On December 16, 2020, the Indian Ministry of Electronics and Information Technology (MeitY) Committee of Experts (the “Committee”) published a revised report on the Non-Personal Data Governance Framework (the “NPDF”) for India (the “NPDF”). Revised Committee Report “).
As previously reported, the committee released the first version of the NPDF for public consultation in July 2020. One of the goals of the NPDF is to create a framework to unlock the economic, social and public value of using data. Creating incentives for innovation and new products, services and startups in India; and addressing privacy concerns, including re-identifying anonymized data.
The committee received over 1,500 responses to the consultation and based on this feedback has made several changes to the NPDF. Hunton Andrews Kurth’s Center for Information Policy Leadership responded to this request for feedback in September 2020.
Key takeaways from the revised committee report include:
- Interaction with the proposed personal data protection bill: The revised committee report includes a section on the interface between the NPDF and the Personal Data Protection Act 2019 (the “PDPB”). It is confirmed that the NPDF applies to all data that are not personal data within the scope of the PDPB or that do not contain personal data. It is also clarified that mixed data sets, which are inextricably linked with personal and non-personal data, are regulated by the PDPB.
- Treatment of newly identified data: The revised committee report states that non-personal data will continue to be regulated by the NPDF as long as it is non-personal data. If the persons whose data form the anonymized data set are identified again (e.g.Due to the failure of anonymization technologies, the link with other information or other means of conscious re-identification, the data falls under the responsibility of the PDPB.
- Consent to anonymize data: The Committee’s revised report clarifies the need for data collectors to allow individuals to opt out of anonymizing their data. The opt-out works prospectively and does not affect the anonymization that was carried out before the opt-out.
- Importance of a “data business”: The revised committee report explains the parameters that can be taken into account in determining the thresholds an organization would need to meet to qualify as a “data business”. This includes gross sales, the number of consumers, households or devices, and the percentage of sales from customer information. The report also suggests that the thresholds should be aligned with the thresholds for classifying a data trustee as a “significant data trustee” under the PDPB.
- Mandatory requirements for data exchange: The revised committee report revises the scope of the requirement that organizations share anonymized records. According to the revised framework, such records may only need to be released for non-profit purposes (e.For example, policy making, public service improvement, public program, infrastructure development and support for a wide range of societal goals including science, health, urban planning, etc.). What is important is that the original requirement to share data with other companies for commercial purposes has been effectively removed. The revised framework states that for business data exchange (ie between two or more for-profit companies), such data exchange already exists and the Committee therefore does not make recommendations regarding such exchange.
The committee accepts comments on the revised NPDF until January 31, 2021.