Naavi.org

(This is a continuation of the previous article)

Non Personal Data Regulatory Authority

One of the key recommendations of the Kris Gopalakrishna Committee (KGC) that has been presently highlighted by the media reports is the recommendation to set up a separate regulator namely “Non-Personal Data Regulatory Authority” (NPDRA).

The NPDRA will be different from the DPA under the PDPA and while the DPA is more oriented towards “Securing Personal Data for the protection of Privacy of individuals”, the NPDRA will be focussing on how to harness the Non Personal Data for national benefit.

Hence the kind of persons who manage this authority has to be more “Progress oriented” than “Caution oriented”. They need to be more “Technology Oriented” than “Legal Oriented”.

The regulator should be able to effectively implement the measures to register and regulate Non Personal Data Fiduciaries, Processors, Data Trustees, Data Trusts etc. It will have to work in harmony with other regulators like DPA and CCI as well as the sectoral regulators. It will have both the “Enabling role” and the “Enforcement Role”.

As expected the NPDRA will be a body of persons with members with relevant industry experience.

(To Be Continued)

Naavi

(This is a continuation of the previous article)

Data Sharing

The essential part of the recommendations of the Kris Gopalakrishna Committee (KGC) is to ensure an effective “Data Sharing” mechanism in which “Non Personal Data” is recognized for its potential value and harnessed for the benefit of the people.

Data sharing  as recommended by KGC refers to the provision of “controlled access” to private sector data, public sector data and community data to individuals and organisations for “defined purposes” and with “appropriate safeguards” in place.

The Committee has preferred an “Open Access” to “Meta data” and “Regulated access” to underlying data of Data Businesses with establishment of appropriate mechanisms to support data requests and data sharing.

One of the key recommendations there fore is the definition of the Data Sharing purpose. The Committee recognizes three purposes namely

a) Sovereign Purpose

b) Core Public Interest Purpose

c) Economic Purpose

Sovereign Purpose

Under this concept, data may be requested for national security, law enforcement, legal or regulatory purposes.

Core Public Interest Purpose

Under this concept, data may be requested for Community uses/benefits for public goods, research and innovation, for policy development, better delivery of public-services, etc.

It is recognized that certain data held with the private sector, when combined with public sector data or otherwise, may be useful for policy making, improving public service, devising public programs, infrastructure etc which needs to be enabled through law.

It is recommended that the Country should specify a new class of data at a national level “High -Value Dataset” like health, geospatial and/or transport data and such data should be used for research purposes.

GKC has specifically mentioned that Health Sector is a pilot use-case for Non-Personal Data Governance Framework and anonymized health data should be shared for the specified purposes.

Economic Purpose

GKC makes yet another interesting recommendation that Data may be requested in order to encourage competition and provide a level playing field or encourage innovation through start-up activities (economic welfare purpose), or for a fair
monetary consideration as part of a well-regulated data market, etc.

Considering the noises being made by some legal professionals and activists about Section 91 of the PDPB 2019 which empowered such a possibility for public policy, this recommendation would be considered as one of the key recommendations under KGC which may go into a big debate.

Data Sharing Mechanisms

The GKC recommends that the implementation of this sharing mechanism would require setting up data and cloud innovation labs and research centers to develop, test and implement new digital solutions, which should be an attractive thought for IT companies. It is recommended that such data should be available as training data for AI/ML systems.

The Data Sharing Mechanisms are expected to provide access to meta data about data collected by different Data Businesses. This is expected to help identification of opportunities to develop innovative solutions, products and services.

Such a mechanism has to involve a “Data Request Mechanism”, “Data Custodian”, “Data Disclosure Mechanism” , “Safeguards” , “Handling of complaints of non disclosure by data custodians”, “Appropriate Checks and Blances” etc as part of a new regulation.

It is expected that “Experts” would be recognized to evaluate data probing tools, and guide the industry regulation. They would focus on Cloud vulnerabilities, Cloud security systems etc.

The current crop of CISOs may find a new area of specialization to develop their careers threatened by the advent of DPOs under the PDPA.

An Academic-Industry Advisory body has also been hinted at by the GKC.

GKC has also hinted that there could be liabilities associated with the implementation of the regulations, for which a Non-Personal Data Regulatory Authority is envisaged.

(To Be Continued)

Naavi

(This is a continuation of the previous article)

Data Business

Kris Gopalakrishna Committee (KGC) has defined a new line of Business Activity called “Data Business”. It has also suggested a new regulatory authority and a comprehensive regulation on collection , storage, processing and managing of data.

This proposition is a highly significant recommendation that could be a game changer in the industry.

While Personal Data Protection Act itself is a gold mine of opportunity, yet to be realised, the Data Business suggested by KGC will be another major development that holds lot of promise for those business entities which have the right long term vision.

