wordpress blog stats
Connect with us

Hi, what are you looking for?

Data businesses want Union government to wait for PDP bill before rolling out non-personal data framework: EY-IAMAI Report

There seems to be no consensus on whether the NPDG framework should be a part of the PDP Bill or a separate legislation.

non personal data

Many data businesses “have mixed opinions with respect to the need for a separate Non-Personal Data Governance framework (NPDG),” according to a report released by EY and the Internet and Mobile Association of India (IAMAI). The mixed reaction reveals that there is no consensus on whether the NPDG framework should be a part of the PDP Bill or separate legislation, as per the report, a copy of which was reviewed by Medianama. The report made it clear, however, that the PDP Bill (Personal Data Protection) must be implemented first before the government deals with the NPDG framework.

The consultations undertaken during the drafting of the report put forth that jurisdictions of personal data and non-personal data regulation must be outlined to avoid categorising all non-personal data as public resources.

“The committee report makes no distinction between non-personal data (NPD) with data principal and non-personal data without data principal,” read the report.

The report is an important yardstick in gauging the response of stakeholders who will be impacted by a regulatory framework on NPD. It gives an inkling as to what the reaction to the final report on NPD is likely to be when it is released to the public.

Should the Indian government wait for the Personal Data Protection Bill before rolling out the Non Personal Data framework? Leave a comment.

Key takeaways from the EY-IAMAI report

A survey was done by EY with stakeholders in sectors such as e-commerce, technology, fintech & payments, entertainment, gaming, data Repositories, edutech, among others for the report. It also held interviews with corporate lawyers, data-intensive businesses, academicians, think-tanks, research firms, and a competition law expert.

Advertisement. Scroll to continue reading.

A panel discussion was also held around the launch of the report dealing with key aspects of the report and the sentiment around NPD regulation in the industry at large.

Here is a summary of the observations recorded in the 60-page report juxtaposed with comments from the panel discussion:

Data sharing mechanism

The authors write that the mechanism proposed for data sharing must be spelled out and consider the following factors:

  • Purpose of data sharing: The report calls for precision in the purpose of sharing data. It also says that stakeholders want clarity on the definition of terms “public good and sovereign purposes”. Nikhil Narendran, Partner, Trilegal, was wary of the thin line of difference between personal data and non-personal data and revealed that the industry has also confided in him about the same. The report also affirms Nikhil’s thoughts as stakeholders told EY that concepts such as “harm” and “public interest” have not been detailed in the report, and therefore, remain ambiguous and challenging to account for, while implementing the data sharing framework. The open-endedness of “public good purpose” was concerning to many. Many experts held that the arena of public good should not be so broad that it impedes market access and right to business.
  • Measuring trade-offs: A detailed cost-benefit analysis of social benefits emerged as a requirement among stakeholders before the legislation on non-personal data is formalized. Many stakeholders believe that harnessing the available public data on the Open Governance Data (OGD) platform is likely to generate significant social benefits and suggest that the NPDG framework may not be the only solution. It was also pointed out that the NPDG framework may add to the financial burden of start-ups. Shivangi Nadkarni, CEO & Co-Founder, Arrka, said that data is generated by smart devices, websites, apps, digital property, etc. and they are not just personal but non-personal. “It’s very difficult to draw a line between the two because they’re welded together.
  • Responsibilities of a data fiduciary and trustees: The research for the report revealed that stakeholders in general believed that entrusting non-government bodies with high-value datasets will risk data spillovers among competitors causing irreversible damage to companies. Some of the people interviewed said that it was not necessary to have a data trustee to overlook every data exchange or maintain datasets. Forty percent of the respondents indicated they would be uncomfortable to share data with the data trustee. The survey cited by the report found that stakeholders believe that the Non-Personal Data Authority (NPDA) must take over a regulatory role and focus less on administrative functions. Nearly 63.16% said that they expect the NDPA to address issues where personal harm may be caused and 52.63 percent said that they want the body to enable unlocking of economic value of non-personal data through data sharing mechanisms. MN Srinivasu, Co-Founder, Billdesk, explains: “There are a whole set of companies which have built business primarily on payments becoming free with a view to monetizing data over the last decade. I would assume companies in that space would be very apprehensive of this (NPD) because they made something free to benefit from something else. Regulation might upset the economics in that space.”
  • Anonymisation: The report said that there are interpretation issues involved with the term “anonymization” and how they could lead to jurisdictional conflicts when the framework is implemented. The businesses participating in the survey have emphasised the need for a standard anonymization process that may be practiced by all data businesses. MN Srinivasu said during the panel discussion: “I suspect those who have the ability to process and manage data will be the ones most apprehensive because they can understand the complexity of what is being sought from here.” Richa Hukumchand, Chief Innovation Officer, Pixxel, said that anonymisation is important from a protection perspective but also for an innovator because information is not useful if it is not standardized. “It’s crucial for us to standardize so that it could be formed and utilized by building further intelligence on top of it.”
  • Data localisation: The report was non-committal on data localisation as some justified the push towards localisation of non-personal data while others questioned it. Data intensive businesses, the report says, believes that some of the recommendations of the expert committee are theoretical and do not have practical visibility. It also expressed concern that there may be “scope for conflict of interest on the part of data trustees”, and recommended that the “jurisdiction of the NPDA could be outlined in order to ensure synergy between regulation of non-personal data and personal data”.

