This is the third note of S&R Data+, a multipart series on data and digital governance focused on personal and non-personal data, including with respect to their separate regulatory, legal, and commercial implications. The previous note outlined the build-up to India’s proposed digital governance architecture by analyzing past trends, some of which have coalesced through specific interest configurations towards current developments. In this note, we will discuss possible trajectories for the future in respect of such governance regime.
While the last note covered developments until 2020, we look at more recent trends here, including those that may directly contribute towards the formulation of India’s new data protection and digital framework over the next few months.
In May last year, the Ministry of Electronics and Information Technology (“MeitY”) had released a draft of the National Data Governance Framework Policy for public consultation (“NDGFP”). The NDGFP aims to ensure that non-personal and anonymized data from both government and private entities are accessible by research and innovation ecosystems, including for the purpose of facilitating academic output and initiatives in research and development (“R&D”) by Indian start-ups. Further, the policy aims to provide an institutional framework of rules relating to datasets and metadata, as well as standards, guidelines, and protocols related to the sharing of non-personal data.
In addition, as part of the NDGFP, the government aims to build the India Datasets program (“IDP”) – potentially comprising non-personal datasets housed within government and private entities (including companies), based on data collected from citizens and/or people living in India. Nevertheless, the NDGFP has clarified so far that obligations to share such collected data will mandatorily apply only to government departments and bodies (while private entities may only be encouraged to share such data).
Earlier this year, while presenting the Union Budget for FY 2023-24, Finance Minister Nirmala Sitharaman had indicated that the NDGFP might be finalized soon, thus enabling wide access to anonymized data. Significantly, the May 2022 draft of the NGDFP contained plans to monetize data sharing – which aspect, in turn, received public criticism. For instance, while the India Data Management Office (“IDMO”), as proposed for establishment under the Digital India Corporation under MeitY, may be given powers to design and manage the IDP in terms of processing requests from Indian researchers and start-ups for access to non-personal and/or anonymized datasets, Clause 6.18 of the NGDFP in its current form allows the IDMO to charge user fees for its services.
Proposed DI Act
Further to its goal of championing a ‘Digital India Act’ in lieu of the dated Information Technology Act, 2000 (the “IT Act”), MeitY made presentations before various stakeholders at Bengaluru in March this year. While the associated timelines and consultations (the “DIA Consultations”) with respect to such exercise lacked consistency at first, pursuant to fresh DIA Consultations in May 2023 across New Delhi and Mumbai, it now appears that, pursuant to a few more rounds of engagement with select stakeholders, a draft bill for the proposed statute (the “Proposed DI Act”) may be ready in a few months’ time. According to media reports, the government may frame rules for sharing non-personal data under this law – such as in respect of data captured by invasive gadgets like spy camera glasses and wearable devices/technologies. Accordingly, dedicated provisions to regulate such devices/technologies may be introduced in the Proposed DI Act, including those related to compliance with ‘Know-Your-Customer’ (KYC) requirements as a pre-condition to obtain approvals for sale. Meanwhile, although the revised version of a MeitY-constituted expert committee’s first report on a national framework for data governance (such committee, the “DG Committee,” and such reports, the “First DGC Report” and the “Revised DGC Report,” respectively) is yet to be acted upon despite being submitted almost three years ago, it is possible that certain of its key findings will be accounted for in the Proposed DI Act, especially with respect to the sharing of non-personal data.
Absent specific information or formal clarifications issued by MeitY other than through sporadic media statements and the recent DIA Consultations between March and May 2023, certain overarching principles of the Proposed DI Act in its current conceptualization appear to include: (1) an open internet, (2) online safety, (3) a revised intermediary framework, and (4) no/limited safe harbor.
In terms of promoting an open internet, the Proposed DI Act may facilitate: (i) online diversity by improving choices and competition among consumers and digital actors, respectively; (ii) the ease of doing business along with corresponding compliances; as well as (iii) fair access to digital markets for start-ups and similar entities. Accordingly, provisions in respect of interoperability (i.e., the property that allows for sharing and use of resources between different systems, components, and/or machines, including data exchanges), fair trade practices (including for dominant market players), and non-discriminatory access, may be introduced with respect to digital services. In this regard, it is possible that the proposed law may recognize the role of ‘digital gatekeepers’, including in terms of consequences stemming from the actions of digital actors online – for instance, in respect of creating or limiting entry barriers, and establishing a level-playing field.
