The Prayas ePathshala

Exams आसान है !

26 September 2024 – The Indian Express

Facebook
LinkedIn
WhatsApp

Information & Data Sharing Regulations in India

  • It is impossible to overstate how crucial digitization is to India’s ambition of building an economy worth USD 5 trillion. A NASSCOM analysis estimates that by 2025, data and artificial intelligence (AI) might boost India’s GDP by between USD 450 to $500 billion.
  • Nonetheless, a large amount of citizen data is being generated as a result of the government’s quick digitization of its operations. Usually, this data is divided into two categories: non-personal data (NPD), which does not include personal information, and personal data (personal), which includes information that can be used to identify specific individuals.
  • Applying AI and high-value advanced analytics to NPD in important economic areas can aid in the prediction of socially and economically sound results. The capacity of infrastructure and citizen use patterns, employment trends, transportation and housing patterns, weather and disaster forecasts, and infrastructure capacity are just a few of the junctures where such data-driven insights can better guide government and public services.

Non-personal data: What is it?  

  • Non-personal data is any type of data that is not considered personal. When it comes to its source, non-personal data can be information that has never been linked to a living person (like weather or supply chain data) or information that was once personal but has been anonymized (by using specific methods to make sure the people to whom the information relates cannot be identified).

Categories:   

  • Public Non-Personal Data: Information gathered or created by the government while working on projects with public funding. Public non-personal data includes, for instance, anonymized land records or automobile registration information.
  • Community Non-Personal Data: Facts or raw data, gathered from a group of real people, without any kind of processing. For instance, datasets gathered by public electricity utilities or municipal organisations.
  • Private Non-Personal Data: Information gathered or produced by private organisations using their own procedures (proprietary information, algorithms, or insights).
  • The majority of citizen data that the government collects is called NPD, and it has the ability to be used for “public good.” Integration of NPD in the delivery of public services is widely supported as a means of fostering synergies and developing scalable solutions.
  • To address the issue of restricted data access within India’s AI ecosystem, the National Strategy for Artificial Intelligence, for example, considers requiring firms to share aggregated data and making some types of government data available for the “public good.”
  • In other places, the 2018–2019 Economic Survey of India compared data to a natural resource and said that, after being anonymized, personal information becomes a “public good” that has to be used for the sake of the public.
  • The National Data Governance Framework Policy (NPD Framework), which was hailed as the first component of the digital architecture being developed to maximise data-driven governance, was subsequently released by the Ministry of Electronics and Information Technology (MeiTY).
  • Additionally, it suggests creating the “India Data Management Office (IDMO)” under the Digital India Corporation, whose duties include creating, overseeing, and routinely evaluating and updating the policy.

What Kinds of Concerns Are There About Non-Personal Data?  

  • Non-personal data is more likely to be in an anonymized form than personal data, which typically contains explicit information about an individual’s name, age, gender, sexual orientation, fingerprints, and other genetic features.
  • Even when given in anonymized form, some categories of data, such as those pertaining to national security or strategic interests, including the locations of government laboratories or research centres, might nonetheless be dangerous.
  • Similar to this, even if the data is anonymous and pertains to the health of a community or group of communities, it may still be hazardous.
  • Regulating NPD, unfortunately, is glaringly absent, unlike Personal Data. To yet, the executive level has not put as much work into creating governance policies for the same.
  • The importance of successfully regulating non-personal data in India in a manner similar to that of personal data was emphasised in the “Report by the Committee of Experts on Non-Personal Data Governance Framework,” which exposed the absence of effective regulation.
  • The tasks of each stakeholder, including the data principal, data custodian, and data trustees, must be explicitly defined in the final draft of the non-personal data governance framework, according to experts.
  • Significant concerns have been raised by a government committee led by Kris Gopalakrishnan, the co-founder of Infosys, which proposed in 2020 to allow various domestic enterprises and institutions to utilise non-personal data created in the nation.
  • Big tech corporations will be disproportionately favoured by the data sets. Large tech corporations are the only ones with the resources and infrastructure needed to produce such massive amounts of data. It will be challenging for others to match these IT giants’ skills.
  • A firm distinction is untenable due to the reality of mixed datasets and the unavoidable overlap between the two.
  • Similar to how the General Data Protection Regulation (GDPR) is used in Europe, the text of the Digital Personal Data Protection (DPDP) Act, 2023 suggests that mixed datasets may be covered by personal data protection laws.
  • While it is conceivable for data to be both non-human and non-personal, this distinction becomes hazy when the data comes from a specific person, particularly in light of the difficulties associated with anonymization.
  • Given the required data sharing envisioned in the DPDP Act 2023, it is troubling that this issue appears to be disregarded in the proposed legal framework, even though it is a source of controversy within the GDPR framework.
  • The DPDP Act of 2023 and the NPD Framework do not establish an enforceable framework for NPD in India. Because to this, enormous repositories of NPD remain uncontrolled and are only partially supported by guidelines for its exchange, use, and distribution.
  • Such disjointed accumulation leads to less-than-ideal policy and legal judgements, as well as less-than-ideal sectoral and national policies.
  • The unrestricted exchange of non-personal data (NPD) across government agencies, private entities, and individuals may expose certain parts of NPD to privacy violations. Big Tech and other actors with capability may unfairly profit from this.
  • Inadequate examination of significant public trends may lead to poor decision-making. The inefficiency of this data interchange lies in its inability to fully unleash the potential of multidisciplinary policy and legislation formulation.
  • The NPD Framework’s problems:  
  • Despite being a groundbreaking step, the NPD Framework has a number of shortcomings. It lays out broad, abstract goals and ideals for NPD governance, but it doesn’t provide any concrete, doable advice on how to get there.
  • Legislation is anticipated, but practical operationalization is disregarded, leaving open questions about the rights and responsibilities of stakeholders across several sectors.
  • Furthermore, there is no discussion of suitable legal frameworks for data exchange or methods for data pricing. These issues are made worse by the lack of uniform governance instruments.

