India’s data protection regime is still in its nascent stage of evolution, where the proposed changes in the Data Protection Bill, 2021 (“2021 Bill”) are yet to materialize. The 2021 Bill reflects an attempt to regulate the most nuanced aspects of data protection by following an inclusive approach – that is, regulation of personal and non-personal data through a single legislation.
The evolution of specific data protection regime in India can be traced back to the inclusion of right to privacy within the ambit of fundamental rights by the Supreme Court in the celebrated case of Justice K.S Puttaswamy v. Union of India, which recognized the robust data protection regime of the European Union, and expedited the drafting of Personal Data Protection Bill, 2019 (“2019 Bill”). To augment the efficacy of the 2019 Bill, the Joint Parliamentary Committee (“JPC”) amended its regulatory design and proposed the 2021 Bill.
Presently, the 2019 Bill stands withdrawn to materialize the recommendations of JPC. The withdrawal engenders the drafting of a “comprehensive legal framework” which inter alia includes the simultaneous regulation of personal and non-personal data, as recommended by JPC.
As non-personal data was not sought to be explicitly regulated by the previous versions of the 2019 Bill, the decision to regulate non-personal data appears to be at a disjunct with the evolution of data protection in India. Such apparent disjunct needs to be thoroughly analyzed, particularly in the light of the nature of non-personal data and its regulatory design proposed in the 2021 Bill.
Non-Personal Data: Meaning and Significance
Comprehension of the meaning of non-personal data can appear as challenging, especially when the language of its definition is couched in an inclusive manner in the 2021 Bill, in a similar fashion as European Union (EU)’s General Data Protection Regulation (“GDPR”), from which it draws a major fraction of its substance.
It is noteworthy that the Indian government, through the Report by Committee of Experts on Non-Personal Data Governance Framework 2020 (“NPDG Report”) has reflected its intention of regulating non-personal data in the past. While the recommendations of the NPDG Report do not find complete acceptance in the 2021 Bill, it is an imperative source of assistance in determining the nature, expanse and significance of non-personal data. The NPDG Report describes non-personal data in two limbs. The first limb covers data that does not have any relation with determination of the identity of natural persons (information derived from publicly installed sensors, weather report etc.), while the second limb concerns the datasets that are anonymized versions of personal data (anonymized health reports, blurred photographs etc.).
As can be reasonably inferred, the use of non-personal data does not violate the privacy of citizenry. Consequently, the need to regulate non-personal data does not arise from the necessity to protect the right to privacy, but to facilitate personal data protection. Recognizing data as an asset, the NPDG Report aimed at regulating non-personal data to reduce the possibility of risk of reidentification of anonymized data, and to provide for a framework of rights exercisable by creators of such data. However, it did not provide a holistic regulatory apparatus to materialize such rights.
Acknowledging the need to regulate non-personal data, JPC adopted an inclusive approach and brought the regulation of non-personal data within the framework of the 2021 Bill. The reasons provided by JPC for such inclusion relate to the impossibility of distinguishing personal and non-personal data (because of which personal data masked as non-personal might skip the regulatory sight) and the unviability of regulating the two types of data through different regulatory bodies. Therefore, the intention of JPC concerning regulation of non-personal data is derived from the need to facilitate the protection of personal data.
Nature of Regulation of Non-Personal Data in other jurisdictions vis-à-vis India
Considering jurisdictions that have regulations governing non-personal data, EU occupies the central stage. “Framework for the free flow of non-personal data in the European Union” regulates non-personal data with the limited intent to facilitate free flow and portability of such data within member states of EU. As another example, EU’s Digital Markets Act considers the presence of non-personal data as one of the essential parameters to ascertain the degree of network affects and other data driven advantages available to platforms.
Further, the Security of Critical Infrastructure Act of Australia seeks to regulate the information concerning the occurrence of significant events affecting critical infrastructure assets. The Act aims at protecting critical infrastructure assets from any kind of harm by regulating the non-personal information concerning such assets.
The commonality drawn from such Acts indicates that the regulation of non-personal data is limited, and is either undertaken to facilitate personal data protection or is designed in a manner to enable the materialization of regulations concerning domains that are distinct from data privacy.
While the general practice concerning data protection internationally doesn’t seem to reflect regulation of personal and non-personal data through a single legislation, the 2021 Bill comes as a novel regulatory mechanism. The 2021 Bill regulates non-personal data in a limited form, and does not impose stringent restrictions on processing such data.
The regulations concerning non-personal data have not been legislated entirely, and the substantive regulations of the 2021 Bill concerning personal data have been kept intact, without application of such regulations to non-personal data. While such exclusion potentially represents the active choice of JPC to refrain from regulating personal and non-personal data with equal rigor, the regulatory grip of the 2021 Bill on non-personal data cannot be ascertained unless the 2021 Bill includes substantive provisions regulating non-personal data.
The way forward
As is evident from internationally accepted practices and JPC’s intended regulatory design concerning non-personal data, the regulation of such data is supposed to be carried out in a limited manner, to ensure that India’s economic advancement is not compromised by the magnitude of compliances.
Further, as non-personal data protection is not aimed at precluding the breach of right to privacy, the legislature should acknowledge the significance of data as an asset. Consequently, the provisions regulating non-personal data in the 2021 Bill should be directed towards striking a balance between economic development and data protection, in alignment with internationally accepted regulatory design concerning non-personal data.
Hopefully, this issue will be addressed in some detail in the new bill, that fits into the “comprehensive legal framework”, likely to be introduced in the Winter Session of Parliament.
Gaurav G Arora, Partner, JSA
Aditi Richa Tiwari, Student of Law