produced by individuals which can be derived from the application of proprietary software or knowledge.
  • For example, while order details collected by a food delivery service will have the name, age, gender, and other contact information of an individual, it will become non-personal data if the identifiers such as name and contact information are taken out.

How sensitive can non-personal data is?

• Unlike personal data, which contains explicit information about a person’s name, age, gender, sexual orientation, biometrics, and other genetic details, non-personal data is more likely to be in an anonymised form.
• However, certain categories such as data related to national security or strategic interests even if provided in anonymised form can be dangerous. Similarly, even if the data is about the health of a community or a group of communities, though it may be in anonymised form it can be still dangerous.

Global standards on non-personal data

• In May 2019, the European Union came out with a regulatory framework for the free flow of non-personal data in the European Union, in which it suggested that member states of the union would cooperate when it came to data sharing.
  • The regulation, however, had not defined what non-personal data constituted of and had simply said all data which is not personal would be under the non-personal data category.
• In several other countries across the world, there are no nationwide data protection laws, whether for personal or non-personal data.

Analysis of India’s non-personal data draft

• The draft is a pioneer in identifying the power, role, and usage of anonymised data, there are certain aspects such as community non-personal data, where the draft could have been clearer.
• According to some experts, the final draft must clearly define the roles for all participants, such as the data principal, the data custodian, and data trustees.
• Regulation must be clear, and concise to provide certainty to its market participants, and must demarcate the roles and responsibilities of participants in the regulatory framework. To address these issues more public consultation and more deliberation are required.