NASSCOM Submits Feedback on Draft Report of the Committee of Experts on Non-Personal Data Governance
Blog: NASSCOM Official Blog
As you might be aware, NASSCOM recently concluded an extensive industry consultation process on the Draft Report of the Committee of Experts on Non-Personal Data Governance (NPD Committee). Based on the feedback received from the industry, and as a part of the public consultation on the draft Report of the NPD Committee, NASSCOM submitted the industry’s feedback on the draft Report on 12 September 2020.
At the outset, NASSCOM recognises the pioneering work undertaken by the NPD Committee towards setting out the broad parameters of a governance framework for guiding the way non-personal data (NPD) can be leveraged towards the benefit of citizens, businesses and communities within India. NASSCOM appreciates the NPD Committee’s emphasis on:
- The need for a separate legislative framework for governing both voluntary and mandatory mechanisms of sharing NPD;
- The need for Open Government Data and leveraging vast amounts of public NPD collected by the Government and its agencies, or on behalf of the Government and its agencies during publicly funded projects;
- The need for defining limited instances of mandatory sharing of NPD subject to adequate and appropriate safeguards that recognise the proprietary nature of NPD, while ensuring wider public interest is served through an appropriately governed NPD ecosystem;
- The need for a separate regulatory and adjudicatory mechanism for determining disputes arising out of requests for mandatory sharing of NPD;
- The need to ensure processing of NPD in a manner that is in the best interest of citizens and communities within India and does not in any way lead to direct or indirect harms to citizens and communities within India.
However, NASSCOM notes that there remain certain gaps in the draft Report, which might require further detailing and re-consideration, in order to strengthen the governance framework envisaged by the NPD Committee, which was set up with the mandate of identifying relevant market failures in NPD markets and addressing them through a suitable regulatory framework.
In this regard, NASSCOM notes that the draft Report appears to identify (i) lack of adequate data sharing as a negative externality and (ii) the need to pre-empt irreversible tipping of ‘data businesses’ towards a dominant position to address potential gaps in the ex-post regulation of abuse of dominance. It seeks to address these issues by enabling mandatory data sharing.
As an outcome, mandatory data sharing should boost the Indian start-up ecosystem, drive new product and service innovation and reduce the risk of abuse of dominant position by intermediaries and other data-led businesses. Such outcomes would be desirable.
Conversely, mandating data sharing could reduce the incentives to invest in collection and processing of data, the very thing that is sought to be encouraged. It could put the Indian start-ups at a disadvantage in their ability to raise funds or compete, as they would eventually need to share their data. The data sharing obligations could generally place India at a disadvantage given that such obligations may not exist in other jurisdictions. Such outcomes would be undesirable.
Therefore, NASSCOM’s submission seeks to identify and illustrate the potential for such undesirable outcomes based on feedback received from the industry and provide suggestions that can strengthen the draft Report to guard against such undesirable outcomes while strengthening the case for achieving the desirable outcomes.
In particular, NASSCOM has recommended that the scope of NPD being considered for mandatory sharing be limited to certain categories of NPD, with high social, economic and public value, as may be identified by the Committee based on well-established use-cases. To this end, NASSCOM has suggested that a “white list” (i.e. categories of NPD within the scope of mandatory sharing obligations) be defined to cover NPD for which denial of access would cause significant prejudice to public interest or create significant impediments to the discharge of sovereign functions of the State.
Additionally, NASSCOM has also recommended the creation of a “negative list” of NPD that may be explicitly excluded from the scope of regulation, including all foreign data, price sensitive data, and algorithms and source code.
Further, it has also been suggested that appropriate dispute resolution and appeal mechanisms be put in place with regard to mandatory NPD sharing, so that instances of denial of access to NPD can be referred to an adjudicatory authority to determine the validity of the request (in terms of scope) or denial of access (in terms of potential for significant commercial or competitive harm that could arise from sharing such NPD).
Other suggestions inter alia extend to re-considering and addressing overlaps between the draft Report’s recommendations, and the framework set forth in the Personal Data Protection Bill, 2019, clearly defining thresholds for qualification of an entity as a “data business”, streamlining meta-data sharing obligations, and placing a greater emphasis on voluntary Business-to-Business (B2B), Government-to-Business (G2B) and Business-to-Government (B2G) sharing of NPD.
The full feedback submitted by NASSCOM is attached.