All of this appears to be consistent with the Revised DGC Report, where the DG Committee had identified the realization of economic value from the use of non-personal data as a key priority. In other words, in terms of asserting India’s data sovereignty, the Proposed DI Act may focus on generating economic benefits for citizens and communities, including by unlocking the social, public, as well as the economic value of data. Thus, pursuant to the DG Committee’s recommendations, the Proposed DI Act may ensure that the benefits from processing non-personal data accrue not just to the organizations that collect such data, but also to the country as a whole, as well as the community that produces the data. Further, the DG Committee had stressed the importance of creating incentives for innovation, including in respect of new products, services, and start-ups. Nevertheless, addressing privacy concerns, including from the re-identification of anonymized personal data, as well as preventing collective harms arising from the processing of non-personal data, may remain key focus areas.
The Proposed DI Act may introduce separate provisions for protecting users against unsafe content, online harm, and various cybercrimes – including by ‘age gating’ children from addictive technologies and from certain online/digital platforms – especially those which may seek to collect/process children’s data.
In addition, moderating false information and/or curbing fake news, including content published on social media platforms, messaging services, websites, and other forums, might be important areas of focus. In this regard, the Proposed DI Act may introduce compliance requirements and/or specific measures, such as periodic risk assessments, algorithmic transparency, and disclosures by data intermediaries. Concomitantly, the penalty framework for non-compliance, especially for cybercrimes and other offences, may become more stringent. A specialized adjudicatory mechanism for addressing online offences may also be introduced.
It remains to be seen whether a separate rights regime finds its way into the Proposed DI Act (similar to Clauses 12-15 under Chapter 3 of India’s current draft of the Digital Personal Data Protection Bill, 2022 (“DPDP”)), such as in respect of rights related to processed and/or shared information; correction and erasure; grievance redressal; as well as rights of nomination and/or digital inheritance. However, additional digital user rights related to secure electronic processing, as well as against discrimination and automated decision-making, may be included in the new law. Furthermore, certain rights that were part of previous iterations of DPDP but which have now been excluded – such as the right to be forgotten, may be subsumed within the Proposed DI Act in respect of non-personal data.
For instance, Clause 13(2)(d) of DPDP provides that a data principal can request the concerned data fiduciary, such that the latter will be obliged, to erase the personal data of the former when the information is no longer needed for the sake of the original processing – “unless retention is necessary for a legal purpose”. However, this stipulation appears to sit uncomfortably with Clause 9(6)(b) of DPDP which allows data fiduciaries to hold on to personal data for ‘business’ purposes – in addition to legal ones – as long as the data fiduciary’s assessment of such purpose remains backed by reasonable assumption. Thus, it is unclear whether a data principal’s request for erasure may be rejected if the data fiduciary needs (or wants) to preserve such personal data for exclusively business-related reasons, especially if and when the latter removes the means through which the underlying personal information can be associated with specific individuals (see the lead-in to Clause 9(6) of DPDP) – say, through the use of anonymization techniques. Accordingly, the current formulation in DPDP does not clarify how this conflict may be resolved, including in respect of a potential disagreement between the data principal and the data fiduciary, respectively, about whether the collected personal data is to be corrected or erased. In addition, Clause 13 of DPDP does not impose an express obligation on data fiduciaries to pass on the corrections/erasures to third parties – i.e., those with whom such fiduciaries subsequently share, or have already shared, the underlying personal data.
Similarly, under Section 22 (‘Correction of personal data’) of Singapore’s Personal Data Protection Act 2012 (“PDPAS”), an individual may request an organization to correct an error or omission in her personal data which is in the possession, or under the control, of that organization. Unless the organization is satisfied on reasonable grounds that a correction should not be made, it is required to correct such data as soon as practicable. However, unlike Clause 13 of India’s DPDP, pursuant to Section 22(2)(b) of PDPAS, the requested organization is obliged to send the corrected personal data to every other organization which such data was disclosed to within a year prior to the date of correction. Nevertheless, the latter obligation is subject to some important qualifications.
