“If there are two different authorities, that is one for the personal data and other for non-personal data, then there is every likelihood of confusion, turf wars and ultimately the data principals suffering; if there is a breach or if there is a complaint who to go to,” said MP Amar Patnaik, member of the Joint Parliamentary Committee on the Personal Data Protection Bill 2019, in an exclusive interview with MediaNama’s Editor Nikhil Pahwa.
The interview served as the keynote address at MediaNama’s event on ‘Regulating Non-Personal Data’ held on February 18, 2022. This event was organised with support from Google, PhonePe, Amazon, Meta, and Microsoft. To support future MediaNama discussions, please let us know here.
Here’s a transcript of the interview that provides key insights and recommendations from Dr. Patnaik on how the government should deal with non-personal data.
Nikhil Pahwa: What was the thinking of the committee that led the bill to expand its coverage to non-personal data?
Dr. Amar Patnaik: Yeah so if you look at the report which was submitted by the committee then you would find that it is mentioned why the unanimous decision in the committee was, initially there were discussions hovering around the need for doing it and whether it is possible to do it, but then there was almost an anonymity as to what should be done with the non-personal data and this is mentioned in that report as to why non-personal data has also been included in this bill and the bill’s definition has been changed from Personal Data Protection Bill to a Data Protection Bill meaning thereby that both personal and non-personal data shall be regulated by this particular bill or the act when it gets passed in the parliament.
The main reason for this, again it is mentioned in the report, is the fact that it is very difficult to distinguish between personal and non-personal data in tight jackets all through the process of collection of data, its future – even storage is possible- but once it starts getting processed and data getting used for various use cases, it is very difficult to separate both these two, compartmentalize and use them separately.
“There is a possibility and that happens all the time that no data packet is completely – no, I think majority of the data packets are not completely only personal data, of data principals, or only have non-personal data. It could happen that it is mostly the case when they are joined together in a mixed data packet.” — Dr. Patnaik
Having said so it is also a fact that non-personal data can get generated without using personal data and completely standing on its own for various services or various modeling that can give benefits to citizens. But the basic idea was that once non-personal data, at any stage, can get re-identified to the data principals then it falls under the ambit of the personal data.
The data while getting processed at different stages, goes through a number of iterations and re-iterations so the best way that was thought was that let there be one data protection authority who is responsible for the data principal. Let there be two verticals separately for personal data and non-personal data following different regulations, but a single data protection authority to give trust and confidence to the data principle that whether it is personal data or non-personal data if his personal data is breached, and the rigours of the Personal Data Protection Bill has to kick in then we are there for you.
That is one then the second thing you have to understand that there are several sectoral regulators who are also independently collecting data and processing them, many of which would be personal and again non-personal. Already there is complexity built in that in which case the data protection authority needs to have an MOU. (Memorandum of Understanding) You imagine a situation where there was another authority again, non-personal data who would also be signing MoUs with these sectoral regulators, the entire ecosystem becomes very complex and very difficult from the data principals point of view.
So, we thought that a kind of centralized authority where the data principal can approach in case the data is breached or in case there is any right that he wants to establish, then it will be — and that is why we have tried to take both these aspects, both the non-personal and personal data under the umbrella of one legislation- having provided the entire regulation relating to non-personal data currently being almost not there because the government has not yet formulated a principle on basis of which it has to be regulated.
Currently, it is discussing the Kris Gopalakrishnan Committee report, and therefore the guidelines of how to regulate non-personal data- I’m in favor of a light-touch regulation- has not emerged. Once that emerges, then it would also be a codified part of this legislation and in case there are incongruities or discordance between these two, then it will get revealed in the same act itself and so it can be taken care of at the same time. Ultimately, you will have one great data protection regulation, just as the EU. EU has only one single data protection regulation, and many countries do have. So, that is the thought that went behind the recommendation that has been made in the JPC.
Nikhil Pahwa: Essentially the bill gives legal sanction to non-personal data regulation- but a school of thinking is that NPD is intellectual property (IP) and that is already covered by IP laws. Was not legislating on it also considered because even if there is re-identification or layering or there is harm, the Personal Data Protection Bill would have anyway covered those situations?
Dr. Amar Patnaik: No, but the point is even in the report, on the non-personal data that we are discussing, there are three categories of data that they have mentioned and these categories, in some sense are also protecting the data principals right over his own non-personal data, besides community data and other kinds of data. So there could have been a non-personal data protection authority without legislation, as you were saying, but it would be as good or as bad as the self-regulating authority without any powers to give relief, to the data principals, or to the community, in case of any complaint.
Unless you have a legislation, you cannot give powers and therefore, by keeping the non-personal data under this bill, all that would happen is that the supposed that non-personal data protection authority, if it becomes a vertical, would actually be empowered to protect the equity of the data principals, which is the essence in the data as an asset, which is the essence of the report on non-personal data.
