wordpress blog stats
Connect with us

Hi, what are you looking for?

Expert committee supports having a separate non-personal data regulator: Report

The panel of experts and the IT Ministry appear to take different sides on the issue.

A national non-personal data protection (NPD) authority must be established by the Indian government according to a recommendation by a committee led by Infosys co-founder Kris Gopalakrishnan, Economic Times reported. The recommendation has been made in the draft Bill and the final report submitted to the Ministry of Electronics and Information Technology (MeitY) two months ago, the report added.

The final report also classifies companies that control high amounts of data as “data businesses” and explains what constitutes a “high value data” set; the government or other companies will be able to access these data sets at a price decided by the market forces, as per ET.

The expert committee had come out with a draft in July 2020, and released a revised version on which it invited comments from stakeholders in December 2020. The final report takes into account all the feedback received by the expert committee. The committee’s job was to study use cases of NPD and prescribe a regulatory structure for NPD in the country.

NPD can be defined as data without any Personally Identifiable Information such as:

  • Data not related to individuals/national persons (weather, from industrial sensors, from public infrastructure).
  • Data that has been anonymised or aggregated so that individual data is not identifiable.

An authority on NPD is crucial in implementing the law laid down by the government, however, it is likely that a separate authority for NPD will clash with the authority envisaged in the draft bill for personal data. 

Concerns around the regulatory body

The Indian government has not yet released the copy of the report or acknowledged its receipt publicly so it is difficult to comment on what is the scope of the authority.  

Advertisement. Scroll to continue reading.

Need for regulation not established: Alok Prasanna Kumar, co-founder and lead, Vidhi Centre for Legal Policy Karnataka, in MediaNama’s discussion on the revised report on a Non-Personal Data Governance Framework, was not convinced if the state “should be involved as a regulator yet”. “The concerns (around NPD) raised are valid, it’s just that they don’t necessarily lead to the conclusion that we need a non-personal data authority, or rather, that we need regulation, which will necessarily help us for sovereignty,” Kumar said. 

Conflict with other bodies: Kumar said that the proposed Non-Personal Data authority could be in conflict with other institutions. “One is the proposed Data Protection Authority under the PDP bill. Another is the Competition Commission of India, and the third is the Central Information Commission. A lot of the data that we’re talking about might be sitting with government agencies and it might be possible to get some of this data by filing an RTI application,” Kumar said.

MoS IT bats for a single regulator: “We should not have a proliferation of regulators—a personal data regulator and a non-personal data regulator. There are some businesses that enjoy this kind of arbitrage opportunity that is represented by multiple regulators. I will have no problem if there is a convergence of regulatory entities or institutions for the entire data economy,” said Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, at CyFy 2021 in a session on regulation of the digital ecosystem in India.

It remains to be seen whether these lacunae have been addressed in the final report. 

Understanding the NPD authority

The committee recommended that the focus of the regulatory body for governing Non Personal Data, should be on “unlocking value in non-personal data for India.”

“Unlike CCI”, the committee report says, the Non Personal Data Authority “will be a proactive actor providing early and continued support for Indian digital industry and startups, and ensuring that necessary data is available for the community.”

Advertisement. Scroll to continue reading.

Here are some of the committee’s recommendations regarding the NPDA:

  • Industry Participation: It must be created with industry participation.
  • Regulatory harmonisation: It should be harmonised with other bodies (DPA, CCI etc)
  • Functions: The NPDA will create,
    • An Enforcing framework for:
      1. Establishing the rights of India and its communities over NPD
      2. Address privacy, reidentification of anonymised personal data and prevent misuse of and harms from data
      3. Adjudicate only when a data custodian refuses to share data with data trustee
    • An Enabling framework for:
      1. Unlocking economic benefit from NPD for India and communities
      2. Create a data sharing framework
      3. Manage meta-data directory of data businesses in India
  • Sectoral regulators can build additional data regulations over those developed by the NPDA

MediaNama’s take: Giving a regulator competing goals (unlocking economic benefit from data versus consumer protection – addressing privacy and misuse harms) is a bad idea, and will create complications when the regulator has to balance the risk of privacy and misuse harms when it comes to enabling access to certain datasets.

It will only be clear whether the committee has accounted for these issues once the government releases the final report to the public.

Also read:

Have something to add? Post your comment and gift someone a MediaNama subscription.

Written By

I cover several beats such as crypto, telecom, and OTT at MediaNama. I will be loitering at my local theatre and consuming movies by the dozen when I am off work.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