Further, similar to Clause 9(6) of DPDP, in Section 25 (‘Retention of personal data’) of PDPAS, an organization must ‘cease to retain’ or alternatively, de-identify (anonymize), personal data as soon as it is reasonable to assume that: (a) the data is no longer serving its purpose of collection; and (b) its retention is ‘no longer necessary for legal or business purposes’. Here, the reference to ‘business purposes’ may be interpreted as legitimate business purposes only (i.e., encompassing justifications based on exceptions, notice, and consent). However, from a data principal’s perspective, it may be almost impossible to prove the expiry of all ‘business purposes’ with respect to an organization. Further, it is unclear whether the onus to prove an outstanding ‘legitimate’ purpose lies with the organization itself. The advisory guidelines issued by the Singaporean Personal Data Protection Commission (“SPDPC”) in this regard do not explicitly address the question of onus either. However, organizations are expected to document and/or demonstrate reasons for retention. According to the SPDPC, an organization will be considered to have ceased to retain personal data when it no longer has the means to associate such data with particular individuals – i.e., when the personal data has been anonymized.
In this regard, in 2020, the DG Committee was of the opinion that when the underlying data is without any personally identifiable information (“PII”), it should be considered ‘non-personal’. The DG Committee had also suggested that it was possible to formulate a general definition of non-personal data according to the origins of such information – such as in respect of anonymous data that was initially personal (i.e., prior to anonymization), but now is not. Accordingly, data which is aggregated, and to which certain data-transformation techniques have been applied – such that individual-specific events, markers, or other PII are no longer identifiable – may be qualified as anonymous data.
However, based on the extent to which the DG Committee’s recommendations are included in the Proposed DI Act, personal data which is later anonymized may continue to be treated as the non-personal data of a corresponding data principal. Accordingly, a data principal could act upon any subsequent harms arising from re-identification (for instance, if an applied pseudonymization technique is not adequately robust) or even in respect of a harm otherwise arising from such data processing.
Under the Personal Data Protection Bill, 2019 (“PDP 19”) (a previous iteration of DPDP, which was the draft law on personal data in India at the time of the First and Revised DGC Reports), consent was obviously necessary – albeit for the collection and processing of personal data alone. In this regard, since the conditions for valid consent under Clause 11 of PDP 19 – involving the data principal’s ‘specific’ approval that was ‘capable of being withdrawn’ – did not apply to non-personal data, it could not, therefore, be assumed that the consent provided for the processing of personal data would apply automatically to non-personal data as well, i.e., if and when such personal data was later anonymized. Accordingly, the DG Committee had recommended that a data principal should be required to provide her consent for anonymization too, as well as for the use of such anonymized data, at the time of providing consent for collection/use of her personal data in the first instance. Accordingly, appropriate standards of anonymization may be later defined to minimize and/or prevent risks of re-identification.
The DG Committee had further recommended that, at the time of collecting personal information, ‘data collectors’ (or data fiduciaries) should provide a notice with respect to – and offer the data principal the choice to opt out of – data anonymization. Accordingly, details about anonymization ought to constitute a separate disclosure requirement. Through such notice, data principals may be informed that their personal data could be anonymized and/or used for other purposes, including in the future.
Moreover, the DG Committee had felt that it was important to extend the concept of ‘sensitivity’ to non-personal data, including when produced from anonymized personal data – especially when it remained susceptible to re-identification. This was an acknowledgement of the fact that even when personal data gets converted to a non-personal form, the possibility of harm to the original data principal remains. After all, no anonymization technique provides perfect irreversibility.
Further, the DG Committee had pointed out that the connection between anonymized personal data and non-personal data, respectively, was well-captured within PDP 19 itself under Clause 2(B) – which stated that the provisions of PDP 19 would not apply to any personal data that had been anonymized. Anonymization, in turn, had been defined under PDP 19 as the irreversible process of transforming or converting personal data to a form in which a data principal could not be identified – and where such non-identifiable form met the standards of irreversibility as specified by the relevant data protection authority. Accordingly, any personal data that had been subjected to a de-identification process and, as a result, had been successfully anonymized, would automatically become non-personal data – thus falling beyond the purview of PDP 19. However, the DG Committee did clarify that ‘mixed’ datasets – which typically contain both personal and non-personal data linked to each other – would be governed by PDP 19 alone.