“I think we’d get better protected by having them under one legislation. Your question relating to intellectual property, intellectual property is anyway protected, even under the Personal Data Protection Bill, as long as it is not really identifiable completely to the data principal.” — Dr. Patnaik
There could however be, as you were saying, there could be conflict, there could be areas, but having completely non-legislative ecosystem for non-personal data would not have actually helped it because you think ultimately, it is data of the data principal and the rest of all data fiduciaries who are custodians of data, and therefore to –
Nikhil Pahwa: Sorry to interrupt sir, that’s not necessarily true, right because you also have, for example weather data, which is non-personal data that’s still coming under this particular regulation. So an entity that is perhaps putting in the infrastructure to collect weather data, which is its intellectual property, would also be then governed under this entire mechanism that you’re following.
Dr. Amar Patnaik: No, no even in the PDP bill, there is one particular provision which is beyond the rigors of consent, and that is relating to disaster management and public policies. So, whether data would be considered as a part of disaster management and it will be used for the society and therefore it doesn’t require any kind of consent. So, it is already there.
Nikhil Pahwa: Sir, I was using that as an example but there are other forms of non-personal data that might be collected by a company that are not pertaining to an individual.
Dr. Amar Patnaik: You are right. But if there is any data which is non-personal, which is non-personal data in the way this definition given is anything that is not personal is non-personal so, that would anyway not be covered under the PDP portion of the DP bill. Now there will be two separate sections, two separate broad chapters in the Data Protection Bill, one for personal data, the other for non-personal data. So I don’t think any kind of non-personal data would have this same amount of rigor as a personal data, so it will be very soft.
So, we are waiting for the government. But then the big question is, this is what the committee has recommended, this is what the committee has recommended in the bill and in the report, when it gets discussed in both the Houses of Parliament there could be more changes, the government itself may not even agree to that and may think in terms of having two separate authorities. So let us wait, what happens.
Nikhil Pahwa: Did the committee discuss where such an inclusion of non-personal data would leave the Kris Gopalakrishnan committee’s report? It is also recommending a framework for non-personal data to be regulated like a profitable asset.
Dr. Amar Patnaik: I just mentioned, the Kris Gopalakrishnan Committee report on non-personal data was not discussed in threadbare clause by clause or paragraph by paragraph as we did for the PDP bill, but the overall narrative and the recommendations was known to all the members number one. Number two, yes we are fully aware of the fact and I did mention that that here in this case, the non-personal data Kris Gopalakrishnan Committee report and very rightly, I completely agree that data is treated as an asset, it’s an economic asset, its value should be locked, in fact you just in the name of celebrating informational privacy of citizens, you can’t kill the benefits that can flow to these people from rightful use of this data by making the non-personal data, by using appropriate anonymization as inputs and making them anonymized.
“But the point is that I really don’t think that by putting this bill in the parliament, together with the non-personal data under one umbrella, the Kris Gopalakrishnan Committee report is being pushed under the carpet or pushed to the wall, pushed behind doors.” — Dr. Patnaik
No, not at all because the government will now have to discuss the Kris Gopalakrishnan Committee report and frame legislation rules and that would probably come in as an amendment to the DPB.
That is what our thinking is. As I said, during the time of discussion, the government may choose to move ahead separately, not accepting our logic, but then our logic has been that if you have both under one umbrella, the maximum optimization of protecting privacy and promoting digital economy, which is also in the objective of the PDP bill would actually get fructified.
Nikhil Pahwa: What sort of research was relied upon to ascertain how releasing and essentially allowing others to use such non-personal data would impact the growth and competition in the country?
Dr. Amar Patnaik: So this was debated quite a bit with the committee with many members having different points of view, but then you know the one underlying fact in this entire discussion is the fact that even if we had no law, even if we had no report, the fact has already been proclaimed by the Supreme Court by saying there is a fundamental right. So even if there was no law, if a data principal got affected by breach of personal, non-personal in whatever his own interpretation is, and if you recall, the court would give primacy to his privacy, and therefore, safeguarding the intellectual property I’m not saying it has been completely done away with it is important promotion of digital economy, but not at the expense of information because that’s the fundamental right.
Nikhil Pahwa: Of course I’m not contrasting the two-
Dr. Amar Patnaik: Competition at the cost of privacy can’t happen now, but then if the competition and antitrust laws and all that whatever has to be done, so, there will be separate MoU with the sectoral regulator because that would be the domain of the sectoral regulator. In this case, you would find that the DPA’s job in this entire thing is more on the technology front to protect the privacy of the citizen, whereas the sectoral regulators are actually doing both that is protecting and also promoting the purpose for which they have been created, whether TRAI or CCI or any of the consumer protection, whatever.
So, I don’t think that this bill would in any way deter the growth of digital economy, would rather give stability to the system and predictability so that if there is cross border data flow, if people want to come to India and use the data, they know what the regulation is, they know how to go about it, and as long as they are not compromising the informational privacy, their intellectual property continues to remain theirs and they can actually leverage it.
But in fact, I find that in the Kris Gopalakrishnan Committee report, there may be problems on that front when community asserts its right and says that it is our data and our data therefore, we won’t just (inaudible).
