The revised recommendations on the Kris Gopalakrishna Committee on Non Personal Data reiterates the significant role that the Non Personal Data Authority.
It may be noted that the Committee has ab-initio been influenced by the industry to include a recommendation that it must be created with “Industry Participation” . This recommendation has to be taken with circumspection.
While NPDA has to consult industry and have persons with industry experience in its constitution, “Regulation” has to be segregated from the industry. If industry organizations become part of the regulatory agency, the regulatory functions will be corrupted.
Hence the committee’s suggestion “NPDA must be created with industry participation” needs to be rejected.
The NPDA’s Enabling functions include
a) Ensuring unlocking of economic benefit from non-personal data
b) Creating a data sharing framework
c) Managing the meta data directory of data businesses in India
NPDA’s Enforcing functions include
a) Establishing rights over Indian Non-Personal data in the digital world
b) Address privacy, re-identification of anonymized personal data, prevent misuse of personal data
c) Adjudication when a data custodian refuses to share data with the data trustee.
In defining the enforcing functions, mention of “Privacy” indicates a deliberate attempt to create overlapping powers against the Data Protection Authority being created under PDPB 2019.
While the report says that the roles of NPDA should be harmonized with the CCI and DPA, there is an element of overlapping of regulatory functions which need to be consciously avoided.
As regards “Privacy”, the DPA under PDPB 2019 should be given the unambiguous authority. When there is a doubt the NPDA should refer the Privacy issue including the re-identification of anonymized personal data or misuse of personal data to the DPA for necessary adjudication and corrective action as may be required.
This has to be kept in mind when the new Non Personal Data Regulation Act is framed.