At present, this understanding ought to extend to DPDP too, since DPDP is India’s current draft on personal data. Further, this understanding appears to be consistent with the EU’s General Data Protection Regulation (“GDPR”) – since it has been established that GDPR regulates mixed datasets when the non-personal components of such datasets are inextricably linked with personal data components. Nevertheless, in light of the fact that DPDP is generally silent on both non-personal and anonymized data, a clarification in this regard may be issued later. However, given that the November 2022 draft of DPDP expressly clarifies that it deals with (digital) personal data alone, such a clarification may now be unnecessary, including in light of the Proposed DI Act.
Clarifications about overlap of regimes
The DG Committee had also recommended that PDP 19 should be amended to ensure that its provisions did not end up regulating non-personal data (along with personal data). For instance, when the committee made this recommendation, Clause 91(2) of PDP 19 had sought to establish a framework within which even non-personal data could be regulated (for instance, where the central government was authorized to direct a data processor to provide it with anonymized personal data to enable better targeting of public service delivery or for the formulation of evidence-based policies). Thus, in order to ensure that the frameworks for personal and non-personal data, respectively, were kept separate and mutually exclusive – even while operating simultaneously and harmoniously with each other – the DG Committee had suggested that such provisions should be removed from PDP 19 altogether, and instead, the scope of such removed provisions ought to be included under a separate legal regime for non-personal data – and non-personal data alone. Accordingly, it would then be clear that PDP 19 did not apply to the processing of anonymized data under any circumstances.
It is possible that the lack of reference to either anonymization or non-personal/anonymized data in DPDP is a result of the DG Committee’s recommendations in this regard.
Revised intermediary framework and new technologies
Certain media reports from earlier this month suggested that the Proposed DI Act may introduce a framework to regulate data storage, localization, social media platforms, and online gaming. The new law may also introduce working guidelines to classify various internet portals – such as e-commerce websites and artificial intelligence (“AI”)-enabled platforms – differently.
In that regard, the Proposed DI Act could become the country’s default law for technology-related legislation in the future, including in respect of online/digital/social media platforms, as well as devices and internet-based applications that rely on new technologies such as the Internet-of-Things (“IoT”), AI, machine learning (“ML”), Web 3.0, wearable internet-based devices, autonomous systems, virtual reality (“VR”), and distributed ledger technology/blockchain. Given the widespread use of such new technologies in critical fields such as healthcare, banking, and aviation – their development and deployment may be made subject to rigorous requirements, including by regulating high-risk AI systems through quality-testing frameworks, algorithmic accountability, threat and vulnerability assessments, as well as content moderation.
Further, according to reported accounts – breaking away from the current catch-all method employed by the IT Act – the viability of having separate categories under the Proposed DI Act for online intermediaries on the basis of their business and user-base have formed a key element in discussion (e.g., by distinguishing social media intermediaries from other online intermediaries, including in respect of different compliance requirements based on varying standards of data processing). Such intermediaries may be classified based on: (i) the nature and extent of their involvement in content transmission (including telecom and internet service providers), (ii) their type of work, (iii) their platform content (vis-à-vis user-generated content), as well as (iv) their role in peer-to-peer information sharing.
Accordingly, intermediaries under the Proposed DI Act may include a wide variety of entities, including search engines and platforms that are involved in advertisement technology (AdTech), e-commerce, social media, digital content, and online gaming. Obligations for online gaming intermediaries under the Proposed DI Act may be included in addition to the new legal regime for operators of online games – as introduced through amendments made to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 via MeitY notification dated April 6, 2023 (the “2023 Amendment Rules”).
Further, certain intermediary obligations under the Proposed DI Act may be extended to entities that do not necessarily operate as intermediaries on the internet.
The DG Committee had also proposed the classification of a ‘data business’ (“DB”) for any organization (government or private) that collects, processes, stores, or otherwise manages personal and/or non-personal data. Further, a DB may be treated as a ‘data custodian’ (as defined in the First DGC Report) or as a data processor. According to the DG Committee, a data custodian ought to undertake information management in the best interest of the data principal. Thus, a data custodian may be similar to a ‘data fiduciary’ (as defined in Clause 2(5) of DPDP), while being subject to the directions and control of the data principal. Further, in respect of community data, data custodians may be required to exercise a ‘duty of care’ with regard to the concerned aggregation, including in connection with handling the non-personal data associated with such community. Some such duties may include the adoption of anonymization standards, protocols, and safe data-sharing.
