India: Proposed Data Regulation Overhaul Includes New Draft Rules for Processing Non-Personal Data

β€˜Non-personal data’ has been defined in the Report as any data that is not personal data[4], or is without any personally identifiable information. This includes personal data that has been anonymized[5] and aggregated data in which individual specific events are no longer identifiable, apart from data that was never personally identifiable. The Report classifies non-personal data into:Public non-personal data: collected or generated by government agencies and in execution of all publicly funded works;Private non-personal data: collected by entities or persons other than the Government and includes derived or observed data collected through private efforts, through use of algorithms or proprietary knowledge; andCommunity non-personal data that relates to any group of people that are bound by common interests and purposes, and involved in social and/or economic interactions (Community), including information collected by ride-hailing platforms, electricity units, municipal corporations, telecommunication companies and e-Commerce entities.The Report contemplates three broad purposes for data sharing:a) Non-personal data shared for sovereign purposes may be used by the Government, regulators and law enforcement authorities, inter alia, for cyber security, crime and investigation, public health and in sectoral developments.b) Non-personal data shared for core public interest purposes may be used for general and community use, research and innovation, delivery of public services, policy development etc.c) Non-personal data shared for economic purposes may be used by business entities for research, innovation and doing business. It may also be leveraged as training data for AI/ML systems.This contribution will set out the general background of data related regulatory efforts in India (1), and then it will look closely to the proposed rules for processing non-personal data: (2) its definition and classification, (3) the data localization requirement for sensitive and critical non-personal data, (4) guidance on anonymization, and (5) proposed data sharing obligations for organizations.

Metadata
Provider: 
Future of Privacy ForumFuture of Privacy Forum
URL: 
https://fpf.org/2020/08/07/india-proposed-data-regulation-overhaul-includes-new-draft-rules-for-processing-non-personal-data/https://fpf.org/2020/08/07/india-proposed-data-regulation-overhaul-includes-new-draft-rules-for-processing-non-personal-data/
Retrieved on: 
Friday, August 7, 2020
Information
Tags: 
Data security, Anonymity, Information privacy, Data protection, Information, Privacy, Data management, Data re-identification, Data anonymization, Personal data, Personal, Inc., Pseudonymization
Summary
Key Points: 
  • β€˜Non-personal data’ has been defined in the Report as any data that is not personal data[4], or is without any personally identifiable information. This includes personal data that has been anonymized[5] and aggregated data in which individual specific events are no longer identifiable, apart from data that was never personally identifiable. The Report classifies non-personal data into:
    • Public non-personal data: collected or generated by government agencies and in execution of all publicly funded works;
    • Private non-personal data: collected by entities or persons other than the Government and includes derived or observed data collected through private efforts, through use of algorithms or proprietary knowledge; and
    • Community non-personal data that relates to any group of people that are bound by common interests and purposes, and involved in social and/or economic interactions (Community), including information collected by ride-hailing platforms, electricity units, municipal corporations, telecommunication companies and e-Commerce entities.
  • The Report contemplates three broad purposes for data sharing:
    1. a) Non-personal data shared for sovereign purposes may be used by the Government, regulators and law enforcement authorities, inter alia, for cyber security, crime and investigation, public health and in sectoral developments.
    2. b) Non-personal data shared for core public interest purposes may be used for general and community use, research and innovation, delivery of public services, policy development etc.
    3. c) Non-personal data shared for economic purposes may be used by business entities for research, innovation and doing business. It may also be leveraged as training data for AI/ML systems.
    • This contribution will set out the general background of data related regulatory efforts in India (1), and then it will look closely to the proposed rules for processing non-personal data: (2) its definition and classification, (3) the data localization requirement for sensitive and critical non-personal data, (4) guidance on anonymization, and (5) proposed data sharing obligations for organizations.
    • The government recognizes the need for a data governance framework to act as a catalyst for the growth of data economy in India.
    • It also makes a clarion call for a comprehensive non-personal data regulation in India, to complement the future law dedicated to personal data.
    • The Report recognizes natural persons, entities and communities to whom non-personal data (prior to anonymization or aggregation) relates as data principals and entities which undertake collection, storage and processing of non-personal data as data custodians.
    • Private non-personal data is, thus, categorized into sensitive non-personal data and critical non-personal data.
    • Sensitive personal data[6] and critical personal data[7] which have been anonymized will be considered to be sensitive non-personal data and critical non-personal data respectively.
    • The Report recommends localization of sensitive non-personal data and critical non-personal data, in line with the requirements applicable to localization[8] of sensitive personal data and critical personal data under the PDP Bill.
    • 5) Data sharing and registration obligations The Report recognizes data businesses as a horizontal category of businesses involved in data collection and processing.
    • It also includes guiding principles for a technology architecture to digitally implement rules for data sharing, ranging from mechanisms for accessing data through data trusts, standardized data exchange processes, techniques to prevent re-identification of anonymized information and distributed storage for data security.
    • The PDP Bill may also be relevant in setting context for the forthcoming non-personal data framework, given the ability of the Government to solicit non-personal and anonymized personal data.
    • Copyright: 
    2020 Future of Privacy Forum. All Rights Reserved.