Personal data includes all data about or relating to a person who is directly or indirectly identifiable by such data. All data collected by a body that cannot be classified as someone’s personal data can be termed non-personal data. In common parlance, non-personal data includes data sets aggregated and collected by various mobile applications, websites and devices on the internet, arising from the digital trail that individuals (data principals) leave in the wake of their internet usage.
This could include data generated from individuals about their behavioral patterns and preferences on social media and intermediaries that have been collected and further anonymised. It could also include large quantities of data on climate trends generated by a weather app, or the traffic patterns generated by a taxi app, which did or did not originate from an individual, or cannot be identified to an individual.
Personal data can be traced back to an individual. The critical difference with non-personal data is that it challenges the notion of individual control over data, as individuals are unlikely to be aware of what their personal data can reveal when aggregated with a multiverse of other data points.
As a collective resource, aggregated data must be leveraged for better governance. It can guide policymakers to innovative solutions to modern-day problems, keeping data as evidence.
Personal Data Protection Bill, 2019
Use Of Non-Personal Data In Governance
The Personal Data Protection Bill, 2019 gives powers to the government (clause 91(1)) to frame policy with the aid of non-personal data for growth, security and integrity of the digital economy, and for the prevention of misuse of data. For this purpose, the government will also have the power to direct any data fiduciary/data processor to provide non-personal data to ‘enable better targeting of delivery of services or formulation of evidence-based policies.’
In India, with its myriad developmental issues, the scope for datasets to drive policy interventions is large. For example, industries such as health tech, fintech and telecom have started to rely on datasets to innovate and provide new-age solutions.
As per this clause, the government can access data from both data fiduciaries and data processors, which includes non-personal data or anonymised data. This undermines the existing business practices wherein the data processor is contractually bound by the data fiduciary and cannot share data (personal or non-personal) or any insights thereof, as they belong to the client of the data processor on whose behalf the data processing entity is conducting data processing activities as per instructions and contract.
This will have a huge impact on the business confidence of clients and foreign nationals of data processing companies in India, as they would be apprehensive of the government’s access to data.
Such a provision is likely to discourage innovation and investments in India, as the government is asking for non-personal data as well as anonymised personal data. There are also concerns that business-sensitive information, including trade secrets, can be sought under the Bill’s ambit.
As data has been defined to include “insights collected from data,” such access to data by the government would infringe upon the intellectual property rights of companies and other businesses. This clause is likely to bypass the control of the data fiduciary and the obligations of the data processor under its contract with the data fiduciary.
De-Anonymisation of Personal Data by Govt
Under clause 91(2) of the draft Personal Data Protection Bill, 2019, the government, in consultation with the Data Protection Authority, has the power to direct any data fiduciary to provide anonymised personal data for the purpose of evidence-based policymaking. The definition of anonymisation given in the bill provides for an irreversible process, but given the nature of cryptography, anonymisation and de-anonymisation techniques are growing simultaneously. Though the aim is to achieve absolute irreversibility of anonymised data, it cannot be disregarded that the technology for de-anonymisation is also growing.
Additionally, the scope of this bill should be limited to the protection of personal data and individual privacy. Venturing into the territory of non-personal data should not be the aim of this bill. Therefore, this provision should be deleted, and until the report on non-personal data by the expert committee is published, the government should refrain from making any policy decisions with regard to non-personal data.
Challenges & Opportunities
It is important that any regulation dealing with non-personal data allows for its free flow and provides access to data sets for communal benefit and for building a digital economy. It must aid innovation and the establishment of a larger ecosystem surrounding data. A data sharing framework and the free flow of data allow users of data processing services to use the data gathered in different markets to improve their productivity and competitiveness.
Users can, therefore, take full advantage of the economies of scale provided by the large market, improving their global competitiveness and increasing the interconnectivity of the data economy.
The aim of the new law must be to provide assurance that the rights of citizens to the protection of their personal data are always respected, including when their data are mixed with other types of data, and that their data are properly anonymised.
The law must balance the interests of businesses on one side and individual privacy and security on the other. While it is welcome to see the government increasingly rely on aggregated data to leverage its potential in driving effective policy changes, there needs to be a stronger, more detailed framework that looks at the possibility of excesses of power and their effect on the market.
Moreover, the placement of provisions relating to non-personal data in a Personal Data Protection bill is a mismatch. The Data Protection Authority has a mandate to regulate matters relating to privacy and personal data of the users. Against this backdrop, it remains unclear how the provision is to be operationalised, with no empowered regulator in place to keep a check.
[The article was co-authored by Karthik Venkatesh and Kazim Rizvi, The Dialogue team]