Understanding the impact on business

The government’s expert committee has discussed regulation of non-personal data in the private sector but only few private players, however, believed that it should apply to the private sector exclusively. It also said that there is still some apprehension regarding mandatory private-to-private entity sharing of data.

There is an opinion among experts that the specific use of public good must be studied closely, as per the report. Forty-seven percent of the respondents felt that a mandated dat-sharing framework would hamper their company’s quality of services while 29 percent were of the opposite opinion.

“…mere access to data would be unlikely to create a level playing field for smaller firms,” the report writes.

 The report’s authors write that the NPDG framework might have consequences on businesses that have commercially sensitive information. Three-quarters of businesses interviewed for the report said that they believe the framework might hamper their growth prospects. The survey conducted for the report of businesses found that about a third of the respondents felt that the NPDG framework would disincentivize firms from expanding their operations in India.

Overlap in legal framework

The findings suggest that the revised report on NPD by the committee of experts does not address issues such as synchronisation with existing laws to ensure that there is no jurisdictional conflict. It also said that a jurisdictional conflict may lead to issues between the Centre and states with respect to regulation of non-personal data based on the Seventh Schedule of the Indian constitution.

Advertisement. Scroll to continue reading.

“Legal experts are of the opinion that India need not necessarily be the flag-bearer of an NPDG framework since there is no precedent based on which such a framework may be formulated.” the report stated.

Nikhil Narendran said that it was important to note that the aspects related to data sharing are different from data protection.“It looks like NPD will probably be clubbed into the Personal Data Protection Act unfortunately. I believe that the incentives are not aligned, and a personal data protection regulator will not be the right entity to govern aspects relating to NPD,” Nikhil Narendran said in response to a moderator question.

What does the report outline for consideration?

The report, in its conclusion, recommended that the lawmakers consider the following issues before drafting the NPDG framework:

  • It highlights that compliance of National Data Sharing and Accessibility Policy by public authorities is critical to unlock the full potential of OGD.
  • The implementation of NPDG framework depends on clarifying key terms and concepts such as ‘harm’, ‘public good’, ‘sovereign purpose’, and, ‘public interest’ while also ensuring alignment and consistency across the PDP Bill and the NPDG framework especially considering that ‘critical personal data’ imposes externalities on non-personal data.
  • The report calls for clearing up the role of risk and impact assessment process in the context of proportionality, transparency and accountability is essential for all stakeholders, namely, data businesses, data trustees and data recipients.
  • The document argues that data trustees may emerge as tools of vested interest. It calls for a pilot in select sectors to ascertain challenges in implementation as well as better assessment of value creation, accretion and distribution.
  • It finally suggests that non-personal data with nexus to a data principal and non- personal data without such a nexus to a particular data principal rather than simply taking away the agency of an individual and vesting the same with a ‘community’ and allowing the state to assert a sovereign right on the same.

Where do things stand with the NPD legislation?

A national non-personal data protection (NPD) authority was recommended by the expert committee led by Infosys co-founder Kris Gopalakrishnan, as per an Economic Times report recently. The final report was submitted to the Ministry of Electronics and Information Technology (MeitY) two months ago, the report said. The government has not released the submission to the public.

The expert committee had come out with a draft in July 2020, and released a revised version in December 2020 in which it invited comments from stakeholders. The final report takes into account all the feedback received by the expert committee. The EY-IAMAI’s report is based on the expert committee’s revised report released in December last year.

There are also indications that the government might be inclined to incorporate provisions on NPD in the PDP Bill itself which is slated to be introduced in the first week of the winter session of Parliament.

Update, November 19, 2021: The report was edited with more details from the EY-IAMAI report.

Also read:

Advertisement. Scroll to continue reading.

Written By

I cover several beats such as crypto, telecom, and OTT at MediaNama. I will be loitering at my local theatre and consuming movies by the dozen when I am off work.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