Half-cooked Non-Personal Data Framework needs to be brought to a boil

The recently released draft Non-Personal Data Governance Framework is timely and well-intentioned but underdeveloped and lacking in detail.

Digitalisation with an overture to decarbonisation and democratisation

The Ministry of Electronics and Information Technology’s Report on Non-Personal Data (NPD) Framework is a welcome step in light of the digital revolution that India (and indeed the rest of the world) is going through. It demonstrates proactiveness and political will to act upon the many challenges and opportunities that digitalisation will present.

The NPD framework, in its current form, brings much promise of enabling the informational and economic power of data for “community uses/benefits or public goods, research and innovation, for policy development, better delivery of public services, etc.”. One such core public interest purpose of digitalisation is decarbonisation. It would have been encouraging to see data for climate action cited as an example in the framework. Regardless, its constructs can be used to enable data-driven sustainable development in India. For example, large, periodical, granular, and timely datasets, which are currently unavailable, such as energy consumption by end-use can be “useful for policymaking, improving public service, devising public programs, infrastructures, etc. and, in general, supporting a wide range of societal objectives including science, healthcare, urban planning, etc.”, and can help create and sustain an integrated, clean, and flexible grid. As the framework recommends, the NPD ecosystem has the potential to nurture the generation of “special public interest and high-value” datasets “for harnessing economic and societal benefits”. These datasets will help track the progress of decarbonisation and climate action, guide investment in renewable energy assets and energy efficiency for maximised effect, and most importantly, allow the integration of siloed policy, technological, and market interventions for maximised impact.

Digitalisation and decarbonisation can be scaled up through the democratisation of data. The framework cautions that “data monopolies, in a large consumer market such as India, could lead to the creation of imbalances in bargaining power vis-à-vis few companies with access to large data sets accumulated in a largely unregulated environment, on one side, and Indian citizens, Indian businesses including start-ups, MSMEs and even the Government, on the other.” Access to NPD can “encourage competition and provide a level playing field or encourage innovation through start-up activities”. For example, the large, periodical, granular, and timely datasets of energy consumption by end-use mentioned above can help spur demand for energy technology companies such as energy data analytics (incl. IoT, building energy management companies, etc.), equipment manufacturers, facility managers, ESCOs, etc.

To this extent, the Ministry of Electronics and Information Technology’s effort to put together a governance framework to regulate the NPD ecosystem is applaudable. This is not draft legislation or bill and recommends that there should be separate legislation that governs NPD – perhaps it leaves a bit too much to this follow-up bill to substantiate and clarify. The framework is a good first attempt and touches upon many aspects around the meaning of NPD, the actors of the NPD ecosystem and their roles and responsibilities, data sharing, the regulating authority, etc. However, considering the many inherent complexities and sensitivities around data sharing and use, the framework is unable to reach its full potential and would benefit hugely from a round of revision to create a seamless NPD ecosystem that is able to achieve and exceed its objectives. 

Observations and suggestions

Ambiguity around anonymisation

• Although the framework identifies privacy concerns, including from re-identification of anonymised personal data and the potential for harm from the processing of NPD, it goes on to classify aggregated personal data as NPD without adequate checks and balances.
• The framework cautions against the shortcomings of anonymisation – but it does very little to alleviate these concerns. It does allude to the “duty of care” of data custodians and the need for future regulatory guidelines around “anonymisation standards and requirements”. However, it stops short of fleshing this out sufficiently, especially in light of existing and emerging knowledge around the anonymisation.

Concerns related to community NPD

• The definition of community NPD needs clarification, especially in light of the stakeholders of the NPD ecosystem and their roles. It mentions the examples of the Ministry of Health and Family Welfare as a data trustee of data on diabetes among Indians or Manipur government as a data trustee of data on Meitei language. These examples appear to be in conflict with the definition of the data custodian who “undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal” and should have the ‘best interest’ of and a ‘duty of care’ towards the data principal (i.e. the community in this case). Obviously, the data trustee and the data custodian act in different (though not opposing interests) and must be different entities with clearly defined boundaries; any overlaps should be clearly highlighted with examples.
• Community NPD is described as “a collective or shared asset because many parties have overlapping legitimate contributions to and interests in it” – this does little to clear the fuzziness in the ecosystem around community data; in fact, the fuzziness pervading community NPD is exacerbated here.

Insufficient information on the NPD Authority (NPDA)

• The framework positions providing “certainty for existing businesses and provide incentives for new business creation, as well as to release enormous untapped social and public value from data” as a key reason to regulate the NPD ecosystem. However, whilst defining a new category of businesses, i.e. data business, it leaves the tying of important loose ends to the follow-up legislation; for example, data businesses are defined as any commercial, government, or non-government entity that processes or manages data “beyond a certain data-related threshold”, which is left to be determined by the NPDA.
• Whilst an entire chapter has been dedicated to the roles and responsibilities of the NPDA, which will clearly be at the helm of regulating the NPD ecosystem, few recommendations have been made around the composition of the NPDA, its size, its appointment, its autonomy, and its position vis-à-vis other actors of the ecosystem, such as the data custodian and the data trustee (both of which per the framework can well be the government.)

The NPD governance framework ushers in new promise to develop data-driven pathways to clean and affordable energy for a climate-resilient and energy secure future; however, it must do more to protect the rights and privacy of the people it wishes to benefit.