Naavi.org

(This is the continuation and  summary article in the series)

The Kris Gopalakrishna Committee was constituted on 13th September 2019 with a brief terms of reference to study the various issues relating to Non Personal data and make specific suggestions. It was headed by Shri Kris Gopalakrishna, Co-Founder Infosys and contained 7 other members.

The Committte’s recommendations were released on July 12th and public comments have been solicited upto August 13.

The task entrusted to the committee was complex and the committee has come up with a comprehensive set of suggestions which are very promising. These are early days though as the recommendations will be churned again and again until it is implemented. But the road map has been set and the journey has begun.

In order to enable more people understanding the import of the recommendations and respond with their comments to the Government, I have tried to provide through a series of 8 articles preceding this, a glance at the recommendations. By no means these are complete and require refinement.

However, we must recognize that this is the fore runner to a new regulation of immense importance to the industry in India. It is of interest not only to Jio or Google or FaceBook, but also the entire IT industry, the public, the Government etc.

We often say “Data is Oil” and recognize its economic potential. A time has come now to look at the regulation that can ensure that the harnessing of “Data” as a “National Asset”.

We are now on the threshold of passing the “Personal Data Protection Act” which will regulate that part of the Data Universe that has the identity of an individual. Now a new “Non Personal Data Regulation Act” will address the regulation of the rest of the Data universe.

The law is yet to be framed. Even the Bill is not ready. But the die is cast. In due course an Act will be come into being. The industry has to gear itself to this new development.

The development will have a profound impact on the businesses because it will drag the many establishments including several Government agencies into a hitherto not present regulatory environment.  It will give raise to new opportunities in the area of technology which innovative technology start ups can harness.

The professional work force which was slowly coming to terms with the Data Protection Act will now have another disruption to contend with. As I have already been hinting at, the Non Personal Data Governance will bring in a new professional namely, “Data Governance Officer” in a corporate set up who will discharge a new function different from what the DPO or CISO or CTO or CCO or CRO discharges. This will be a new breed of “Data Management Experts” who will be “Techno Management Experts” who will come out of the Business Schools having both management skills and Technology skills.

As is customary, Naavi starts his journey into this world of Data Governance and will try to facilitate other professionals to join in.

Currently Naavi is focussed on the Foundation of Data Protection Professionals in India (FDPPI) and the “Foundation of Data Governance Professionals in India” will be a natural extension.

I invite other professionals to start thinking in this direction as we address both Personal Data and Non Personal Data management as a common objective.

For the time being however, let us concentrate on studying the recommendations of the Committee and formulate our comments to be submitted to the Government. With the Government requiring to complete its obligations on passing the PDPB 2019 at the earliest, the Non Personal Data Regulation Act may take some time to emerge. But let us use this interim period to learn more on this subject and prepare ourselves for the new era.

I have tried to provide below a list of articles that have appeared on this site in the past for immediate reference. I look forward to comments from others to collate more thoughts on this subject.

Naavi

Earlier Articles

September 16 2019:

Views of Kris Gopalakrishna.. What do they indicate for the Privacy regulation in India?
Views of Kris Gopalakrishna…on Privacy…2 Leveraging data for the benefit of the individuals

Views of Kris Gopalakrishna…on Privacy…3

September 2019-July 2020

Kris Gopalakrishna clarifies the role of Data Governance Committee-September 16,2019

What is Data Governance Framework ?-September 14, 2019
Committee on Data Governance…: Is it relating to Anoymized Personal Data or Non Personal Data?-September 14, 2019
What is Community Privacy? and who has the right of disposal?-September 23, 2019

Churning Expected in Corporate Data Governance hierarchy-26th September, 2019

The Consortium of “PDPA opposing companies” puts Kris Gopalakrishna under radar-March 8, 2020

July 2020

Differential Privacy and PDPA 2020-July 10, 2020

Data Governance Regulator may be designated by the Kris Gopalakrishna committee-July 11, 2020

Kris Gopalakrishna Committee submits reports-July 12, 2020

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-1

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-2

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-3
Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-4

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-5

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-6

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-7

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-8

New Regulations… New Opportunities…New Responsibilities

(This is a continuation of the previous article)

Technology Architecture

The Kris Gopalakrishna Committee (KGC) has also added key guiding principles on technology that can be used for creating and functioning of shared data directories, data bases and for digital implementation of rules and regulations related to data sharing briefly indicated below.

Mechanisms for Accessing data

All sharable Non-Personal Data and datasets created or maintained should have a REST (Representational State Transfer) API for accessing the data.

Data sandboxes can be created where experiments can be run, algorithms can be deployed and only output being shared, without sharing the data.

Distributed for Data Security

data storage in a distributed format so that there is no single point of leakage; sharing to be undertaken using APIs only, such that all requests can be tracked and logged; all requests for data must be operated after registering with the company for data access etc.

Even when data is stored in a distributed or federated form, as appropriate, there could be coordinated management of them like would be required for data trusts and data infrastructures for important Non-Personal Data in different sectors.

Creating a standardized data exchange approach for data collation and exchange.

