Business Lawyers on Navigating Non-Personal Data Governance in India

The digital economy is rapidly evolving, and with it comes the pressing need for effective governance of data — both personal and non-personal. As highlighted by Vaneesa Agrawal in her Thinking Legal article , the regulatory landscape surrounding non-personal data (NPD) in India is still in its infancy, presenting both challenges and opportunities.

This article will delve into the current regulatory framework, emphasise business lawyers ‘ concerns over privacy and security, and examine the dominance of big tech companies in this space, all while building on insights from recent developments in the field.

Regulatory Framework: A Work in Progress

India’s approach to data governance has been significantly shaped by the enactment of the Digital Personal Data Protection Act (DPDP) in 2023. Business lawyers say that while this Act primarily focuses on personal data, it lays a foundation for understanding how non-personal data might be regulated in the future. The DPDP establishes a framework for data protection that includes provisions for penalties, data audits, and impact assessments. However, business lawyers note that it lacks comprehensive regulations specifically addressing non-personal data.

“This gap in legislation creates a situation that requires careful navigation and legal expertise.”

- Vaneesa Agrawal, founder of Thinking Legal

To understand the aspects of the DPDP Act 2023, check our article titled “Understanding India’s Digital Personal Data Protection Act and DPDP Bill, 2023”

Business lawyers point out that the Expert Committee on Non-Personal Data Governance Framework, led by Kris Gopalakrishnan, has proposed a regulatory authority dedicated to overseeing NPD. This authority would be responsible for establishing guidelines for data sharing and addressing risks associated with non-personal data. This has sparked discussion among business lawyers, with them analysing its potential impact on various industries.

Recent developments, as highlighted by business lawyers, indicate that the Ministry of Electronics and Information Technology (MeitY) is working towards creating the National Data Governance Framework Policy (NPD Framework), which aims to maximize the benefits of NPD while ensuring its responsible use.

“The NPD policy could serve as a critical building block in India’s digital architecture by promoting data-driven governance.”

- Vaneesa Agrawal, a prominent business lawyer.

But Vaneesa Agrawal , the founder of Thinking Legal, also notes that despite these initiatives, significant gaps remain. The absence of enforceable regulations leaves non-personal data largely unregulated, raising concerns about potential misuse. Business lawyers emphasise that the lack of clarity regarding roles and responsibilities — such as those of data custodians and trustees — further complicates governance efforts.

Concerns Over Privacy and Security

One of the primary concerns surrounding non-personal data is its potential to be re-identified or deanonymized. Vaneesa Agrawal, a leading business lawyer , highlights that even when data is anonymized, advanced techniques can sometimes reverse this process, exposing sensitive information about individuals or communities.

The Expert Committee and business lawyers have highlighted that certain categories of non-personal data — especially those derived from sensitive personal data — pose significant risks if not adequately regulated. This has also led to discussions among business lawyers about the need for specialized legal knowledge in data protection, with suggestions that every business lawyer should have a basic understanding of data privacy laws.

“The Indian government has expressed concerns regarding the vast amounts of data collected by big tech companies like Google and Facebook.”

- Vaneesa Agrawal, Thinking Legal

Business lawyers note that these companies often possess extensive datasets that can be exploited to influence public opinion or manipulate consumer behaviour. The growing digital footprint of citizens raises alarms about privacy violations and security risks associated with such vast collections of data.

Moreover, as AI technologies become more sophisticated, they increasingly rely on large datasets for training models. This reliance raises ethical questions about consent and ownership of data.

“The government’s efforts to regulate AI usage will likely intersect with discussions around non-personal data governance.”

- Vaneesa Agrawal, a Prominent Business Lawyer

Know more about AI and its ethical concerns with legal inputs from Vaneesa Agrawal here .

Big Tech Dominance: A Double-Edged Sword

The dominance of big tech companies poses a significant challenge in the realm of non-personal data governance. Business lawyers point out that these corporations have the resources to collect and analyse vast amounts of non-personal data, often outpacing smaller players in the market. This creates an uneven playing field where smaller companies struggle to compete. Recent reports also indicate that MeitY has flagged concerns regarding the growing influence of these tech giants in India’s digital landscape.

“The ministry’s internal presentations have pointed out potential threats posed by big tech’s extensive data operations, including vulnerabilities related to user privacy and national security.”

- Vaneesa Agrawal, founder of Thinking Legal

Furthermore, business lawyers also see that there are fears that current regulatory frameworks may inadvertently favour these large corporations by allowing them access to valuable datasets while stifling competition from local businesses. The government’s push for a more equitable digital economy must address these disparities to ensure fair access to non-personal data for all stakeholders.

Opportunities Ahead: Crafting a Comprehensive Framework

Despite these challenges, business lawyers across India point out that there are significant opportunities for India to shape a robust regulatory framework for non-personal data governance. The government’s ongoing initiatives signal a commitment to addressing these issues head-on.

Establishing Clear Guidelines

Creating a Regulatory Authority

Encouraging Public Awareness

Fostering Collaboration

Global Leadership

In Conclusion

As India continues its journey towards becoming a digital powerhouse, navigating the complexities surrounding non-personal data governance will be crucial. Business lawyers highlight that while significant challenges remain — particularly concerning privacy risks and big tech dominance — the ongoing efforts by the government present an opportunity to create a balanced regulatory framework that fosters innovation while protecting user rights.

The future of India’s digital economy hinges on how effectively it addresses these challenges while capitalizing on the opportunities presented by non-personal data governance. As stakeholders from various sectors engage in this critical dialogue, Vaneesa Agrawal, an expert business lawyer, concludes that it is imperative that they work collaboratively toward establishing a framework that not only promotes growth but also safeguards individual rights in an increasingly interconnected world.