India's controversial draft rules for non-personal data prompt fresh debate

18 Sep 2020 12:55 am

India data privacy

India has broken new ground with a proposal on how to regulate non-personal data — one of the world’s first comprehensive attempts to do this.

While its first effort is arguably a fairly crude one, and much of the proposal is unlikely ever to make its way onto a statute book, it has sparked an international debate about what non-personal data is and what it can or should be used for.

In July, a government-formed committee headed by Infosys co-founder Kris Gopalakrishnan released its draft report on non-personal data regulation, together with a consultation on the recommendations contained within it.

Broadly, the report defines non-personal data and separates it into three classifications: private, public and community.

It sets out a mechanism under which businesses would have to share their data with both start-ups and the government, while recommending the introduction of a new, non-personal data regulator. The report also suggests restrictions on transferring some non-personal data overseas and says that certain types of non-personal data should only be stored in India.

These measures are justified, the report says, because they would boost competition, level the playing field for start-up companies and promote innovation.

The discussion on non-personal data prompted plenty of feedback. By the time the consultation closed earlier this week, more than 1,500 submissions had been filed in response, although only a handful of those have been published.

On the whole, the response to the committee’s recommendations has been one of concern, with the absence of a global precedent and the fear of excessive regulation sparking a call for caution on the part of significant industry players.

Clarity, feasibility and timing

The Information Technology Industry Council, or ITI, whose members include Amazon, Google and Facebook, said the proposals would create a highly burdensome, over-regulated framework that would disincentivize data collection, processing and sharing.

Since non-personal data can also constitute protected trade secrets and could be protected by existing property law, the proposals may also undermine the security of intellectual property, trade secrets and domestic investments, as well as the privacy rights of Indian citizens, the ITI argues.

The Software Alliance, also known as BSA, which counts Adobe, Cisco and IBM among its members, said the recommendations for a new law, a new regulator and an architecture for compulsory data sharing were “premature” given the lack of global precedent for sharing non-personal data.

BSA added that the privacy-related issues in the proposals would be better addressed by the personal data protection bill.

Likewise, Mozilla Corporation, part of a US-based technology not-for-profit, said that now was the time to focus on implementing an effective personal-data protection law — something India has yet to achieve. Once that law was in place, the process for regulating non-personal data should start afresh.

“Many of the report’s recommendations leave much to be desired in both clarity and feasibility of implementation,” Mozilla added.

Competition and data portability

While the submissions pointed to concern that the recommendations, as currently framed, would have a negative effect on the business environment in India, the report’s publication has nonetheless sparked a new debate about non-personal data: What is it, and how should it be treated?

For example, it’s widely agreed that business-to-business sharing of some types of data or datasets is often a good thing and could spur innovation. And while mandating data sharing may be problematic, the report has at least got stakeholders asking themselves what can be done within the existing regulatory framework to encourage more voluntary data sharing.

The government should conduct an exercise to identify those aggregate and anonymized datasets that would be most valuable to nascent businesses, Mozilla suggested. And it could promote competition in the digital economy by supporting dominant companies to grant potential competitors access to privately held aggregate data on reasonable market terms.

BSA said that the Gopalakrishnan committee should identify ways to make data available for research and development while ensuring that privacy is protected.

“By using simple [application programming interfaces] and interoperable formats, the government could enhance access to and use of data by innovative private sector actors, including Indian start-ups and SMEs,” BSA said.

Data trust

While acknowledging the difficulty smaller businesses face when taking on well-established, large data-driven platforms, the report has also prompted a discussion on whether the introduction of a new regulator is required to level the playing field, or whether existing rules simply need to be reviewed.

There’s an argument to be made that the Competition Commission of India, or CCI, might be better placed to take on the role.

Mozilla’s submission says that competition policy should encourage interoperability and standards-centric design and could also include heightened merger review, together with better enforcement of rules and policies against anti-competitive behavior.

The Gopalakrishnan report also introduces the concept of a “community right” over data and the appointment of a “data trustee” to ensure such data is utilized in the best interests of the community.

A data trust would be an independent intermediary between two parties: the people creating data and the companies collecting that data. The trust would have a fiduciary duty towards its members and would negotiate data use with companies according to terms set by the trust.

This is a relatively new idea, but one that’s beginning to be explored in other jurisdictions.

Navigating the technical and legal aspects of how a data trust would operate isn’t straightforward and the report is light on this kind of detail — deferring instead to a new regulatory framework. But the concept appears promising and one that India may find worthwhile debating.

Data privacy and protection

The report’s call for the introduction of restrictions on cross-border, non-personal data transfers and the imposition of local, non-personal data storage requirements sees it straying from the committee’s stated objective of data sharing as a means by which to boost competition.

Some of those recommendations are justified by the need to guarantee greater privacy and security for the data of Indian citizens. However, those safeguards would already be contained in the pending data-protection law — assuming it is eventually implemented.

That a report with a competition focus would stray into personal-data protection policy areas adds to the confusion created by the raft of Indian policies designed to regulate the digital economy that have been published over the last couple of years.

These policies include intermediary guidelines, the consumer protection rules for e-commerce, the e-commerce policy and the foreign direct investment policy on e-commerce, along with a health-data management policy.

Add to that the central bank’s directives for financial companies and the CCI’s own decisions concerning the digital sector, and a landscape of often contradictory policies emerges, with little discussion about how they may interact with one another.

Most of these proposals have yet to be enacted, meaning that their lack of compatibility remains, for now, academic.

More importantly, however, India’s data-protection centerpiece — the Personal Data Protection Bill, introduced into parliament eight months ago — is expected to take precedence over any other laws that may be introduced subsequently.
