THE POLICY AND LEGISLATIVE FRAMEWORK TO REGULATE THE USAGE OF NON-PERSONAL DATA

–Prof. (Dr.) Sairam Bhat*, Gayathri Gireesh**

INTRODUCTION

In the backdrop of the Digital Personal Data Protection Act 2023, the regulation of Non-Personal Data also gains importance. The vast amount of data defined as NPD has to be regulated in terms of law and policy. The present article examines the regulatory framework for the usage of Non-Personal Data.

India introduced the “Data Accessibility & Use Policy” (DAU Policy) in February 2022 to regulate the usage of non-personal data (NPD). India is the world’s most populous country[1] with a whopping 622 million active internet users[2] and this humongous number of people explores the vast possibilities of the population having online access. An important aspect is to manage the information, which stands crucial owing to the increasing use, that it violates individual privacy, and it is incessantly used by corporations to obtain leverage in the competitive global markets. There is a phenomenal upsurge in online services, and this has necessitated the need to make comprehensive data protection laws and to regulate the interoperability of data. This brings in the concern about the right to privacy and has received momentum after the landmark decision of the Supreme Court in K.S. Puttaswamy v. Union of India[3] where the court recognized even informational privacy as a part of the Right to Privacy under Article 21 of the Constitution of India. In furtherance of the same the Parliament passed the Digital Personal Data Protection Act 2023 [PDP] which defines personal data as information that relates to an identified or identifiable individual. This law regulates and governs only digital personal data.

Hence, on the other side, as a matter of scope and ambit, the Non-Personal Data [NPD] also needs to be governed and monitored for its effective usage. Such data governance is to be done by governing the data which is already present in the public domain in the respective Ministries and Departments, and which is uploaded across government platforms. Such data to be eligible to be used for monetization should be the data that people share with Government bodies with fully informed consent or that is legally sanctioned to be collected by the State for an explicit purpose such as tax collection, or public welfare. The current DAU Policy was in continuation of the Expert Committee report submitted by Mr. Kris Gopalakrishnan.[4]

THE NECESSITY OF THE POLICY ON THE USAGE OF NON-PERSONAL DATA

With the increasing role of e-governance, the data harnessed by the Government and its agencies is emerging as a protagonist in providing accessible and expedient services to all individuals. The crucial elements to devising the policy on Non-Personal Data are the absence of data infrastructure, data skills and data-driven online behavior for research and public policy. The expert Committee headed by Kris Gopalakrishnan was constituted by the Ministry of Electronics and Information Technology for matters exclusively relating to non-personal data. The committee had the mandate to formulate policies involving aspects like –

• The origin of the data which means whether the information procured was personal or non-personal.
• The data non-related to any natural person which may be in the form of the supply chain, or the probabilities of the weather forecast and such nature
• The concept of public non-personal data initiated for the purpose of publicly funded government schemes.
• The community non-personal data includes which are collected by the local governments for the implementation of welfare schemes.
• The private non-personal data collected and processed by the private entities for instance those collected for the purposes of consumer behavior.

The committee also suggested a framework for crucial aspects such as data sharing and for safeguards framework to be formulated for usage. The framework for safeguards revolves basically around the anonymization and deanonymization of information. There must be formulation of certain procedures to address the concept of “possible reidentification” which does not violate the principles of privacy. For such reidentification, the committee clearly ascertained those categories of information like health care, caste based which are at the risk of re-identification. Certain group data and national security aspects are also at risk of re-identification. The other two important recommendations are: -data trustee, for example, the Ministry of HRD is called the trustee for student or University-related information and data business: – the new category of business which has information processing beyond a certain threshold.

The DAU policy focuses on –

• Setting up the Institutional framework of having an India Data Office under the MeITY
• Making Data open by default between the different government ministries and organizations (with specified restrictions)
• Data Anonymization and privacy aspects.

THE DATA ACCESSIBILITY & USE POLICY, 2022[5]

The important objectives & and purposes of the DAU are maximizing the access and use of non-personal data available with the public sector The detailed discussion on data monetization made in the Economic Survey of 2019[6] where the government came up with the idea that since government data is “of the people, generated by the people and hence, it should be used for the welfare of the people.” Public welfare is to be brought in by monetizing the information produced by Government agencies by providing it to authorized agencies in an authorized manner. A similar initiative to integrate data has been taken up by the Government in various specific fields like the National Scholarship Portal, E-MNREGA Portal, etc.