To put it simply, while every business uses data for it’s internal purpose, over a period some companies acquire so much of data where data management itself can become a business opportunity and law recognizes it as a business to be regulated.

KGC recommends that entities who process large quantities of data have to be recognized as being in “Data Business” irrespective of their core business.  At this stage KGC recommends that the “Data Business” should be regulated separately by a regulator with various regulatory measures such as  regulating collection, storing, processing and sharing of Personal data, as  being addressed in a personal data protection act.

We can therefore expect a mirror image of the PDPA in the form of “Data Governance Act” (DGA) which regulates the “Non Personal Data”.

This business will be an independent industry sector and cuts across different industry sectors regulated by sectoral regulators.

“Data Business Discovery” is an important milestone for industries when they will be required to register with the regulator and become compliant with the law.

The idea suggests that “Companies who are today not recognized as either a Personal Data Company or even an IT Company may suddenly find themselves as a Data Business company” and would be subjected to new regulations.

Some of the “Data Business Companies” may also be “Personal Data Fiduciaries/Processors” under the PDPA.

Such companies may simultaneously also be “Non Personal Data Fiduciaries/Processors”.

In such cases, the Company will have with one set of regulations under PDPA being managed by a Data Protection Officer and another set of regulations under DGA managed by a Data Governance Officer (DGO).

We will therefore have DPOs and DGOs as new designations for professionals in many companies.

While DPOs will have more people from the IT/IS background, DGOs will have more from the MBA type who have to manage Data as an asset and ensure that after giving away the Personal data to the custody of the DPO, manage the Non Personal Data for the company’s benefit under the new regulation.

Just as some of the CEOs were feeling relieved after appointing a DPO and entrusting him with the responsibilities of Personal Data Protection, they are suddenly confronted with the Data Governance Act which needs to be managed by a DGO failing which there could be adverse consequences.

At this time we donot know what would be the compliance requirements and consequences of non compliance but we can definitely expect that the regulations will have some teeth of its own for industries to contend with.

The Data Business companies will be required to share some data with the Government and negotiate with the Government if any price can be extracted. IoT companies and service organizations in Smart City projects will have a wealth of data which can be packaged and converted into value products.

AI and Big Data companies will have to contend with the regulatory measures that may define the do’s and dont’s  and make the industry interesting.

The ISPs and MSPs will be another set companies who will be prominent players  “Data Business” with a collection of “Meta Data” that would be considered “Non Personal Data”.

Technology people will have a lot to work on Differential Privacy and Anonymization with related professional opportunities.

All in all the concept of “Data Business” is exciting and we look forward to a new world of opportunities opening up.

(To Be Continued)

Naavi

(This is a continuation of the previous article)

Ownership of Data

KGC has articulated a legal basis for establishing rights over “Data”.

Apart from recognizing the “Data Sovereignty” concept where the State has a primary right of ownership of assets collected in/from India which applies to Non Personal Data (NPD) also, the KGC has iterated that the term “Ownership” holds full meaning only in terms of physical assets and in respect of knowledge and data, it should be applied to the st of primary “Economic” and “Statutory rights” over the intangible asset. Hence the notion of “Beneficial Ownership/interest” has been adopted by the Committee as regards NPD.

As a result the committee recommends that

a) In case of Non Personal Data derived from the personal data of an individual, the data principal for personal data will continue to be the data principal of the NPD, which should be utilized in the est interest of that individual.

b) The rights over community Non Personal data collected in India should vest with the trustee of that data community, with the community being the beneficial owner and suchd data should be utilized in the best interest of that community.

This recommendation will create a slight conflict of concept since, NPD which is “Anonymized” is not “Personal Data” and there is no way it can be or should be linked to the Data Principal whether it is for his benefit or not.

The process of anonymization should cut the umbilical cord between the Data Principal’s identity associated with the data and the anonymized data set should be left free to be harnessed by the industry. Any attempt to link it with the beneficiary will defeat the very purpose of anonymization.

Otherwise, the KGC speaking about the Community NPD recommends that the benefits accrue not only to the organizations that collect such data but also equally to the community that typically produces the raw/factual data that is being captured. Accordingly the committee suggests that such data (Community NPD) may be shared in instances where there are defined grounds or purposes for sharing of NPD with Citizens, Startups, Indian companies, Government etc.

KGC also highlights the role of the Data Trustee in ensuring that the community interests are protected.

In the light of the above, KGC has placed the recommendation that

a) Data derived from public efforts should be considered as national resource.

b) Sharing of data benefits should be recognized among multiple parties.

c) Legal basis should be established to enable collection and use of community data by private data custodians or public organisations.

d) Raw/factual data sets comprising of anonymised user-information data collected by private data cusodians like telecom/ecommerce operators may be considered as community data

e) raw data should be maintained under open license free standard

f) There must be appropriate incentives to recognize and reward collectors of community data

g) As the processing value-add ver the raw data increases appropriate mechanisms may be leveraged for data sharing. (P.S: Here the recommendation appears to be closely aligned with the concept of “Additive value hypothesis” discussed in the Naavi’s theory of data.)

