Besides the high-profile Personal Data Protection (PDP) Bill, 2019, the Indian government is considering a framework to regulate non-personal data (NDP). Just as crucial for businesses as PDP is for end-users, the NPD framework could affect the entire value chain from creators of tech services and products to enablers and consumers.
NDP includes data generated through online transactions, orders through delivery platforms or any online service, which is anonymised and stripped off personal identifiers. This data is then utilised to improve quality of service, ML algorithms and other technologies. It’s on the basis of this data — which is usually collected en masse and processed with less caution than personal data — that most businesses offer the latest ‘killer feature’ to win over the market.
India’s IT ministry set up an expert committee chaired by Infosys cofounder Kris Gopalakrishnan in September 2019 to deliberate on a regulatory framework for NPD especially its ‘economic dimension’ and value as a ‘public good’. Though these themes have appeared before in the Indian government’s agendas — like the call to create a self-reliant economy or Aatmanirbhar Bharat or its ‘Vocal For Local’ campaign — the proposed NPD rules are looking to create a centralised data sharing system for all tech businesses, both homegrown or foreign.
The committee released its report on the governance framework for NPD in July 2020. If brought into law in its current form, the framework would require startups to compulsorily share their proprietary data with the government and competitors, in some cases, without remuneration. To understand the implications of this law on tech startups and businesses at large, Ikigai Law will host a virtual roundtable discussion — “Unscramble: Implications Of The Non-Personal Data Framework For Startups” — on September 2, 2020.Register Now
Like the PDP bill, the NPD framework will require companies to remodel their data-related processes. While data sharing obligations seem to apply to businesses collecting data above a certain threshold, all businesses that handle data will be affected by the laundry list of proposed compliance obligations. Many emerging and growth-stage startups may find the proposals disconcerting, especially those whose business models or competitive edge depends on data exclusivity.
What is NPD?
There are three types of NPD, namely, public NPD or data stored with public bodies, community NPD i.e. raw data that relates to a ‘community’ or a group of individuals and private NDP, which is inferred or derived data to form business insights. However, these definitions are unclear and there is potential for overlap.
Overlap With PDP Bill: A Case Of Double Regulation?
Similar to the classification of personal data under the PDP Bill, the committee classifies NPD into general, sensitive, and critical categories. The framework will also require startups to obtain user consent before anonymising even non-personal data. For instance, if a cab aggregator wishes to aggregate passenger travel data from a section of the user base and derive insights, it would need consent from each user in the cohort. Implementing this will not only create practical challenges for companies but will make analytics a lot more complicated for tech companies.
Mandatory Data Sharing: Will It Kill Innovation?
The NPD committee has proposed making data available for socio-economic purposes, and to encourage innovation and competition. To this end, startups will have to share data with the government to enable better governance and policymaking as well as provide data to competitors to build innovative products and services.
While these objectives are commendable, the proposed data sharing mechanism ignores the capital invested by businesses into collecting, constructing and maintaining data sets. It also ignores the value of raw data sets, especially the processing costs of anonymising personal data. Critically, forced sharing of NPD could be in conflict with the business intellectual property rights over such data. This has the potential to create uncertainty, hinder innovation, and could stymie investments towards constructing datasets — even for social impact use-cases.
Why would any tech startup invest time and money in gathering and processing non-personal data when they might as well take advantage of the data-sharing rules and wait for competitors to do so?
Who Sets The Price On Data?
The NPD framework proposes that remuneration for shared data will depend upon the ‘value-add’ to the raw data and the type of NPD. It proposes the following compensation mechanisms:
- Startups must share community NPD, i.e. raw/factual data without any compensation
- If the element of value add is ‘non-trivial’, the sharing would be subject to fair, reasonable, and non-discriminatory (FRAND) terms
- Well-regulated market-based prices for datasets with ‘increasing value-add’
- Market forces, such as privately negotiated contracts, for ‘high value-add’ data sets
However, there is no clarity on how the value addition through data will be determined, how market prices will be regulated, and the role of the government in deciding this price. The committee has also ignored the fact that payment for data on FRAND terms is typically a voluntary exercise.
Local Storage Requirements: Increased Costs For Startups?
Borrowing from the PDP bill, the Gopalakrishnan committee recommended that ‘sensitive’ or ‘critical’ NPD should be stored on local servers within India. Anonymised or aggregated financial data such as bank account numbers, transaction details, payment details, and others, would have to be stored within India. While local storage requirements do not necessarily advance data sharing, privacy, or security goals, restrictions on cross border transfers can potentially impede access to affordable global cloud service providers and the latest innovative technologies.
By restricting access to global markets and technologies, local storage obligations can also adversely impact the profits, productivity, and competitiveness of Indian startups.
How NPD Changes The Data World For Businesses
Tech companies or organisations that meet the currently undefined threshold of collected or processed data will be considered ‘data businesses’ under the proposed framework. Such businesses will be subject to a host of compliance requirements, including registration, monitoring of operations and disclosure obligations. They will have to submit metadata about the data they collect to open-access ‘meta-data’ directories — essentially sharing data on the data they collect. On the basis of the shared metadata, any individual may request the business for their dataset.
Naturally, there is a fear that even small companies and startups processing data could qualify as data businesses, and be subject to excessive compliance and data-sharing framework. This will increase operational and data storage costs and hinder the ability of startups to develop their services.
Instead of advancing the committee’s goal of encouraging Indian startups, the proposed framework could hamper business prospects by imposing mandatory sharing and a higher compliance burden. Given the absence of a global benchmark for NPD regulation, proposing specific legislation and regulator for NPD without adequate consultation may be premature.
The NPD committee is accepting comments till September 13, 2020, and it is imperative for the Indian startup ecosystem to actively engage in this conversation and send inputs to the committee.
To this end, Ikigai Law is inviting all stakeholders from the ecosystem to discuss the impact of the NPD framework in a virtual roundtable titled Unscramble: Implications Of The Non-Personal Data Framework For Startups. Scheduled for September 2, the seats for the discussion are filling up fast, book your slot now.
(The article is co-authored by Vijayant Singh and Saumya Jaju, associates at Ikigai Law)