The Committee of Experts on Non-Personal Data (NPD) Governance Framework has released a revised draft on NPD after incorporating suggestions from the first. The committee is soliciting recommendations on the revised draft from stakeholders till January 31, 2021.
Meanwhile, the Internet Freedom Foundation (IFF) has called the draft ‘unconstitutional’ and submitted their feedback to the committee with some concerns and policy recommendations.
What Does The New Draft Say?
Along the lines of the first draft, the revised one also classifies non-personal data, as any data that does not identify a person (like weather data) or anonymised data. Majority of the data that will be classified as NPD is likely to be anonymised data.
The draft bats for a clear divide between NPD and personal data. The committee also recommends breaking away NPD from the rubric of Data Protection Authority, under the Personal Data Protection (PDP) Bills 2019. The report calls for a change in the PDP Bill, so that the DPA can only regulate NPD if it is de-anonymised, and a separate NPD Authority with ‘radically’ different function from DPA, focusing on the promotion of NPD for commercial purposes.
The draft also proposes a new classification, ‘Data Businesses’, for entities above a certain threshold, in terms of data processed. Such businesses will play a role as data custodians and have an obligation to share the relevant NPD when requests are made to create ‘High-Value Datasets’. The requests can be made by any entity, including government ministries.
Concerns
The committee has defined the NPD in broad brush strokes, calling it any data that is not ‘personal data (as defined in the PDP). Experts are still on the fence on what part of data is ‘personal’ or ‘non-personal’. Hence, with such a broad definition of NPD, it is a matter of grave concern as classifying the wrong data as NPD could amount to infringing on privacy.
Further, the committee does not even mention the Puttuswamy judgement on the ‘fundamental right to privacy’ in the entire report. This, according to IFF, is ‘shocking’ and ‘extremely worrying’.
In principle, the draft agrees that adequate barriers are needed to prevent anonymised data from being re-identified. But re-identifying anonymous data with great accuracy across contexts is not a big deal. Given that a large portion of NPD will consist of anonymised personal data, such issues must be dealt with.
IFF also thinks it is an ‘unwise’ and a ‘faulty’ approach to consider de-anonymisation as the only potential risk as the report envisages the expropriation of data from private enterprises at a scale that will vary in quality, scope, type and frequency. Meaning, it will create a power imbalance, with the government having a lot of say, especially if there is a lack of transparency as to how the data will be used.
The general assumption is more data is always good. However, the more data is collected, the more it puts citizens at the risk of exploitation. According to IFF, it is worrisome because the draft has taken an approach of ‘data maximisation’. The economic rationale to collect the data in abundance does not always hold. We need to first try and understand whether we need the data to solve a particular problem. The approach also goes against the standard principle in global data protection legislation that focuses on data minimisation through purpose limitations.
Additionally, the report fails to substantially engage with concerns about data monopolies and market failure and does not adequately consider competition law.
The lack of transparency and the overall superficial consultation process when drafting the report is another major concern. There were around 1,500 submissions in feedback, none of them was made public, raising doubts whether these consultations are just perfunctory. While the present version of the draft report mentions consultations, the report fails to mention the extent, nature, and scope.
Recommendations
With the aim that there should be robust guidelines to protect citizen’s digital rights, the IFF recommends disbanding the committee, recalling the draft report, and allowing NPD to be regulated under the DPA. Doing so will shift the focus towards the protection of citizens and ensure well-defined regulatory mechanisms for NPD. This will also reduce confusion and minimise potential risks.
Currently, even the PDP Bill –still under review– has been criticised heavily, mainly because it gives excessive power to the government to handle data. The addition of another authority will only bring more ambiguity. Instead, the government should focus on more transparency in the current mechanisms.
More than forming another body that can increase non-personal data use, the committee should focus on safeguarding user data and users. Also, it should focus on competition policies to avoid data monopolies and puts checks and balances to prevent the government from expropriating data, leading to power imbalances.