“So, therefore, when the government brings in some kind of principles and regulations relating to non-personal data, it has to be very clear and it must not kill the goose that lays the golden eggs of protecting intellectual property so that there is different kinds of innovations takes place.” — Dr. Patnaik
The innovation ecosystem has to be protected and therefore, even in the PDP bill, wherever there were no provisions of carve outs for startups and innovations that has been provided, you will see that it will be there in the new bill.
Nikhil Pahwa: Did the committee discuss the Kris Gopalakrishnan Committee’s recommendation to not allow the non-personal data protection authority from restricting foreign countries’ demands for non-personal data?
Dr. Amar Patnaik: As per the original bill, there was only one provision, which is section 91, now re-numbered to Section 92, which had the provision for sovereign demand on all non-personal data in the interest of evidence-based policy-making. So, that would continue to be there. But we should also remember that the biggest data fiduciary probably is the government itself, which does the evidence based making for improving governance. Now, governance again doesn’t only mean government. It is the private sector, it is the communities, it is the citizens, it is SHGs and NGOs, civil society organizations, everybody contributes to the governance climate in the country.
So, my thing is that, my opinion on this is that the sovereign right to take data for the purpose of evidence policy-making would be more applicable and has more meaningful kind of connotation only in case of personal data, and therefore, the exemption provisions have been provided under Section 35.
“As far as non-personal data is concerned I think my prescription would be that the government should come out with something in which non-personal data could be shared freely across public, private and all kinds of sectors, because ultimately innovation and new trajectories of growth and development should come up which will tell the citizens so, that should be kept in mind.” — Dr. Patnaik
Mind you, currently, we don’t have anything except Section 92 in the revised but when the government does finally come out with the principles, it should be kept in mind and these sharing thing whether it’d be free or it’d to be at a cost or whatever, that should again be determined by government.
“On the personal data front, it is much more stricter, very, very strict — I would say that it is tilted in favor of protecting the fundamental rights of privacy of data principals.” — Dr. Patnaik
On the other side, it should be to promote digital economy, and the personal data also should not only be protecting personal privacy of citizens, but also should be promoting digital economy has already been mentioned in the statement or the object of the original bill itself, which has been replicated in the new bill suggested by the data JPC. So I don’t think it will be creating any problem rather, it would marry well, I hope.
Nikhil Pahwa: Sir voluntary or mandatory in terms of data sharing public and private in order to –
Dr. Amar Patnaik: So, I told you that no, I told you that that the government has to decide. My personal opinion is that you should develop a market for it. And a market will find out the most efficient solution and when I say market that means there’s a cost to it and when there is a cost to it, a person would not unnecessarily ask for non-personal data. It will ask only for such non-personal data, which he thinks can give him a product which will give him profits or whatever in the market.
And at the same time, there is a price to it. So an entity, government or non-government, if it wants to use data for giving some benefit to citizens mandatorily, that’s already covered under the PDP bill- the PDP section of the DP bill that we’re suggesting. On the non-personal portion, which is yet to come out, the fine contours of it is yet to be coming out from the government, the government should keep that in mind. However, having said so, it might so happen will the government pay to a private sector to get his data?
“So I think there will still be these issues relating to whether in the larger public interest for giving some benefit, where the government can forcibly take this data.” — Dr. Patnaik
Section 92, the original thinking of government gives a clue, Section 91 earlier that for evidence- based policy-making it can, but my suggestion to government would be that they should try to develop a market for non-personal data because once you develop a market, then the market will take care of it. But there will be inefficiencies in any market, maybe in the data market as well and the government should be ensuring that such frictions between the buyer and the seller decreases as much as possible.
Nikhil Pahwa: In the budget announcement, the government has put a gag on publication of export and import transaction data. So it’s at one level we’re discussing releasing more data for economic growth another level the government seems to be trying to control information that’s already been released by third parties.
Dr. Amar Patnaik: Very surprised, I was very surprised, because if it was mandatory for the government, because if someone wants to disclose voluntarily, and it is not affecting the privacy because the argument that the government would be taking in this case is the fact that it is probably hindering in some way compromising the intellectual, the business commercial data of another entity by some entity, something like that, but giving a gross value would not have created any problem. So I’m sure I think this should be debated when it comes to for any public key that is going to deal with it and the gross data should come. Even sector-wise data should come.
They may not be company-wise, but sector-wise because one company can always say that by revealing these statistics, another company gets unfair advantage, but then what is competition all about? The competition is all about having this data and making the competition frictionless, market frictionless. So I think this is a knee-jerk reaction that has happened and I’m sure that this will come up for a larger discussion in the parliament to questions or in debates and maybe the government will have to look into it. I was very surprised with this kind of prescription, but haven’t really gone into the rationale behind such a decision, which has to be asserted. I haven’t done it so far.
Nikhil Pahwa: But sir sometimes we have different rules for the government, different rules for everyone else, but thank you so much for taking the time to speak with us. I wish you could have joined us for the conference but maybe some other time. Thank you for your time, sir.
- Data Protection Bill 2021: MP Amar Patnaik bats for data regulators at state level
- Data Protection bill 2021: How the JPC wants to deal with non-personal data
Have something to add? Subscribe to MediaNama here and post your comment.