In September 2019, an Expert Committee was constituted by the Ministry of Electronics & Information Technology (MeitY) to deliberate on issues related to Non-Personal Data ("NPD"). The committee released two reports, one in May 2020 and thereafter a revised report in December 2020, relating to the creation of a governance framework for NPD. The task assigned to the Committee was to study various issues relating to NPD and to make specific suggestions for consideration of the Central Government on the regulation of NPD.
There is no wrangle that Non-Personal Data (NPD) is of high value, especially in a highly connected economy where every device and individual interact constantly with each other. The growth of the Internet of Things through smart devices and sensor-based equipment and infrastructure has created different and diverse kinds of NPD which can help in creating new products and act as a feeding source for generating Artificial Intelligence. Undoubtedly this rich source of input for the fourth or fifth-generation economy must be appropriately regulated and there must be a governance mechanism put in place at the earliest. It is admirable that India has taken a lead and initiative for deep thinking on the policy side to set an appropriate governance framework.
The Governance Structure
The Committee is recommending a Non-Personal Data Authority (NPDA) to regulate this field. From the Report, the players and the governance structure are as below:
This architecture validates the conversion of Personal Data or personally identifiable data into NPD by anonymization and thereby, giving large digital companies the opportunity to conduct a rich horizontal business relating to the trading of data. The Committee has identified Data Trustees and Data Custodians as the key constituents in the NPD ecosystem. The scheme envisages the creation of High-value Datasets (HVDs) by Data Trustees which can be accessed by anyone on payment of a nominal fee. These HVDs are created by improving and enhancing the data requested and obtained from Data Custodians. The Data Trustee can approach the NPDA in the instance of a refusal to share data by the Custodian, which will then evaluate its necessity and either mandate the sharing or dismiss the plea.
While the overall scheme is promising, issues regarding how a Data Trustee would charge for the data sharing and what incentives would it give to Data Custodians are bound to emerge. Of course, these details would be put in place when the law is enacted, and the rules are made. The report recommends that data businesses up to a certain threshold would be required to register in India in order to create a similar parameter as envisaged in the data protection bill with respect to significant data fiduciaries. The roles and responsibilities of the data custodian and data processor with regard to community data have also been defined. However, the concept of a Data Trustee is deceptive as a Data Trustee is primarily involved in Data Business rather than the trusteeship which is expected from the nomenclature. Though it is understood that Data Trustees have a responsibility to do the business ethically while ensuring anonymity, naming them as Trustees simply because they have a duty to care appears to be a misnomer. Data custodians are essentially the creators of the NPD related databases, they are therefore the authors of a database and copyright owners and not akin to data fiduciary/ data controller in a personal data regime.
The entire framework for NPD is a parallel structure mimicking the proposed legal regime relating to personal data. In personal data protection law, the privacy of the data subject is the critical aspect, however, in the case of anonymised and non-personal data, privacy is a lesser concern. In the case of NPD, equitable sharing and commercialization are the major aspects to be kept in mind. In the case of non-personal data, the individual data element has no value, the value lies in the quality and relevance of the data set and the databases created. The Report has not adequately differentiated between non-personal data and non-personal data sets. The Report gives more emphasis on non-personal data and the legal issues relating to the handling, sharing and trading of such data. On the contrary, I believe, individual data has insignificant economic value, the value lies in aggregated data set created based on defined and intelligent parameters. The extent of information gained through the aggregation of data is the value driver for companies. I believe, the perceived business opportunity is relating to non-personal data sets or databases.