Kinds of Data to be regulated

The dataset to be regulated will be decided by concerned Ministries, Departments, or organizations. Through the DAU policy, these entities will regulate the NPD and information created, generated, collected, or archived by the Government of India directly or through its instrumentalities. The NPD means “data which is not personal data”[7] which suggests the idea that any data set incapable of disclosing the personal details of an individual, falls within the domain of NPD. Such NPD includes information collected by ULBs, public health information reports, pollution reports, demographic feature reports of an area, etc. This policy also permits data anonymization i.e., using personal data in the form of NPD by anonymizing the personal data so that data principle remains unknown. The Government is working on a toolkit for such licensing and data-sharing mechanisms.[8]

The data generated by the government will be made available to private entities at certain fees that will be decided by the India Data Officer (IDO) as per protocols of enumerated in the DAU Policy. The same will be laid down after proper consultation and deliberation upon it. Once such data is made accessible to non-governmental bodies, private entities will undoubtedly expand their scope of business by integrating their private data with Government data. At the same time, this data integration of government & and private entities will also act as a benefit for the citizens at large. By analyzing consumer behavior, private entities will provide need-specific solutions to citizens, who may thereby get quality services. Data integration will be beneficial for new start-ups, who may find it easier to gauge the marketplace and its demand before launching the business venture, thereby reducing the chances of failure of blooming business setups. Similarly, it will also aid innovation as corporate sector will be more familiar with the needs of the people.

Further Government entities possessing NPD are responsible not only for collecting, storing and retrieving the information but also for classifying the dataset so eligible into three primary categories:

• Open data: A dataset is said to be open if it is free to use, reuse, and redistribute to any person willing to access such data. These sorts of data will be accessible free of cost. e.g: Census, Pollution report, etc.
• Restricted data: A dataset that is available for sharing only within a restricted system like after obtaining requisite registration, licenses, or permission from authorities in exchange for certain monetary consideration paid by the data seekers.
• Non-shareable data: It includes that chunk of NPD which cannot be shared with any private entity and is solely guarded by government agencies. e.g.: blueprints of vital infrastructures like Banks, Raj Bhawan, Minister residences, etc.

Sharing method of non-personal datasets

Under this policy, the sharing aspect of NPD will be regulated by the IDO which will from time-to-time will lay down protocols for data sharing to be complied with by various stakeholders. According to DAU Policy, most of the datasets are to be kept within open categories to promote innovation and research development. The data standards and data quality will also be notified by the IDO which will have to be followed by the Government bodies handling NPD. The data retention time limit of NPD hosted by Government bodies will be decided by the concerned Ministry or Departments as per the protocols of the DQGI Framework notified by the NITI Aayog. This data which is being made accessible under DAU Policy will continue to remain the property of Government agencies even after the data usage rights are granted to other entities and thus, these entities utilizing government-hosted NPD must mandatorily cite the source and must ensure compliance to guidelines for legal, security, IPR, copyrights and privacy requirements.

INSTITUTIONAL FRAMEWORK OF DAU POLICY

An” India Data Management Office (IDMO)” shall be set up under the Digital India Corporation (” DIC”) under MeITY. The IDMO shall formulate all data datasets metadata rules, norms, and guidelines in discussion with Ministries and State Governments. It will be created with an objective to streamline and consolidate data access and sharing of NPD repositories across the government and its other instrumentalities. It shall also be responsible for framing, managing and periodically reviewing and revising the Policy. The IDMO shall be responsible for developing rules, standards, and guidelines under this Policy and shall be published periodically. It will coordinate closely with line Ministries, States, and other schematic programs to identify and accelerate access to NPD housed with these custodians[9] and will also be responsible for enforcement of this policy. Every Ministry shall have the Data Management Units (DMU) headed by the Chief Data Officer (CDO) and shall work in proximity with IDMO for the implementation policy.

CHALLENGES FOR REGULATING THE NPD

Digital transformation of government contracts and orders is the primary challenge. Digitization of Government contracts and orders is now a common practice that has given way to new public record management system. This digital maturity is being instilled into the Government system in a gradual manner and the main aim behind is cost reduction and improving citizen/customer/vendor experience and aiding decision-making. The Government is relying more and more on digital technologies to further its welfare motives. In India, the digital initiatives are undertaken by the Government through its flagship programme called “Digital India” which aims to bolster usage of digital platforms and methods to provide more wholesome e-governance to its citizens.

However, this digital maturity lies in insufficient funding, cyber security concerns, too many considerations to be met, absence of skills in developing, storing, and handling breach. The solution to these problems lies in firstly, bringing in Uniform Policies for Central and State Governmental Procedures as well as Inter-States Regulations;[10] secondly, providing proper skill training in cyber security; thirdly by ramping up the digital infrastructure and lastly by optimally utilizing the already available technology.

Secondly, data Identification Process & Strategies is the Crucial Challenge. Data Identification plays a crucial role when it comes to dealing with any policy related to data management. Under the PDP Act, 2022 the data fiduciaries are under obligation to classify any data as “personal data”. All personal data needs to be categorized as critical, sensitive or general based on which usage rights are to be defined.