(To Be Continued)

Naavi

(This is a continuation of the previous article)

Key Roles

As a means of developing a robust Non Personal Data eco-system, KGC recommends  a set of roles/stake-holders and data infrastructures.

The Key roles defined as per the recommendation are

1. 1. Data Principal
   2. Data Custodian
   3. Data Trustees
   4. Data Trusts

Data Principal

KGC recognizes that in the case of Personal Data, the term Data Principal refers to a natural person only. But in the context of Non personal data, it uses the term in relation to the type of NPD namely Public, Community and Private data as well as on different possible kinds of subjects of data.

Accordingly, Government, Companies and organizations can also be considered as “Data Principals” under the NPD regulation.

Data Custodian

Data Custodian is an entity that undertakes collection, storage, processing, use etc of data in a manner that is in the best interest of the data principal.

The GKC considers the Data Custodian as a “Data Fiduciary of NPD” and emphasizes the “Duty to Care” that is expected from the Custodian in the interest of the Data Principal.

This recommendation seals the interpretation of the term “Data Fiduciary” even in the PDPB by inference.

It is expected that the regulation will define the framework for collection and processing of NPD on the lines of “Notice”, “Consent”, “Obligations” “Compliance”, etc. In a way this may translate into a law similar to the PDPB but related to NPD.

Data Trustees

KGC has also picked up another concept used in PDPB namely the “Consent manager” and envisages a role for a “Data Trustee” who will assist the Data Principals to exercise their rights.

KGC leaves it to the detailed regulation to determine who will exercise the rights to constitute and appoint a Data Trustee to represent a group.

GKC also recognizes the need for mandatory data sharing in certain instances as envisaged  under Section 91 of the PDPB.

Data Trusts

In addition to Data Trustees, an institutional structure identified as “Data Trust” comprising of specific rules and protocols for containing and sharing a given set of data is also recommended.

While Data Trustees are appointed by Data Principals, the Data Trusts may be manged by public authorities constituted by the Government to which Data Principals may voluntarily share data.

Though the terms “Data Principal”, “Data Trust” and “Data Trustees” have the potential for confusion and alternate terminologies could be considered, the concepts are interesting and captures the needs of the ec0-system.

(To Be Continued)

Naavi

(This is a continuation of the previous article)

The Kris Gopalakrishna Committee (KGC) considers that data is valuable and must be regulated in an appropriate manner for which a clear definition of Non-Personal Data (NPD) and the Key roles in the NPD eco system must be articulated.

Definition of Non Personal Data

The KGC has identified that Data can be categorized in many different ways

Category I: Personal Data

a) Arising from the subject of data

b) In relation to its purpose

c) Sector to which it belongs

d) Level of processing

e) Based on the extent of involvement of stakeholders

Category II: Non Personal Data

Non Personal Data where data is not “Personal Data” as defined under the PDPB/PDPA

Category III: Non Personal data according to Origin

a) Data that never related to an identified or indientifiable natural person

b) Data which were initially personal data but were ater made anonymous

Category IV: Different types of Anonymous Data

Based on the types of anonymization techniques

Considering the need o have a clear single definition of Non Personal data,(NPD)  the Committee has recommended three kinds of NPD

1. Public NPD
2. Community NPD
3. Private NPD

The Committee has also further categorized NPD into

a) Non-Sensitive NPD

b) Sensitive NPD

i) relating to national security or strategic interests

ii) related to sensitivity of business and confidentiality

iii) Anonymous data bearing the risk of re-identification

Public NPD consists of data such as data generated by Government excluding those which have been afforded confidential treatment under law, and includes land records, public health information, vehicle registration data etc

Community NPD consists of data generated by any group of people bound by common interests and purposes including anonymised personal data, electricity usage, telephone usage etc, excluding the derived insights (profiling).

Private Non Personal data includes inferred or derived data, global data set pertaining to non-Indians etc

It is interesting to note that the GKC brought the concept of “Sensitivity” to Non Personal Data also to take care of such data that is related to national security and strategic interests, bearing the risk of collective harm to a group, etc.

GKC also recognized the limitations of Anonymization techniques and flagged the possibility of re-identification of anonymized data in terms of classifying them as “Sensitive NPD”.

GKC recommends

“that Non-Personal Data inherits the sensitivity characteristic of the underlying Personal Data from which the Non-Personal Data is derived”

In the light of the above GKC recommends

Consent should be obtained from data principals even for “Anonymisation”.

This suggestion may be incorporated in the PDPB. Even if PDPB does not consider it necessary to add this in the current version and leave it to the new act which may be drafted for regulation of NPD,

this would be adopted as one of the implementation specifications under the PDPSI (Personal Data Protection Standard of India)

(…Continued)