In addition, the DG Committee had envisaged ‘data trusts’ as institutional structures comprising specific rules and protocols for containing and sharing a given dataset. Accordingly, data trusts may contain data from multiple sources and/or data custodians, especially when such data is relevant to a particular sector (and thereby necessary for providing digital services). Further, data custodians may voluntarily share the data contained in such data trusts, including when either of private or public organizations share the data held by their respective selves – as envisaged under the present draft of the NDGFP. Since data trusts may involve both mandatorily and voluntarily shared data, the government and/or data trustees may compulsorily require the sharing of important data for a particular sector with respect to specific purposes – which task could be managed and provided by such data trusts.
However, a DB need not constitute an independent industry or sector. Thus, in the future, existing businesses across diverse sectors may get categorized as DBs – if, and as long as, they collect data. For example, companies operating in sectors such as banking, finance, telecommunications, internet-enabled services, transportation, consumer goods, and travel, as well as universities, private research laboratories, non-governmental organizations, etc., may be classified as DBs, based on prescribed thresholds with respect to the amount of data collected or processed.
Further, a DB that collects data above a certain threshold may be required to register in India. Threshold parameters such as in respect of gross revenue, number of consumers/households/devices handled, percentage of revenue from consumer information, etc., may be considered relevant for the purpose of ascertaining registration requirements. In addition, applicable thresholds within the personal data framework for ‘Significant Data Fiduciaries’ (“SDFs”) might be harmonized with similar thresholds for non-personal data. Under DPDP, pursuant to Clause 11, the central government may notify any one or class of data fiduciaries as an SDF on the basis of specified factors. Further to such classification, additional obligations may be imposed on notified SDFs. The factors which may be considered to make an SDF assessment will include the volume and sensitivity of personal data processed, the risk of harm to the data principal, and national/public interest, as well as any other factor that may be deemed necessary by the government for this purpose.
Furthermore, the idea of separately classifying a DB goes beyond considerations of non-personal data alone, since organizations may collect and process both personal and non-personal data, and ultimately utilize such data for various commercial purposes – including to provide services and other economic reasons. Accordingly, a DB may be required to share metadata along with the underlying information pursuant to appropriate regulations framed in the future.
No/Limited safe harbor
The Proposed DI Act may modify the safe harbor principle, as contained under Section 79(1) of the IT Act, with respect to intermediaries. Broadly, protection from liability for different kinds of intermediaries/platforms against content shared by their users may be contingent under the new law upon the former’s compliance with prescribed obligations in respect of hosting third-party information.
In this connection, the IT Act had been previously amended by the Information Technology (Amendment) Act, 2008 (“the 2008 Amendment”), pursuant to which Section 79 was introduced under a substituted Chapter XII (‘Intermediaries not to be liable in certain cases’). This provision sought to exempt intermediaries from liability for such third-party information that was only hosted or otherwise made available by them, albeit subject to important qualifications – as spelled out by the 2008 Amendment under subsections (2) and (3) of the revised Section 79. Thereafter, the Information Technology (Intermediaries Guidelines) Rules, 2011 (the “2011 Rules”) were framed to provide clear due diligence requirements for intermediaries (pursuant to Section 79(2)(c) of the amended IT Act). Further, the 2011 Rules prohibited content of a specific nature on the internet and required intermediaries such as website hosts to block such prohibited content.
Subsequently, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “2021 Rules”) were notified, replacing the 2011 Rules. Key changes under the 2021 Rules included additional due diligence requirements for certain entities – including social media and significant social media intermediaries – as well as a framework for regulating the content of online publishers with respect to news, current affairs, and curated audio-visual content. The 2021 Rules were further amended in 2022 to extend such additional due diligence obligations on online gaming intermediaries as well.
Finally, earlier this year, MeitY published draft amendments to the 2021 Rules related to due diligence by an intermediary, inviting feedback from the public. Further to such feedback, a few months later, MeitY notified the 2023 Amendment Rules – which amended the 2021 Rules, especially in terms of (a) online gaming, (b) due diligence by online gaming intermediaries, as well as (c) grievance redressal in this regard.
Given that this is how things currently stand in respect of India’s proposed digital governance architecture, in the next note of S&R Data+, we will examine the specific concerns related to children’s data under this regime, including in light of DPDP and other data protection frameworks – such as those in the US and Europe – with respect to children’s personal data.
This insight has been authored by Deborshi Barat (Counsel); he can be reached at firstname.lastname@example.org for any questions. This insight is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.
© 2023 S&R Associates