Is India ready for the regulation of Non-Personal Data under the Personal Data Protection Bill, 2019?

The Joint Parliamentary Committee on the Personal Data Protection Bill (PDP), 2019 is inching closer to finalising its report on the bill. Of particular interest is the discussion on widening the ambit of the bill to include non-personal data (NPD). According to media reports, the committee is deliberating over whether one law should regulate both personal and non-personal data – even though the purposes of such regulation are virtually opposite to each other. The idea of including non-personal data in the same bill is to create a composite data protection authority for the entire data economy and devolve enough powers so that regulation can keep pace with technology development. Following these changes, this bill could be renamed as the Data Protection Bill, 2021.

In the same context though, concerns arise over mandatory sharing provisions and the governance of non-personal data. In the second edition of ‘Reshaping the Data Landscape: The Data Protection Bill, 2019’, an expert panel looked into data governance, compliance costs for companies (especially startups), individual privacy rights and community benefits, international data governance frameworks, risk of overregulation, ambiguities in the bill and more. This panel — moderated by Rohit Kumar, Co-founder, The Quantum Hub and hosted by YourStory — featured Gaurav Gogoi - MP, Lok Sabha and Member, Joint Parliamentary Committee on PDP Bill, 2019; Subhashish Bhadra, Principal, Omidyar Network India; Nadika Nadja, Researcher, HasGeek and Sreenidhi Srinivasan, Principal Associate, Ikigai Law.

Here are some key takeaways from the discussion.

Iterations and amendments to the PDP Bill

Mr. Gogoi, who is a member of the Joint Parliamentary Committee that is deliberating on the bill, stated that it was hard to craft a perfect piece of legislation in the first iteration. He reflected that the government understands that the bill is a landmark step, which is trying to fill a vacuum in India’s data governance. The lack of a data protection framework hampers different businesses and sectors in the country, and arguably puts India at a comparative disadvantage as other major countries already have data protection laws. It is important that the bill comes into effect soon, which can then be amended and modified as needed.

Omidyar’s Subhashish too spoke about first creating an institutional architecture that is transparent and consultative in nature, allowing stakeholders to work together to find the right answers. “How do we make sure that the institutional architecture we are setting up has enough transparency, has enough consultative-ness built into it from day one, because sitting today, neither me nor a tech entrepreneur and even the honourable members of the Parliament would know how this entire data economy is going to play out,” he said.

Common principles on data governance

Mr. Gogoi spoke of the considerations that the committee is taking into account, when drafting their recommendations. He stressed that the Data Protection Authority (DPA) — the apex body which will oversee the implementation of the protections provided by the bill — will have to work with its global counterparts to ensure that these regulations match global standards of data governance. This will, in essence, create a set of common principles on data governance around the world.

Sreenidhi spoke about NPD frameworks in the EU and Japan, which follow a more voluntary-based approach to data sharing. Australia, on the other hand, approaches NPD based on the needs of different sectors instead of a blanket imposition, for e.g., mandatory data sharing provisions for the automobiles sector. However, she also stated how the PDP Bill was one of the most comprehensive bills in terms of scale and scope, and that other countries were approaching data governance in “pockets”.

Compliance costs for Indian businesses

One of the key points discussed in the panel was the compliance costs that would be borne by companies. Nadika discussed the impact and response of smaller companies to the bill and its clauses, especially Clause 91 of the Bill, which deals with NPD. She stated that smaller organisations would be hit harder, as the technical processes to share data are expensive.

Mr. Gogoi stated that while the government and the committee are mindful of these costs, they were also looking at ways to ease the compliance burden, particularly for small businesses. However, he pointed out that this was a shift that would cause pain, and the only way to circumvent this was to see if the regulator could thrust the burden of compliance primarily on larger companies.

“To have a robust data sharing ecosystem, industry imbalances needed to be addressed such as pursuing data licensing agreements, capacity building to derive useful insights from data, etc,” stated Sreenidhi. With regards to these issues, she believed that the authority under the bill must consider supporting smaller companies.

Subhashish also pointed out that overregulation could cause significant damage to innovation and the startup ecosystem in the country. “It is vital to not overregulate given India is coming out of an economic crisis of the pandemic,” he said.

Multiple regulators or one bill for all?

When it came to the regulation of NPD, Mr. Gogoi stated that the DPA can issue codes of practice eventually. Having multiple regulators for different sets of data could lead to uncertainty and confusion for businesses. A single body, he stated, would bring in more regulatory certainty. He shared, “Within data, within the same domain, you should not be looking at two regulators. For instance, a mobile company should not be looking at two mobile regulators. It’s the same when it comes to data.”

Sreenidhi, on the other hand, said that the objectives for governing personal and non-personal data might be at odds. Given that the discussion of both were at very different stages, she said, “The PDP is at a far more mature stage of discussion, it’s been around for four years, and has seen two rounds of consultation on the legal provisions. On NPD, the only real legal provision we’ve seen is Clause 91, which doesn’t provide a clear indication.”