A single regulator is needed for personal and non-personal data: CUTS International

Updated: Jul 16, 2020 06:33:16am

New Delhi, July 16 (KNN) While welcoming the release of the report of the Committee of Experts on Non-Personal Data (NPD) Governance Framework, Udai S Mehta, Deputy Executive Director, CUTS International, cautioned against having different regulators in cognate sectors, which may end up working in silos.

“There is a need to adopt a whole of government systems approach towards data regulation, and the Data Protection Authority should be the single data regulator in the country,” an official statement quoted him as saying.

The report also calls for establishing a separate regulator for non-personal data: the Non-Personal Data Protection Authority. It also gives appropriate consideration to the sensitivity of NPD, on the lines of personal data, as given in the Personal Data Protection Bill 2019 (PDPB). However, the same is devoid of data principals’ perspectives, as was the case with the PDPB as well.

The report highlights the importance of lightweight regulation and remains conscious of the compliance costs of regulations. However, it misses out on stressing the adoption of a scientific and inclusive regulation-making process, such as undertaking regulatory impact assessment; framing risk-based regulations giving due consideration to the rights of data principals; and ensuring regulatory harmonisation.

The report recommends securing consent of data principals for processing NPD, along with personal data. Such stress on consent, while important, enhances the risks of consent fatigue. The report does not comprehensively discuss rights of data principals, including actions they are eligible to take in case of violation of their rights. The avenues and mechanisms for data principals to avail redress of their grievances are also not discussed adequately.

Just like the PDPB, the report calls for local storage of critical NPD, while allowing data mirroring for sensitive NPD. Several adverse impacts of mandating local storage of data under the PDPB have been well documented in CUTS studies – Data Localisation: India’s Double-Edged Sword and Consumer Impact Assessment of Data Localisation. Thus, costs and benefits of such recommendations need to be examined in detail.

The report empowers the government to request access to NPD for security, legal, law enforcement and regulatory purposes. However, despite recognising the possible privacy violations through NPD, it fails to recommend upholding the principles of necessity, legality and proportionality while enabling such access.

The report calls for mandating sharing of NPD to open up competition for startups. This may not be considered as the first option to foster competition. An enabling environment for data sharing, through mechanisms like data portability, essential facilities doctrine, and regulation of data use in common ownership entities could be envisaged. The report has rightly excluded algorithms and proprietary knowledge from the ambit of data sharing.

A few other areas touched upon by the report that require further scrutiny include the relation between data custodians and data principals, the trusteeship model for enforcing the rights of community data principals, and the management of data trusts, among others.

CUTS will be submitting its detailed comments on the report.