Prevent de-anonymization by using the best of the breed differential privacy algorithm.

A system architecture to enable the implementation of the guidelines has also been provided by the Committee.

(To be continued)

Naavi

(This is a continuation of the previous article)

Non Personal Data Regulatory Authority

One of the key recommendations of the Kris Gopalakrishna Committee (KGC) that has been presently highlighted by the media reports is the recommendation to set up a separate regulator namely “Non-Personal Data Regulatory Authority” (NPDRA).

The NPDRA will be different from the DPA under the PDPA and while the DPA is more oriented towards “Securing Personal Data for the protection of Privacy of individuals”, the NPDRA will be focussing on how to harness the Non Personal Data for national benefit.

Hence the kind of persons who manage this authority has to be more “Progress oriented” than “Caution oriented”. They need to be more “Technology Oriented” than “Legal Oriented”.

The regulator should be able to effectively implement the measures to register and regulate Non Personal Data Fiduciaries, Processors, Data Trustees, Data Trusts etc. It will have to work in harmony with other regulators like DPA and CCI as well as the sectoral regulators. It will have both the “Enabling role” and the “Enforcement Role”.

As expected the NPDRA will be a body of persons with members with relevant industry experience.

(To Be Continued)

Naavi

(This is a continuation of the previous article)

Data Sharing

The essential part of the recommendations of the Kris Gopalakrishna Committee (KGC) is to ensure an effective “Data Sharing” mechanism in which “Non Personal Data” is recognized for its potential value and harnessed for the benefit of the people.

Data sharing  as recommended by KGC refers to the provision of “controlled access” to private sector data, public sector data and community data to individuals and organisations for “defined purposes” and with “appropriate safeguards” in place.

The Committee has preferred an “Open Access” to “Meta data” and “Regulated access” to underlying data of Data Businesses with establishment of appropriate mechanisms to support data requests and data sharing.

One of the key recommendations there fore is the definition of the Data Sharing purpose. The Committee recognizes three purposes namely

a) Sovereign Purpose

b) Core Public Interest Purpose

c) Economic Purpose

Sovereign Purpose

Under this concept, data may be requested for national security, law enforcement, legal or regulatory purposes.

Core Public Interest Purpose

Under this concept, data may be requested for Community uses/benefits for public goods, research and innovation, for policy development, better delivery of public-services, etc.

It is recognized that certain data held with the private sector, when combined with public sector data or otherwise, may be useful for policy making, improving public service, devising public programs, infrastructure etc which needs to be enabled through law.

It is recommended that the Country should specify a new class of data at a national level “High -Value Dataset” like health, geospatial and/or transport data and such data should be used for research purposes.

GKC has specifically mentioned that Health Sector is a pilot use-case for Non-Personal Data Governance Framework and anonymized health data should be shared for the specified purposes.

Economic Purpose

GKC makes yet another interesting recommendation that Data may be requested in order to encourage competition and provide a level playing field or encourage innovation through start-up activities (economic welfare purpose), or for a fair
monetary consideration as part of a well-regulated data market, etc.

Considering the noises being made by some legal professionals and activists about Section 91 of the PDPB 2019 which empowered such a possibility for public policy, this recommendation would be considered as one of the key recommendations under KGC which may go into a big debate.

Data Sharing Mechanisms

The GKC recommends that the implementation of this sharing mechanism would require setting up data and cloud innovation labs and research centers to develop, test and implement new digital solutions, which should be an attractive thought for IT companies. It is recommended that such data should be available as training data for AI/ML systems.

The Data Sharing Mechanisms are expected to provide access to meta data about data collected by different Data Businesses. This is expected to help identification of opportunities to develop innovative solutions, products and services.

Such a mechanism has to involve a “Data Request Mechanism”, “Data Custodian”, “Data Disclosure Mechanism” , “Safeguards” , “Handling of complaints of non disclosure by data custodians”, “Appropriate Checks and Blances” etc as part of a new regulation.

It is expected that “Experts” would be recognized to evaluate data probing tools, and guide the industry regulation. They would focus on Cloud vulnerabilities, Cloud security systems etc.

The current crop of CISOs may find a new area of specialization to develop their careers threatened by the advent of DPOs under the PDPA.

An Academic-Industry Advisory body has also been hinted at by the GKC.

GKC has also hinted that there could be liabilities associated with the implementation of the regulations, for which a Non-Personal Data Regulatory Authority is envisaged.

(To Be Continued)

Naavi

(This is a continuation of the previous article)

Data Business

Kris Gopalakrishna Committee (KGC) has defined a new line of Business Activity called “Data Business”. It has also suggested a new regulatory authority and a comprehensive regulation on collection , storage, processing and managing of data.

This proposition is a highly significant recommendation that could be a game changer in the industry.

While Personal Data Protection Act itself is a gold mine of opportunity, yet to be realised, the Data Business suggested by KGC will be another major development that holds lot of promise for those business entities which have the right long term vision.

