#DataProtectionTop10: Impostors under the Personal Data Protection Bill

Tl;dr

In post 2 of the #DataProtectionTop10 series, we discuss in detail yet another issue with the Personal Data Protection Bill, 2019: the preference given to the private sector and the State over your data protection. This basically allows them to profit from your personal data without your consent! Here we first examine the provisions in the Bill on government access to non-personal data and the setting up of privacy sandboxes, and then discuss potential changes that could be made to include a more rights-based perspective on non-personal data.

Background

Picking up where we left off in Part 1 of this series on the issues with the Personal Data Protection Bill, 2019, this post continues with the concerns raised previously. The muddled objectives of the Bill have resulted in the inclusion of some provisions that do not really fit into the rubric of data protection. Hence, in this post we shall discuss these provisions and how they affect the privacy of the people. So, without any further ado, let’s get started!

The Issue: The use and misuse of Non-Personal Data

The provision that we are concerned with is Section 91 of the Bill. According to the Section, the Central Government can frame policies for the promotion of the digital economy so long as the policy does not cover personal data. However, it does not stop there; the Section goes on to state that the Central Government can, after consulting the Data Protection Authority, direct any data fiduciary or data processor to share any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies.

Before we dive into the issues with the provision, we need to understand non-personal data and anonymised personal data. Anonymised data is data that meets the standard of irreversibility or anonymisation prescribed by the Authority, and is in a form in which the data principal cannot be identified as per the prescribed standards of irreversibility. To begin with, anonymised data has been exempted from all the other provisions of the Bill. Till here, things seem to be fine. What is more concerning is “non-personal data”, which has been very conveniently defined under the Bill as any data other than personal data. This definition is problematic as it does not provide any clarity on what non-personal data actually is and how it can be delineated from personal data. We have discussed at length the problems with distinguishing between personal data and non-personal data in our comments on the draft framework for the governance of non-personal data. There, we highlighted that non-personal data is a very ambiguous concept and that ascertaining the degree of identifiability of a data point can be a convoluted process in the context of both implementation and jurisprudence.

Similarly, the definition of anonymised personal data is also not comprehensive, and it does not address the possibility of identification of the individuals. A seemingly innocuous non-personal or anonymised dataset, when combined with other datasets, can lead to the re-identification and targeting of the individuals to whom the data pertains. The threat of re-identification of anonymised data and the consequent violation of the privacy of individuals is very grave, as the underlying data is personal data.

Despite the concerns raised by non-personal data and anonymised data, the Government still wants access to them. It appears that the only possible rationale for this approach is that the Government sees data as a resource which needs to be harnessed at any rate for the growth of the digital economy of the country. What is equally worrying is that Section 91 serves as a kind of exemption for the Government, granting it the power to demand non-personal data or anonymised data from data fiduciaries and use it however it wants, without any regard for the security of the underlying personal data.

Sandboxes to play with your data!

By providing for sandboxes that lack adequate safeguards for personal data protection, the Bill is at its peak in favouring businesses and the growth of the digital economy over the protection of the informational privacy of individuals. A regulatory sandbox is set up for the testing of new products or services in a controlled environment, with certain regulatory requirements relaxed. A data sandbox is where data is accessed and analysed in an isolated environment. It gives innovators access to sensitive and proprietary data while respecting the privacy and intellectual property rights of the rights holders. The Bill creates a provision for sandboxes in order to encourage innovation in artificial intelligence, machine learning or other emerging technology in the public interest.

This provision is worrisome, firstly because the term ‘sandbox’ is not defined anywhere in the Bill. Secondly, it falls under Chapter VIII, which provides for exemptions from the provisions of the Bill. The necessary implication of this is that data fiduciaries get an exemption from core data protection principles such as consent, purpose specification, collection limitation, and storage limitation. Such exemptions could have detrimental effects on the right to privacy of individuals.

Solution: A rights-based approach to non-personal data

The provisions for Government access to non-personal data and privacy sandboxes are unique to the Personal Data Protection Bill, 2019. The fundamental considerations behind these provisions are the economic interests of the State, and thus they are a stark deviation from the ultimate objective of data protection legislation: the protection of the informational privacy of individuals. Thus, these provisions must be deleted.

We had voiced similar concerns when we provided our submission on the second version of the Draft Report of the Committee of Experts on Non-Personal Data Governance Framework. In our submission, we had recommended that:

  1. Non-personal data be regulated under the Data Protection Authority proposed by the PDPB. Doing so would shift the focus onto the protection of citizens’ digital rights and ensure robust regulatory mechanisms for NPD. Questions about the fostering of growth in the sector can then be handled in consonance with an approach that safeguards user data.
  2. Doing so would also strengthen institutional independence, reduce confusion and minimise the potential risks and faulty premises adopted by the second version of the Draft Non-Personal Data Report. This becomes necessary in light of issues of the ease of de-anonymisation, since a proactive approach in which robust guidelines for anonymisation procedures are mandated and enforced (in addition to any retroactive procedures) may be better equipped to deal with the emerging threats posed by de-anonymisation.
  3. Subsequently, the Data Protection Authority must junk an approach that directly enables the over-extraction of data and the formation of data monopolies, and create a model that centres the governance framework around the protection of user privacy, based on the Puttaswamy judgement on the Fundamental Right to Privacy.

This is the second post in our series on the issues with the Personal Data Protection Bill, 2019. Read part 1 here.

Important Documents

  1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
  2. Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
  3. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
  4. The SaveOurPrivacy Campaign (link)
  5. Second version of the Draft Report of the Committee of Experts on Non-Personal Data Governance Framework (link)
  6. Submission on the second version of the Draft Report dated January 18, 2021 (link)
  7. Submission on the first version of the Draft Non-Personal Data Report dated September 13, 2020 (link)

This post has been largely drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow interning at IFF under the supervision of our staff.