The Report by the Committee of Experts on Non-Personal Data Governance Framework (‘Report’) has, among other things, proposed the establishment of a new and specialised regulator called the Non-Personal Data Authority (‘NPDA’). The creation of a new regulator was favoured by the Committee to stay abreast of emerging technological developments in the data economy. The Report envisages that the NPDA will perform both enabling and enforcing functions, by tapping into the latent value of non-personal data as well as protecting individuals from the occurrence of collective harms. In this piece, we will analyse the Committee’s rationale for setting up a new regulator, and discuss concerns around potential conflicts with existing and upcoming regulators.
In proposing to set up a new regulator, the Committee furnished the following rationale. First, non-personal data regulation is a novel area that demands dedicated expertise; second, the proactive nature of the proposed NPDA would distinguish it from existing regulatory authorities; and third, the NPDA would be required to implement the provisions contained in a prospective legislation regulating non-personal data, to enforce discipline in the market and spur innovation.
Setting aside the merits of the rationale advanced in the Report, the proposed structure and functions of the regulator stoke fears of turf wars with both existing regulators such as the Telecom Regulatory Authority of India (‘TRAI’), as well as potential regulators such as the Data Protection Authority (‘DPA’). Such jurisdictional conflicts may not only lead to regulatory impasse, it may also impose unreasonable costs on private players and make the exercising of individual data protection rights burdensome. In this regard, we have identified two concerns that require attention.
Our first concern is the potential for overregulation in the context of non-personal data. In outlining the nature and tasks of the NPDA, the Report briefly alludes to sectoral regulators and permits them to ‘build additional data regulations’ in a horizontal fashion. By suggesting that sectoral regulators could enforce additional regulations, the Report risks a multi-axis regulatory framework for non-personal data. For instance, anonymized information concerning SIM card data may be regulated by both the NPDA and the TRAI.
Here, entities would have to fulfill regulatory requirements at the level of TRAI as well as the NPDA, in order to share non-personal data. The costs of such compliance can have debilitating effects on small businesses, and more importantly, result in conflict among regulators over issues of data governance.
Second, the performance of quasi-judicial functions by the NPDA may hinder the possibility of a streamlined framework for resolving data related disputes. According to the Report, one of the tasks of the NPDA is to enable data sharing requests and supervise data sharing arrangements. In pursuance of the same, the Report notes that the regulator shall adjudicate disputes arising out of data sharing requests, thus indicating that the NPDA shall act as a ‘court of first instance’ on questions of data sharing.
In understanding the role of the NPDA as a dispute resolution body on data-sharing, the Report neglects that such disputes could involve the processing of both personal and non-personal data. By positing itself as an adjudication body for data sharing disputes, the NPDA may set on a collision course with the DPA to be established under the Personal Data Protection Bill, 2019. For instance, in a dispute involving the re-identification of shared non-personal data, a litigant would have to move the NPDA to nullify the data sharing agreement that risked re-identification, while also moving the DPA to prosecute the offender for re-identification. Instead, an approach involving adjudication before a single dispute resolution authority would be a cost-efficient and speedy method for disposing such matters. This move would also aid in deal-making activity, thus providing a much needed boost to the economy in the aftermath of Covid-19.
Given the globally unchartered waters India’s proposed non-personal data regulation framework is wading into, it is essential for the Committee to proceed with caution. As a first step to improve upon this framework, the Committee should consult with the Joint Parliamentary Committee on the PDP Bill before the operationalisation of either regime. This would minimize conflict between the two and develop clarity on the standards to be imposed by the proposed non-personal data legislation.
Further, the Report has recognised the need to harmonise the role of the NPDA with that of other regulators. However, the Report does not delve into the manner of achieving harmonisation. We recommend that on its creation, the NPDA should adopt an attitude of regulatory restraint in its initial functioning, and focus on establishing channels of communication with other relevant regulators. An inability to do so at the outset could fuel turf wars and stifle market-led innovation.
Contributed by: Sohini Banerjee, Research Fellow; KS Roshan Menon, Research Scholar
This is intended for general information purposes only. The views and opinions expressed in this article are those of the author/authors and does not necessarily reflect the views of the firm.
The Bar Council of India does not permit solicitation of work and advertising by legal practitioners and advocates. By accessing the Shardul Amarchand Mangaldas & Co. website (our website), the user acknowledges that: