The Committee of Experts on Non-Personal Data Governance (CoE), convened by the Ministry of Electronics and Information Technology (MeitY) in September 2019, issued a draft set of recommendations for public consultation in July, 2020.
NASSCOM, by way of its submission dated 13 September 2020, provided its feedback on the first Draft of the Report to the CoE. In its submission, NASSCOM had urged the CoE to re-consider the scope of mandatory data sharing requirements through the provision of a “dual-list” framework consisting of a negative list of categories of Non-Personal Data (NPD) exempt from mandatory sharing obligations (such as NPD processed by data processors under contract, and foreign NPD) and a narrow principle-based white-list of NPD categories that would be considered for such sharing obligations.
Earlier in January, 2021, the CoE issued its revised Draft Report on NPD Governance for public consultation.
To take a closer look at the revised recommendations of the CoE, and enable the industry to provide informed feedback on the revised report, NASSCOM organised an industry interaction with the members of the CoE on 13 January 2021. During the interaction, Shri Kris Gopalakrishnan, Chairperson of the CoE, provided an overview of the changes that were made to the initially proposed framework. Most notably, the focus of the Report had been shifted to the creation of High-Value Datasets (HVDs) of NPD in India, and the creation of responsible data stewardship mechanisms led by an ecosystem of stakeholders including data custodians, data businesses, data trustees and the proposed Non-Personal Data Authority (NPDA).
To further examine the impact of the revised recommendations of the CoE, NASSCOM conducted an industry consultation session on 27 January 2021. Based on the feedback received during the industry consultation, NASSCOM submitted its feedback on the revised recommendations of the CoE on 31 January 2021.
NASSCOM is pleased to see its recommendations considered favourably in the revised draft of the NPD Report. In particular, the CoE’s revision of the mandatory NPD sharing framework through the proposed High-Value Dataset (HVD) creation initiative is a step in the right direction. We also appreciate, the exclusion of certain categories of NPD from data sharing obligations, such as NPD processed by data processors (Pg. 17, Para 7.5 of the revised Report), and NPD which could disclose trade secrets, or other proprietary information relating to employees, internal processes, and productivity data, and NPD which when shared is likely to violate the privacy of individuals, groups or communities (Pg. 25, Para 8.6 of the revised Report).
NASSCOM believes, the revised recommendations of the CoE form an adequate basis to explore an implementable data sharing framework in India. Accordingly, in its submission, and in the consultation with the industry, NASSCOM’s focus has been explore the pathways to implementation, and identify potential gaps that remain and suggest measures to address them.
Key Highlights of Submission
In its submission NASSCOM highlighted the following gaps that remain in terms of eventual implementation of the framework:
- The need to reconsider the “notice and opt-out” mechanism, and data residency requirements recommended by the CoE in respect of anonymisation of personal data, and treatment of sensitive and critical NPD respectively.
- The need to frame a limited and appropriate list of “public goods” towards which NPD would need to be mandatorily shared towards the creation of HVDs. Grounds such as “creation of new businesses” should be avoided, as they do not meet the definition of “public goods.”
- The need to extend the list of exclusions, based on a holistic evaluation of the framework and the associated risks. Exemptions to foreign NPD, price sensitive NPD, should be explicitly excluded. NPD which if disclosed could undermine fraud detection or information security should also be excluded from the framework.
- The need to enunciate details relating to the roles and responsibilities of stakeholders, and enforcement mechanisms under the proposed framework. These include issues the remain in terms of the regulation and oversight of data trustees, addressing any conflicts of interests, framing clear rules on attribution of liability for harmful processing, and clarity around dispute resolution and settlement under the proposed framework.
Considering the issues highlighted in the submission, NASSCOM has urged the CoE to adopt a phased approach to implementation, which takes a pilot-based approach to gather evidence towards framing the eventual regulatory framework.
NASSCOM’s submission to the CoE is attached below. Please reach out to firstname.lastname@example.org should you have any queries relating to the present submission.
The post NASSCOM Submits Feedback on Revised Draft Report of the Committee of Experts on Non-Personal Data Governance appeared first on NASSCOM Community |The Official Community of Indian IT Industry.