To put it simply, while every business uses data for it’s internal purpose, over a period some companies acquire so much of data where data management itself can become a business opportunity and law recognizes it as a business to be regulated.

KGC recommends that entities who process large quantities of data have to be recognized as being in “Data Business” irrespective of their core business.  At this stage KGC recommends that the “Data Business” should be regulated separately by a regulator with various regulatory measures such as  regulating collection, storing, processing and sharing of Personal data, as  being addressed in a personal data protection act.

We can therefore expect a mirror image of the PDPA in the form of “Data Governance Act” (DGA) which regulates the “Non Personal Data”.

This business will be an independent industry sector and cuts across different industry sectors regulated by sectoral regulators.

“Data Business Discovery” is an important milestone for industries when they will be required to register with the regulator and become compliant with the law.

The idea suggests that “Companies who are today not recognized as either a Personal Data Company or even an IT Company may suddenly find themselves as a Data Business company” and would be subjected to new regulations.

Some of the “Data Business Companies” may also be “Personal Data Fiduciaries/Processors” under the PDPA.

Such companies may simultaneously also be “Non Personal Data Fiduciaries/Processors”.

In such cases, the Company will have with one set of regulations under PDPA being managed by a Data Protection Officer and another set of regulations under DGA managed by a Data Governance Officer (DGO).

We will therefore have DPOs and DGOs as new designations for professionals in many companies.

While DPOs will have more people from the IT/IS background, DGOs will have more from the MBA type who have to manage Data as an asset and ensure that after giving away the Personal data to the custody of the DPO, manage the Non Personal Data for the company’s benefit under the new regulation.

Just as some of the CEOs were feeling relieved after appointing a DPO and entrusting him with the responsibilities of Personal Data Protection, they are suddenly confronted with the Data Governance Act which needs to be managed by a DGO failing which there could be adverse consequences.

At this time we donot know what would be the compliance requirements and consequences of non compliance but we can definitely expect that the regulations will have some teeth of its own for industries to contend with.

The Data Business companies will be required to share some data with the Government and negotiate with the Government if any price can be extracted. IoT companies and service organizations in Smart City projects will have a wealth of data which can be packaged and converted into value products.

AI and Big Data companies will have to contend with the regulatory measures that may define the do’s and dont’s  and make the industry interesting.

The ISPs and MSPs will be another set companies who will be prominent players  “Data Business” with a collection of “Meta Data” that would be considered “Non Personal Data”.

Technology people will have a lot to work on Differential Privacy and Anonymization with related professional opportunities.

All in all the concept of “Data Business” is exciting and we look forward to a new world of opportunities opening up.

(To Be Continued)

Naavi

(This is a continuation of the previous article)

Ownership of Data

KGC has articulated a legal basis for establishing rights over “Data”.

Apart from recognizing the “Data Sovereignty” concept where the State has a primary right of ownership of assets collected in/from India which applies to Non Personal Data (NPD) also, the KGC has iterated that the term “Ownership” holds full meaning only in terms of physical assets and in respect of knowledge and data, it should be applied to the st of primary “Economic” and “Statutory rights” over the intangible asset. Hence the notion of “Beneficial Ownership/interest” has been adopted by the Committee as regards NPD.

As a result the committee recommends that

a) In case of Non Personal Data derived from the personal data of an individual, the data principal for personal data will continue to be the data principal of the NPD, which should be utilized in the est interest of that individual.

b) The rights over community Non Personal data collected in India should vest with the trustee of that data community, with the community being the beneficial owner and suchd data should be utilized in the best interest of that community.

This recommendation will create a slight conflict of concept since, NPD which is “Anonymized” is not “Personal Data” and there is no way it can be or should be linked to the Data Principal whether it is for his benefit or not.

The process of anonymization should cut the umbilical cord between the Data Principal’s identity associated with the data and the anonymized data set should be left free to be harnessed by the industry. Any attempt to link it with the beneficiary will defeat the very purpose of anonymization.

Otherwise, the KGC speaking about the Community NPD recommends that the benefits accrue not only to the organizations that collect such data but also equally to the community that typically produces the raw/factual data that is being captured. Accordingly the committee suggests that such data (Community NPD) may be shared in instances where there are defined grounds or purposes for sharing of NPD with Citizens, Startups, Indian companies, Government etc.

KGC also highlights the role of the Data Trustee in ensuring that the community interests are protected.

In the light of the above, KGC has placed the recommendation that

a) Data derived from public efforts should be considered as national resource.

b) Sharing of data benefits should be recognized among multiple parties.

c) Legal basis should be established to enable collection and use of community data by private data custodians or public organisations.

d) Raw/factual data sets comprising of anonymised user-information data collected by private data cusodians like telecom/ecommerce operators may be considered as community data

e) raw data should be maintained under open license free standard

f) There must be appropriate incentives to recognize and reward collectors of community data

g) As the processing value-add ver the raw data increases appropriate mechanisms may be leveraged for data sharing. (P.S: Here the recommendation appears to be closely aligned with the concept of “Additive value hypothesis” discussed in the Naavi’s theory of data.)

(To Be Continued)

Naavi