In the USA, the data categorization has been effectuated by an authority called National Institute of Standards & Publication which issues various schemes under its NIST Special Publication 800-53[11] and provides data categorization mechanisms. It has rolled out schemes like FIPS 199 which is the Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels.[12] Similarly, in the EU such categorization is effectuated by Data Protection Impact Assessment (DPIA)[13] which mandates an inventory of all processes that involve the collection, storage, use or deletion of personal data, as well as an assessment of the value or confidentiality of the information and the potential violation of privacy rights or distress individuals might suffer in the event of a security breach.

United Kingdom: – The UK has various schemes[14] that allow government data to be used by method of licensing for public good like Open Parliament License.[15] It enables Information Providers i.e., UK Parliament in this case to license the use and re-use of their Information under a common open license. The UK licensing system does not monetize the granting of such license and data access is provided royalty-free, worldwide, and non-exclusive manner.

Thirdly, high-value datasets (HVD) as defined in the policy need proper assessment and evaluation. HVD are those that are beneficial to the public at large i.e. if such datasets are made publicly accessible then such data will be highly likely to result in the upgradation of benefits currently being provided to the public at large. For instance, data related to public health, public insurance, public schools, etc. Owing to the wide potential lying in these datasets, these datasets are more likely to reap more monetization value to the information provider and consequently are tagged as “high value” datasets. The Kris Gopalakrishnan Committee has highlighted that HVDs can provide tremendous benefit to the public like it can aid in research and education, in achieving a wide range of social and economic objectives, creating new and high-quality jobs as well.[16]

The DAU Policy allows the IDO to locate and classify high-value datasets. Such power has been conferred to IDO without providing any guiding factor to locate HVD. Unlike DAU policy, the Committee had highlighted that such HVDs should be managed by the Data Trustees which can be any Government or NGO, which will regulate data sharing of HVD.

Lastly, climate risk assessment in data management is another challenge. With increasing data, we are more inclined to set up data centres to collect, store and effectively retrieve such data. Data centres are used by businesses, educational establishments and Governments, to give web hosting, the storehouse of proprietary information, and the processing of business deals.[17] With increasing penetration of internet technology across jurisdictions, the relevance of data centres has exponentially increased.   These data centres use magnificent machinery for regulating the data, but these types of machinery may pose environmental risks. In a study, it was found that data centres contribute 2% of the total global greenhouse gas emissions. As per a recent EPA report, e-waste generated from these data centres accounts for 2% of solid waste and 70% of toxic waste.[18] Apart from having harmful emissions, the data centre also consumes a major chunk of energy, for instance in India, data centres consume 2% of India’s total power generated[19] and since in India burning fossil fuels as the primary method to retrieve energy, we can say that considerable amount of fossil fuels are exhausted to power up our data centres.

There is no specifically dedicated laws or policy regulating environmental risks posed by the data. However, there are a few mechanisms available for rating the energy efficiency of buildings (such as the Indian Green Building Council, Energy Conservation Building Code (ECBC), Star Rating – Standards and Labelling, Green Rating for Integrated Habitat Assessment, and Star Rating for equipment. Additionally, the Perform, Achieve and Trade (PAT) scheme of the GOI assigns mandatory emission reduction targets for the high energy-consuming industries, known as Designated Consumers.[20] India should take lessons from other jurisdictions like the EU (like the European Code of Conduct by The European Commission for Data Centres)[21] and the USA (like California T-24: Building Energy Efficiency Standards for Data Centres)[22] which have specifically dedicated guidelines to deal with emissions from data centres.[23]

To conclude, the idea of monetizing of NPD is commendable with features such as deanonymization and reidentification. What continue to be debatable is that whether data is ‘public good’, tradable and capable of monetization. Further, the use of non-personal data has to be streamlined, strengthened in a legislative framework, so as to ensure processing of the information for public welfare only.

———————————————

* Prof. (Dr.) Sairam Bhat, Professor of Law & Coordinator, CEERA-NLSIU

** Gayathri Gireesh, Consultant Advocate, CEERA-NLSIU

*** Research Inputs from Balabadruni Naga Satwik, Judicial Cleark, High Court of Andhra Pradesh.

[1] Sara Hertog, Patrick Gerland & John Wilmoth, UN DESA Policy Brief No. 153: India Overtakes China as the World’s Most Populous Country, United Nations (Apr. 24, 2023), https://www.un.org/development/desa/dpad/publication/un-desa-policy-brief-no-153-india-overtakes-china-as-the-worlds-most-populous-country/.

[2] Ministry of Electronics and Information Technology, India Data Accessibility and Use Policy (June. 04, 2022), https://www.meity.gov.in/writereaddata/files/Background%20Note%20for%20India%20Data%20Accessibility%20and%20Use%20Policy.pdf.