High-value Datasets (HVDs)
The Report extensively deals with High-value Datasets (HVDs). It is identified as a dataset beneficial to the community at large and to be shared with the public. The report contemplates fifteen or more such HVDs. The data trustee would be an organization, either a government body or a section 8 company that would control these data sets. The trustee can charge nominal fees for every request for data set by the Data Requester. The data-sharing mechanism, though stated to benefit the community, would most likely lead to an enterprise for monetary gains by Data Trustees. A Data Requester would have to pay a fee for every access request and hence, it is likely to emerge into a full commercial market for non-personal data. Data Trustee is not likely to remain as mere trustee of the data, but rather an aggregator of data and trader of such datasets. Hence, the attribution of ethical behaviour to the business and terming them as Data Trustees seems to be quite inappropriate.
Framework Under Copyright Law Adequate to Manage NPD Datasets
Further, an evident drawback in the report is that it has not adequately considered whether any of the existing frameworks can be adopted or entrusted with the above-mentioned task without creating additional institutions and establishments. The Report has not taken into account why the existing legal framework cannot be used to achieve the same objectives more efficiently. The Copyrights Act has recognised computer databases as a work eligible for copyright. §.2(o) of the Indian Copyright Act defines computer databases and compilations as a literary item which can be copyrighted. A compilation of non-personal data set/ database is thus eligible to have copyright registration. Any work whether literary, musical, cinematographic, audio-visual, etc., which has copyright and having commercial value can be managed by Copyright Societies registered under §.33 of the Indian Copyright Act. Such Societies are collective agencies of the Copyright owners and authors managing copyright with respect to a single class of work and are bestowed with the exclusive power to issue and grant licenses for the use of copyrighted works. Copyright Societies issue licenses and collect fees in accordance with their Scheme of Tariffs. The fees collected are distributed among the owners of the work subject to retaining an amount not exceeding fifteen percent of the collection for administrative expenses incurred by the society. The management of a society, the grant of licence, the revenue sharing model, etc. are all clearly set out in the Copyright Rules. Such a structure can be simply used to commercialize datasets made by Custodians as well as HVDs made by Data Trustees without establishing a new regulatory mechanism.
The Registrar of Copyright has the power to recognize copyright societies. Hence, a copyright society for non-personal databases could easily be created under the present copyright regime. There can be enabling provisions added to the Copyright Law to have separate Copyright societies for different kinds of data sets contemplated as HVD's. The Compulsory licensing system available under the copyright law can be used to force data base owners/custodians to share the data to create HVD. Against the orders of the registrar of copyright, an appeal before the Intellectual property Appellate Board is available. Orders of the appellate board can be further challenged before the High Court. The Appellate board has the power to decide royalties to the owners and other aspects relating to the administration of the copyright. Thus, the mechanism established under the Copyright Act containing a comprehensive framework can readily be used for managing computer databases relating to NPD.
When a computer database is an approved kind of literary work, capable of entrusting copyright to its creator, there is no compelling reason that necessitates the creation of a separate governing framework. It is perfectly possible under the existing law to create a copyright society for the benefit of owners of the compilation or creators of computer databases. Such a society can have defined mechanisms on how to value the datasets, how to share such datasets, how to achieve transparency and accountability in the functioning of the NPD mechanism. I feel the present copyright law itself can be used for the sharing or commercialization of non-personal datasets by encouraging to have a single copyright society for computer databases or if required separate societies for different kinds of NPD. It does not require a separate institutional mechanism or legal framework.
Merely because NPD has the potential to identify the person relating to whom the data belongs (through de-anonymization), does not warrant the creation of a new separate regulator as proposed. Every business is expected to have some distinct ethical values and norms to be followed. In the case of NPD, the privacy of individuals and security of data are an additional expected behaviour. However, this peculiarity of NPD does not make the activity wholly distinct from the one related to commercialization or equitable sharing of other copyrighted works. From a practical perspective, it is much easier to follow the tried and tested framework of Copyright law to manage NPD datasets than creating a new framework and setting up new institutions.
Rajesh Vellakkat is a Partner at Fox Mandal. Rajesh's expertise lies in providing strategic advice on Intellectual Property, Information Technology Laws, Data privacy and E-Commerce as well as Investment and Securities law. Views are personal.