The nine-member panel suggested appointing a regulator to oversee how such data is shared for sovereign, welfare, regulatory and competition uses, with a mandate to ensure that individual privacy is protected and the legitimacy of a request to seek data is strictly evaluated.
The committee has sought feedback from interested parties by 13 August.
“The non-personal data authority should be tasked with enabling legitimate sharing requests and requirements, and with regulating and supervising corresponding data sharing arrangements involving data businesses, data trustees and data trusts,” the draft report of the committee said.
Recognizing the need to use data to provide a level-playing field for new companies, the committee said that global tech companies such as Google, Uber and Amazon collect user data and mine content to make better decisions, giving them an advantage.
“A combination of a first-mover advantage for these large data-driven platforms and businesses, with the sizable network effect and enormous data that they have collected over the years, has left many new entrants and startups being squeezed and faced with significant entry barriers, the draft report said.
“This may be the right time to set out rules to regulate the data ecosystem (which includes data collection, analysis, sharing, distribution of gains, destruction, etc.) to provide certainty for existing businesses and provide incentives for new business creation, as well as to release enormous untapped social and public value from data.”
Prasanto K. Roy, a policy expert, said that while competitive barriers need to be removed to spur innovation, a sweeping law that forces companies to share data could hurt more companies than just the internet giants.
“It would hurt new startups seeking funding, because investors would hesitate to invest in building up customer data as it may have to be shared with competitors,” Roy said.
Non-personal data is information that cannot identify a person and can be details such as weather conditions, data from sensors and public infrastructure. It also includes data, which was initially personal, but was later made anonymous, according to the definition in the draft document.
It said that non-personal data can also be sensitive, if it is related to national security or strategic interests, confidential business information or if it is anonymized data that has a risk of being re-identified.
“So, would Uber want to share anonymized hourly passenger traffic to indicate the busiest routes to benefit competing startups, with no compensation? The report suggests that data can be requested from businesses and government by government, citizens, startups, private firms, non-profit. That would be really worrying for firms who have invested hundreds of millions to set up the networks and apps that capture that data,” said Roy.
The draft suggested that the owner of the data should provide consent for anonymization and usage of this data by others.
It also provided technology-related guidelines for digitally implementing the recommended rules and regulations around data sharing.
The committee that was set up last year includes Debjani Ghosh, president of Nasscom; Neeta Verma, director general, National Informatics Centre, and Ponnurangam Kumaraguru, Indraprastha Institute of Information Technology Delhi member.
The development comes months after the ministry of electronics and information technology framed a draft personal data protection bill, which is currently being discussed by a joint select committee of both houses—Lok Sabha and Rajya Sabha—after which it shall be debated in Parliament.
The proposed personal data protection law deals mainly with personal data, leaving out details pertaining to non-personal data.
The draft report on non-personal data is the first step to deal with such sensitive data and will ensure that there is required governance and controls in place for sharing sensitive information, said Mini Gupta, partner at EY.
“However, mandatory data sharing can be a contentious issue, and there is a need for a framework such that if a company needs to share data, then required secure mechanisms are in place,” Gupta said.