What Steps Must Be Taken in Order to Use NFD Effectively?  

  • To close the current deficiencies, a critical assessment of the NPD Framework will be helpful. This will support MeiTY’s efforts to control NPD and assist in establishing data exchanges as appropriate channels for achieving cross-sector NPD interoperability.
  • A significant portion of public-welfare services can be digitalized and automated by developing a regulatory framework for data transfers in India. This lessens the administrative load, promotes inter-sectoral integration, strengthens the protections for the use and sharing of NPD, and increases the participatory aspect of the digitization of civic operations.
  • Data exchanges are scalable ecosystems that energise many participants. This helps businesses attain economies of scale and gives them a fertile field for implementing advanced analytics for outcome-oriented decision making.
  • Telangana has built an agriculture data exchange in India, while the India Urban Data Exchange was founded by the Ministry of Housing & Urban Affairs in collaboration with the Indian Institute of Science.
  • In order to put some elements of the National Geospatial Policy into practice, the Department of Science & Technology also intends to build up data exchanges.
  • Creating a framework for data exchange structure regulation in India is crucial given the increasing interest in these systems. This review will assist MeiTY and other organisations in their efforts to regulate Non-Personal Data (NPD) in India and will be in line with international talks on data exchange regulations.
  • The European Union (EU) proposed in 2019 a regulatory framework for the free movement of non-personal data within the EU, implying that data exchange among union members would be collaborative.
  • The EU had subsequently declared that member states would be free to share such data and that they would have to notify the “commission of any draft act which introduces a new data localization requirement or makes modifications to an existing data localization requirement.”
  • Suggestions from the Expert Committee:  
  • The report was submitted in July 2020 by the Expert Committee that the MeiTY had established to look at a number of issues pertaining to non-personal data.  The Committee suggested the following actions:
  • Creating Roles in the NPD Governance Framework: The entity to which the non-personal data pertains is known as the data principal. This entity could be a person, a group of people, or a business. Data trustees are representative entities that allow data principals to exercise rights over their data.
  • The Committee suggested creating a new company category in the nation called “data business.”  Organisations (including governmental bodies) that gather, handle, or retain data in excess of a regulatoryly defined level will be categorised as data enterprises.
  • This regulatory body will be created to implement the governance framework for non-personal data. It will be made up of professionals in domains including technology and data governance.
  • The Authority will be in charge of establishing policies on the hazards connected to non-personal data and data sharing.
  • Any entity may submit a request for data sharing if it has the following reasons: (i) a sovereign purpose (like national security or legal obligations); (ii) a public interest purpose (like creating policies or improving service delivery); or (iii) an economic purpose (like levelling the playing field or receiving payment).
  • The Committee suggested that requests for public, communal, or private data—limited to unprocessed, factual information gathered by a private organization—be made without charge.
  • According to the Committee, a community has rights to non-personal data. A community is defined as any collection of individuals who interact socially or economically and who are united by shared goals and interests.
  • The community may consist of physical members or be fully virtual.
  • A public or commercial organisation that collects, stores, processes, and uses data is known as a data custodian. It will be the data custodian’s responsibility to minimise harm to the affected community.
  • A business that handles non-personal data on behalf of a data custodian is known as a data processor. Under the approach, data processors will not be regarded as data custodians.
  • NPD is a promising “public good” that might improve public services, but because it is uncontrolled, there are hazards associated with it, such as de-anonymization and unfair benefits for some businesses. Due to the lack of operational clarity and enforceability in the present governance system, which includes the National Data Governance system Policy, NPD is mostly unregulated, which limits its potential benefits.
  • A thorough legislative framework for data exchanges is necessary to address these issues and fully utilise NPD. India can improve the digitization of public-welfare tasks by creating a framework for regulating data flows.

Select Course