Overview of the IT Act: Gopalakrishna Committee Recommendations

The Gopalakrishnan committee is a committee of experts on the concept of non-personal data (NPD) constituted by the Ministry of Electronics & Information Technology (MeitY). The stated goals for the committee were (i). To study various issues relating to non-personal data (NPD). (ii). to make specific suggestions for consideration of the Central Government on the regulation of non-personal data.

The Gopalakrishnan Committee on the Non-personal data framework presented in this committee is;  

Define the roles of non-personal data (NPD)

Articulation of the legal basis for the rights of NPD

Specification of the purpose of data sharing

Data business can be defined

Definition of non-personal data:

(i). When the data is not ‘Personal Data’ (as defined under the PDP Bill), or the data is without any Personally Identifiable Information (PII), it is considered Non-Personal Data.

(ii). A general definition of Non-Personal Data according to the data’s origins can be

•  Firstly, data that is never related to an identified or identifiable natural person, such as data on weather conditions, data from sensors installed on industrial machines, data from public infrastructures, and so on.
•  Secondly, data which were initially personal data, but were later made anonymous. Data which are aggregated and to which certain data transformation techniques are applied, to the extent that individual’ specific events are no longer identifiable, can be qualified as anonymous data.

The committee has defined NPD as any data that is not related to an identified or identifiable natural person or is personal data (“PD”) that has been anonymized. It identifies three categories of NPD namely- public, private, and community. NPD can be sensitive, in some circumstances.

Public NPD refers to NPD collected or generated by the government, including data collected or generated in the course of execution of publicly funded works. Private NPD refers to data the source or subject of which “relates to assets and processes that are privately-owned by such person or entity, and includes those aspects of derived and observed data that result from private effort.” Community NPD includes anonymised personal data and NPD about inanimate and animate things or phenomena, whose source pertains to a community of natural persons.

A community is loosely defined in the Report as “any group of people that are bound by common interests and purposes, and involved in social and/or economic interactions.” The raw data without derived insights is called community data here, which would include datasets of user information collected by even private players. As per the report, there can be significant overlaps between community and private NPD and if the two are defined as distinct categories then all user information collected by private players will not necessarily be community data, as it can pertain to or result out of entirely private assets and processes.  

Further, there is some sort of distinction attempted between community data which includes only raw/factual data, and private NPD which would include inferred or derived data as a product of the application of algorithms and proprietary knowledge. Interestingly, there is a vague carve out for private data that notes that “Algorithms / proprietary knowledge may not be considered for data sharing.”  This assumes that only private NPD involves a narrower subset of proprietary knowledge or algorithms that can be exempted from data sharing and that products/insights derived from the application of this proprietary knowledge are not necessarily protected.

Based on the categories introduced above, the committee aims to articulate a legal basis for establishing rights over NPD. The term ownership implies a set of economic and other statutory rights. Since data is an intangible asset, the committee recognizes that many actors may have simultaneous overlapping rights and privileges. The Committee has introduced the principles of ‘best interest’ and ‘beneficial interest’ that will aid in tackling this overlap in ownership of data concerning Community NPD and Private NPD.

The report identifies various stakeholders, including governments, citizens, startups, companies, universities, research labs, NGOs, etc., who may request data from businesses for underlying data for defined purposes. The purposes are defined broadly and allow for leeway for data requests. It is envisioned by the report; that raw/factual data would be shared for predefined purposes.

To address concerns about the use of non-personal data and to enable a data-sharing framework that can tap the economic, social, and public value of the data, the committee envisages setting up a dedicated NPD authority, to ensure that non-personal data is used for commercial and sovereign purposes. NPD Authority is to govern the rules and regulations on non-personal data roles. The data authority must articulate its two roles (enabling and enforcing). It also proposes a separate legislation to govern and regulate Non-Personal Data.

The idea of data sharing of the non-personal governance framework related to the committee has all the above recommendations. However, there can also be other recommendations for these factors like establishing NPD authority, it said. The most important factor here is that the committee recommends the foundation of those types of data authority. The authority in this factor can help to unlock the value of NPD in the continent of India. In this part, two roles of this factor can be seen- the role of Enforcement and the role of Enable. The draft report has also recommended that raw data and factual data needs to be shared.

The report discusses ownership rights over data and establishes a new class of business called “Data businesses.” It also creates a “policy switch” that will act as a digital clearinghouse for all regulatory compliance. The report also recommends legislation to ensure effective regulation, with a Non-Personal Data Authority in place.

The Gopalakrishnan Committee was set up by the Ministry of Electronics and Information Technology and was chaired by Kris Gopalakrishnan, co-founder of Infosys. The committee submitted its draft report in July 2020.