Non-personal data likely to be dropped from new data law
The addition of non-personal data in the law was recommended by the Joint Parliamentary Committee set up to examine the Personal Data Protection Bill, 2019.
Non-personal data, or anonymised datasets that shield the identity of an individual, are not likely to be a part of the upcoming data protection law currently being finalised by the Union ministry of electronics and information technology (MeitY), officials familiar with the matter said.

“The government has been very clear that the data protection law must not create roadblocks or breaks in development of the Indian economy,” an official said on the condition of anonymity. “The law was formulated for personal data and it is not likely to contain references to non-personal data.”
The official added that the draft law will need a review in the post-pandemic era, and that the “government is examining and studying all the provisions.”
The addition of non-personal data in the law was recommended by the Joint Parliamentary Committee (JPC) set up to examine the Personal Data Protection Bill, 2019. It was only in December last year that the committee tabled its report, which has since been under examination by the government. Several members of Parliament argued against the final draft, stating that it provided “unbridled” exemptions for the government, which was a cause for concern.
The draft law, the official cited above said, is likely to be introduced in the monsoon session of the House.
“Expediting the personal data protection law should be the focus. Legislating non-personal data would require deeper deliberations,” said NS Nappinai, Supreme Court lawyer and founder of Cybersaathi. “Hence if indeed it’s true that the proposed draft is moving back to its original focus on personal data, and by doing so the enactment can be expedited, it would be a welcome move.”
The inclusion of non-personal data within the scope of the draft law by the parliamentary committee also meant a deviation from the original draft of the law penned by the Justice Srikrishna Committee. That set the foundation for data protection law that secures individuals’ informational privacy and autonomy.
“The government may have taken decision that it is better to protect the fundamental right to privacy, declared by the Supreme Court. Adding non-personal data would have ended up creating confusion,” said a person aware of the committee’s recommendations, asking not to be named.
The parliamentary panel’s version proposed bringing non-personal data under the ambit of a Data Protection Authority that would be setup to check data-sharing, storing, securing, and accessing policies. “... we cannot keep non-personal data above or beyond the law or regulation. Instead, there should be different layers of protection or security on these two types of data. Besides, when we are creating Data Protection Authority, the Authority necessarily has to deal with all disputes pertaining to data protection, whether personal or non-personal. Thus, a larger umbrella of Data Protection Authority has been created in which non-personal data will also be governed by rules and regulations,” the committee said in its recommendations.
“There was a lot debate on whether non-personal data should be added. The panel has submitted it findings after several rounds of consultations,” said a member of the joint parliamentary committee involved in the drafting of the law, who too asked not to be named. .
Most stakeholders told the committee that non-personal data should not be included within the scope of the law.
The committee’s proposal on non-personal data was “a major change in the scope of the bill and widened the regulatory perimeter to such an extent that there is less clarity on how the regulator will effectively regulate both personal and non-personal data, how companies will comply, and how individuals will exercise the rights granted to them,” said Kazim Rizvi, founder of the tech policy think tank, The Dialogue, which was among the organisations that submitted recommendations to the committee.
He added that the purpose and genesis of the upcoming data protection legislation is to protect the informational privacy of individuals. “In contrast, the requirement to regulate non personal data stems from the objective to unlock the economic value of data to benefit citizens, businesses, and communities in India. Given these divergent purposes, housing the regulation of both data sets under one legislation’s umbrella would lead to multiple sticking points for implementation and compliance,” he explained.
The government is also working on a separate legislation to govern non-personal data. Set up by the ministry of electronics, and headed by Infosys co-founder S ‘Kris’ Gopalakrishnan, the committee is working on the regulatory structure for non-personal data and has held several rounds of stakeholder consultations.