[3] Justice K.S. Puttaswamy v. Union of India, (2019) 1 SCC 1.

[4] The Committee observed that non-personal data should be regulated to: (i) enable a data-sharing framework to tap the economic, social, and public value of such data, and (ii) address concerns of harm arising from the use of such data. Based on the feedback received from this consultation, the Committee released a revised version of the draft for public consultation in December 2020; See Saket Surya, Revised Draft Non-Personal Data Governance Framework, PRS Legislative Research (Jan. 04, 2021), https://prsindia.org/policy/report-summaries/revised-draft-non-personal-data-governance-framework.

[5] Ministry of Electronics and Information Technology, India Data Accessibility and Use Policy (2022), https://www.meity.gov.in/writereaddata/files/India%20Data%20Accessibility%20and%20Use%20Policy.pdf.

[6] Ministry of Finance, Data “Of the People, By the People, For the People”, Vol. 1, Economic Survey 2018-2019, Chapter 4 (2019) https://www.indiabudget.gov.in/budget2019-20/economicsurvey/doc/vol1chapter/echap04_vol1.pdf.

[7] The Digital Personal Data Protection Act, 2023.

[8] A data-sharing toolkit will be provided to all ministries/departments to help assess and optimally manage risk associated with data sharing and release. The framework will help data officers to identify whether the data set qualifies for release, restricted sharing or needs to be on the negative list, identify the appropriate release mechanism and the required degree of anonymization. Ministry of Electronics and Information Technology, India Data Accessibility and Use Policy, 2 (2022), https://www.meity.gov.in/writereaddata/files/India%20Data%20Accessibility%20and%20Use%20Policy.pdf.

[9] Id. at 2.

[10] Mukesh Kumar M., Digital Transformation of Public Service and Service and Administration, Econstor 4 (2020), http://hdl.handle.net/10419/222522.

[11] Joint Task Force, Security and Privacy Controls for Information Systems and Organizations, 800-53, NIST Special Publication REV. 5, (Sept. 12, 2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf.

[12] National Institute of Standards and Technology, Gaithersburg, Standards for Security Categorization of Federal Information, and Information Systems, 199. FIPS PUB, (2004), https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.

[13] The open government data initiative of the USA is called “Data.gov” and was launched in 2009 and is managed by the U.S. General Services Administration, Technology Transformation Service. This platform is launched by the US Federal government under the OPEN Government Data Act, which is Title II of the Foundations for Evidence-Based Policymaking Act. This platform permits open licensing i.e. there is no provision of paying any sort of royalty fee for using the government data, it mandates only citing of data sources. Data Protection Commission, https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments (last visited Aug. 11, 2023).

[14] Open Government License for Public Sector Information: It enables Information Providers in the public sector to license the use and re-use of their Information under a common open license. In this scheme, the National Archives invites public sector bodies owning their own copyright and database rights to permit the use of their Information under this license. The license mechanism is regulated by the UK Government Licensing Framework.

[15] UK Parliament, https://www.parliament.uk/site-information/copyright-parliament/open-parliament-licence (last visited Oct. 2023).

[16] Kris Gopalakrishnan, Data Regulation in India, WTO (Dec. 08, 2020).

[17] Beth Whitehead, et al., Assessing the Environmental Impact of Data Centres Part 1: Background, Energy Use and Metrics, Vol. 82. Building and Environment 151-152 (2014).

[18] The State of Global Environmental Sustainability in Data Centre Design, Data Centers & The Environment, Supermicro (Dec. 2018), https://www.supermicro.com/white_paper/DataCenters_and_theEnvironmentDec2019.pdf.

[19] Micheal Cantor, Future Data Centers Will be Defined by Clean Energy and Sustainable Solutions, CXO Today (Oct. 13, 2021), https://www.cxotoday.com/data-center/future-data-centers-will-be-defined-by-clean-energy-and-sustainable-solutions/.

[20] Sanyukta Raje, et al., Data Center Energy Efficiency Standards in India (2015).

[21] Energy Efficiency, EU Science Hub, https://joint-research-centre.ec.europa.eu/scientific-activities-z/energy-efficiency_en (last visited Aug. 21, 2023).

[22] Building Energy Sufficiency Standards, California Energy Commission, https://www.energy.ca.gov/programs-and-topics/programs/building-energy-efficiency-standards (last visited Aug. 21, 2023).

[23] Data Protection Impact Assessment Template, GDPR.EU, https://gdpr.eu/data-protection-impact-assessment-template/ (last visited Aug. 25, 2023).

Featured Image Sourced From: https://media.product.which.co.uk/prod/images/original/gm-e33a8736-c4d3-40c4-9de4-8de60ba135c4-30-what-counts-personal-data.jpg.