A government-appointed committee of experts, headed by former Infosys vice-chairman Kris Gopalakrishnan, has submitted a draft report which talks about the need for having a law that regulates the handling of non-personal information.
The draft report on the ‘Non-Personal Data Governance Framework’ talks about how digital transformations all over the world have meant that data is treated as an asset, which is monetised, either directly by trading it, or indirectly by developing a service on top of that data.
The report adds that in a data economy, companies with “largest data pools have outsized and seized unbeatable techno-economic advantages.” Because these companies have leveraged their “first-mover advantage” to create large pools of data, smaller startups are often squeezed out of the competition or face significant barriers to entry.
India, the second-most populous country in the world and home to the second-largest smartphone user base, is by extension one of the largest data markets in the world. A law that regulates the sharing, commercial use and privacy of users' non-personal data will ensure that big corporations don’t end up creating data monopolies, which would invariably harm smaller businesses and tech startups.
For these purposes, the committee's draft report suggests setting up a regulator for the sharing, commercial use and privacy-related concerns around non-personal information.
The report mentions that sharing of non-personal data with companies and private players could lead to the creation of economic value, as the data could be useful for Indian entrepreneurs to develop new and innovative services and products from which citizens may benefit. However, it also concedes that the sharing of such non-personal data, in the form of anonymised personal data, could provide collective insights that could open the way for collective harms (exploitative or discriminatory harms) against communities.
An example cited in the report describes a scenario where anonymised data about people of a certain sexual orientation frequenting certain pubs or restaurants could lead to vigilante mobs taking the law into their own hands and cracking down on these pubs and restaurants. In such an instance, a group should have the right, under the proposed new law, to exercise collective privacy.
What Is Personal And Non-Personal Data?
For this purpose, the report seeks to delineate the terms ‘personal’ and ‘non-personal data’. According to the report, non-personal data is information that cannot identify a person, such as weather conditions and data from sensors and public infrastructure. Under the definition in the draft document, it also includes data that was initially personal but was later made anonymous.
The Ministry of Electronics and Information Technology (MeitY) has invited suggestions on the draft report. Submissions will be accepted until August 13.
The Internet Freedom Foundation (IFF), an Indian digital liberties organisation, has previously flagged the carve-out (exemption) that exists within the draft report of the Data Protection Bill. This provides the central government with the right to access anonymised or non-personal data to frame policies in the interest of its digital economy. “Such provisions show that the proposed law is far more interested in treating data as a resource. We believe that a data protection law should not be used as a legislative backdoor to commodify data,” says the IFF.
Risks With Anonymised Personal Data
The draft report recognises the risk that anonymised personal data passed off as non-personal data could subsequently lead to the identification of certain persons. It says that the non-personal data authority “must seek to work within the frameworks of the expected privacy legislation and in consultation with the Data Protection Authority, and mitigate such risks with an ex-ante evaluation of the risk of re-identification of anonymised data, prior to approving requests for data-sharing.”