Non-personal data (NPD) broadly refers to data that, standalone or in combination with other data, does not directly or indirectly result in identification of a natural person. These data sets could include aggregated, derived, anonymous, and community data. They have enormous economic value for organizations. NPD often drives innovation, gives organizations a competitive edge, and helps in the formulation of unique market and business strategies and the creation of intellectual property. The Personal Data Protection Bill, 2018 did not include any provision concerning NPD processing and protection. However, Clause 91 of the Personal Data Protection Bill, 2019 (2019 Bill) empowers the central government to access NPD for policy reasons (as discussed at #4 below). Ever since its inclusion, Clause 91 has been extensively debated by stakeholders on whether and why the government reserves access rights in a law that primarily should aim at safeguarding the data principal’s privacy rights while balancing them with the interests of a digital economy.
In this post, we aim to understand the contours of Clause 91 in a global backdrop and analyse its potential impact.
1. Current regime: So far, India does not have a comprehensive law regulating processing, use and reuse of NPD. Vast pools of NPD are contractually protected as trade secrets, know-how, and other forms of proprietary and confidential information. The government’s right to access and reuse such data is limited to reactive access for the purposes of implementing applicable laws[1], national security, public order and state sovereignty. Additionally, the government is empowered to intercept communications and access personal information under various laws including Code on Criminal Procedure, and Indian Post Office, Telegraph and Information Technology acts. Exercise of the government’s access rights is often subject to judicial scrutiny and must necessarily follow due process of law that provides substantive and procedural safeguards. Thus, per se the government does not have unfettered access to an entity’s corpus of NPD.
2. Case for access rights: Over the past few years, several reasons have been advanced in favor of NPD access rights. Governments across the world acknowledge that data driven innovation, invention and policy measures can do significant public good. For instance, aggregated commuter data can help governments deliver better transport infrastructure, implement safer traffic regulations and reduce carbon footprint. It is also argued that NPD should flow seamlessly between jurisdictions, governments, and businesses to set up a data-agile economy that reinforces fair competition. Another school of thought believes that NPD (like community data) when combined with technological tools and other information can result in identification of a specific community and its unique requirements, which consequently, will allow better delivery and targeting of private and public services. As a result, many jurisdictions have started looking closely at how best to regulate processing of NPD, so as to maximise the benefits arising therefrom.
3. Global perspective: To give the reader a flavour of how other jurisdictions are regulating NPD, we briefly look at the European Union (EU) and French regulations. The EU adopted a framework for free flow of NPD on November 14, 2018 (EU Regulation)[2]. It states that any data that does not qualify as personal data under EU General Data Protection Regulations (EU GDPR) is NPD. Some illustrations cited in recital notes include anonymised data used for big data analytics, data on precision farming, and data on maintenance needs for industrial machines. The EU Regulation provides that where personal data and NPD are inextricably linked, the regulations contained in EU GDPR shall be followed for the entire data set. The underlying objective is to enable NPD mobility within the EU without compromising on the data subject’s privacy rights. To this effect, the EU Regulation prevents member states from imposing localization requirements, unless such restrictions are proportionate and essential for public security. Where any member state attempts to impose or retain a localization mandate, it is obligated to publish such requirements on a national information portal and undergo assessment as per EU laws. In order to safeguard a state’s concern around inspection rights and regulatory control in a delocalized data ecosystem, the EU Regulation vests the competent authority with the power to request or obtain access to data, irrespective of where they are being stored and processed in the EU. In turn, organizations are required to provide access in a timely and effective manner. The EU Regulation further advocates the need for creating a principle-based framework that enables cooperation between member states and self-regulation for non-personal data flow. In a nutshell, the focus is on easing the compliance rigours that apply to personal data, eliminating state localization and promoting a culture of cooperation through self-regulation.
Further, certain countries have emphasized the need for free access rights by businesses to government open data sets as a catalyst for providing data-oriented public services and promoting a knowledge-based economy. For instance, the French government in 2016 introduced legislation on public interest data[3]. It enables open and free access by any person to certain government held data, including data held by public or private entities that are entrusted with a public service mandate – land registry, public administrative documents, case law data, energy consumption, scientific and research articles, algorithmic processing of an administrative decision, cartographic data, municipality codes, APIs developed by government, etc. The French law allows companies to reuse government data as valuable benchmark data for provision of new kinds of services other than the public service for which data was originally used. Further, it imposes an open data publication obligation for entities engaged in government subsidy agreements to make data arising from subsidised activity accessible by all. However, the access right and open data publication is required to be balanced with privacy rights, medical secrecy, trade secrets, economic and financial information, commercial and industrial strategies, national security and public safety secret concerns. In light of this, it can be inferred that foreign governments are keen on setting a precedent where private entities have free access to NPD processed by government entities and agencies. This quite naturally creates a trustworthy governance model where businesses are incentivised to reuse open data sets for the larger good.
In a similar vein, the European Commission on February 19, 2020 sent its communication “European Strategy for Data” to the EU Parliament, Council and Committees proposing the need for a framework that establishes fair, practical, and clear access rules for NPD[4]. It proposes putting in place a new law, the Data Act, by 2021 that will regulate data sharing from and by governments and businesses. While formulating the ideals around use of privately held data by government (business to government or B2G), it emphasizes the need for (i) creation of national structures for B2G data sharing, (ii) development of appropriate incentives for businesses to share data, (iii) exploration of a regulatory framework to govern the public sector’s reuse of privately held data. It also contemplates B2B data sharing to address issues relating to co-generated data. This ambitious proposal is envisaged to balance out contracting powers, enable access under fair, transparent, reasonable, proportionate and non-discriminatory conditions, and evaluate the IPR framework.
Based on the above narration, certain global trends can be deciphered. Firstly, there is some consensus that reuse of NPD and open data sets can unlock new service offerings and delivery modes. Secondly, a step by step approach is essential before governments can seek access to privately held NPD or require B2B data sharing. Thirdly, the purpose for accessing and reusing NPD should be fair, accountable, proportionate, transparent, reasonable and conditioned to cater to specific requirements for a business’ proprietary information, intellectual property and its economic requirements. Fourthly, governments have to lead by example where the data flow is two way, and geared through trustworthy data governance models.
4. What is proposed under the 2019 Bill?: Clause 91 states that
- nothing in the 2019 Bill prevents the central government from framing any policy concerning the digital economy, including measures for its growth, security, integrity and prevention of misuse;
- such policy cannot “govern” personal data;
- government can direct any data fiduciary or processor to provide any anonymised or NPD to enable better targeting of delivery of services or formulation of evidence-based policies;
- in process of issuing such directions, government may consult the Data Protection Authority (DPA);
- government shall make annual disclosures of directions made.
5. Impact: There is a lot of speculation on the potential impact of Clause 91.
- Firstly, the contours of “digital economy policy” or what “policy governs personal data” are unclear. The proposed language creates an impression that government is vested with unfettered powers to process any kind of data and not just NPD (identified, deidentified, anonymised) without regard to requirements under the 2019 Bill for formulating digital economy policies. Assuming that the government may require processing of certain personal data for suitable digital economy policy initiatives, it can do so by seeking exemption from DPA to process personal data for research, archiving and statistical purposes. Thus, the real intent for including a digital policy exemption is unclear. The detailed process has been left to delegated legislation.
- Secondly, the power to access anonymised data can create unique nuances. The 2019 Bill defines anonymized data as data which has been irreversibly processed or converted into a form that cannot result in identification of the data principal. Standards of irreversibility shall be prescribed by the DPA. The current state of technology does not provide for foolproof anonymisation, which means that there still exists a possibility that technological tools can be deployed for reidentification of a data principal. If that be the case, then there is merit to argue that anonymised data is a connected data set with personal data, and accordingly, the state’s access and reuse should be within the confines of privacy regulations.
- Thirdly, as indicated earlier, certain NPD like community data could disclose the identity of a particular community when combined with other data sets. For instance, aggregated data on access to subsidised health care can disclose traits of a particular community such as age, employability, economic status, health care requirements and so on. While this sort of analytics can aid formulation of public policies and new health care initiatives, it also can be reused in a manner that adversely affects the identified community and its legitimate expectations of privacy. To this extent, it is important to highlight that Justice Srikrishna in its report as well as MeitY while constituting the expert committee on data governance framework[5] recognise that community data must be processed with certain privacy safeguards as it could lead to identification and targeted treatment of a particular community as a whole. Hence, unfettered access to NPD may adversely impact community interests.
- Fourthly, NPD is a valuable, intangible asset for most businesses. In fact, an increasing number of mergers and acquisitions now view NPD sets as valuation aspects, and rightfully, organizations invest significant resources in safeguarding, analysing, and processing them. These data pools often contain valuable business and behavioural analytics that form the basis for R&D, innovation, improvisations, new products and service offerings, strategies and novel intellectual property. For instance, a pharmaceutical company can anonymise healthcare data derived from cancer patients, assess and analyse them to devise additional testing parameters for a new drug, or for framing newer norms and ethics for their clinical trials. All these efforts can provide the pharmaceutical company with a competitive edge over its counterparts. To this extent, it is also essential that the pharmaceutical company keeps the underlying NPD and its findings confidential and protected. Thus, NPD qualifies as know-how, business secrets, and other forms of confidential information for an organization. The access to such NPD pools ought to be limited and only on a strict “need-to-know” basis, with a back-to-back confidentiality arrangement that ensures further confidentiality. Unauthorised access or absence of rigorous physical and procedural confidentiality standards can pose significant economic, business and competitive risks to owner entities.
- Using the powers under Clause 91, the government can cite policy formulation, efficacious provision of services and public interest to demand access to an entity’s NPD, irrespective of its confidentiality and proprietary nature. At the same time, the 2019 Bill does not provide any guideline on if and how such accessed data will be further accessed, stored, reused and protected. In the current form, it is possible that the government can freely utilize an organization’s data in any manner without following any due process, and since the overarching goal would be dressed as policy initiatives or for the public good, there may be limited judicial scrutiny. Consequently, the power vested with the government is without necessary checks and balances.
6. Conclusion: The Justice Srikrishna committee in its report observed that NPD is akin to a common natural resource that had relevance for understanding public behaviour, preferences and making decisions for community benefit. It recommended that the government consider formulating laws that would accord privacy protection to community data, intellectual property ownership over such data and accord specific protection to corporate data in the digital economy. Accordingly, MeitY constituted an expert committee to further delve into this aspect. When a specific committee has been entrusted with the responsibility for recommending detailed guidelines on NPD processing, it is unfathomable as to why the 2019 Bill includes Clause 91. Keeping the requirements for NPD processing in a separate law will be efficacious, simplified and structured, creating a roadmap for a trustworthy data flow ecosystem. In any event, should the clause be retained in the 2019 Bill, it is critical that due process is built in, so as to ensure that business and community interests are well protected by accountability and transparency norms. If not, the premature inclusion could have massive ramifications for India’s digital economy.