Unconstitutional draft report on non-personal data ignores concerns about privacy and data monopolies


Tl;dr

We submitted our comments on the second version of the Draft Report by the Committee of Experts on Non-Personal Data Governance Framework. In our comments, we raised four concerns that we felt needed to be addressed: firstly, that the definition of non-personal data provided contains significant ambiguities and is based on an unconstitutional approach; secondly, that the risks surrounding de-anonymisation haven’t been adequately addressed; thirdly, that the proposed framework may lead to data maximisation, monopoly formation, and the exploitation of citizens; and, lastly, that the consultation process may be becoming superficial and opaque.

Frameworks for the governance of non-personal data

The Committee of Experts on Non-Personal Data (NPD) Governance Framework had released its draft report on a governance framework for NPD for public consultation, on which we had provided our comments. On the basis of feedback from the public, the Committee revised its report and released a second version, on which comments have been invited till January 31st, 2021.

The second version of the draft report largely toes the line of the first version. It defines NPD as data which is not personal data as defined in the Personal Data Protection Bill, 2019 (PDPB) or which does not contain personally identifiable information. Thus, NPD would either be data that does not originate from persons (such as weather data, industrial machinery data), or personal data that has been anonymised. It is the latter that must be focused upon, since it is likely that it would comprise the majority of NPD.

The draft report envisions a clean separation between NPD and personal data. It puts the regulation of NPD outside the ambit of the Data Protection Authority envisioned by the PDPB, and even sets up a parallel authority, the Non-Personal Data Authority, with a radically different function to that of the Data Protection Authority - the promotion of NPD for commercial purposes. The report even goes so far as to ask for an amendment to the PDPB, arguing for the removal of certain clauses that would allow the PDPB to regulate NPD - only if NPD is de-anonymised would it fall under the jurisdiction of the PDPB.

A new classification of business called ‘Data Business’ is proposed. Subject to certain thresholds, registration as a data business would not be compulsory. Data business would allow access through data-sharing frameworks not only to meta-data datasets for commercial purposes, but also to certain ‘High Value Datasets’, subject to some perfunctory community rights of the data. A request to create a ‘High Value Dataset’ can come from any entity - for example, as noted in the report itself, a dataset “on diabetes among Indian citizens” can be circulated with the Ministry of Health and Family Welfare acting as a data trustee.

What are the issues?

Firstly, the report provides an extremely broad definition of NPD by defining it in opposition to personal data as defined in the Personal Data Protection Bill, 2019 (PDPB). As we had indicated in our previous submission, issues arise in the context of both implementation and jurisprudence when trying to ascertain whether a given piece of data is ‘personal’ or ‘non-personal’. The proposed relationship between the PDPB and the NPD framework may also not adequately address concerns about privacy and data security. It is shocking that the nine-judge bench holding of the Supreme Court in the Puttaswamy judgment on the fundamental right to privacy is not even considered or reasoned by the Draft Report in its Second Version. This is an anti-constitutional approach that we find extremely worrying.

Secondly, as the report itself has noted, the threat of de-anonymization is a grave one against which adequate barriers must be maintained. Given that a large portion of NPD will consist of anonymised personal data, it is vital that such issues be dealt with. The relative ease of de-anonymization has already been highlighted in various contexts, while the situation in India is worsened by the lack of adequate data protection legislation. It is an unwise and faulty approach to consider de-anonymization as only a potential risk when the provisions of the second version of the report envisage the expropriation of data from private enterprises at scale that will vary in quality, scope, type and frequency.

Thirdly, the proposed version of the governance framework may enable data maximisation, wherein there is overreach in data collection by various entities. Besides the natural issues related to consent, the economic rationale given to bolster the case for a profusion of data generation and collection may not hold up, and may instead lead to the exploitation of citizens. This runs counter to the increasingly standard principle of privacy by design in global data protection legislation, which focuses on data minimisation through purpose limitation. Additionally, as we had also pointed out in our previous submission, the report fails to substantially engage with concerns about data monopolies and market failure, and does not adequately consider competition law.

Lastly, the functioning and the outputs of the present committee and the draft report are severely problematic and stray from several healthy precedents on public consultations and transparency adopted by the Ministry of Electronics and IT. While the present version of the draft report does mention consultations with stakeholders from civil society, information about the scope, extent and nature of these consultations is largely unavailable. Furthermore, the proceedings of the Committee have engendered questions about whether such consultations have had merely a perfunctory nature. The response to an RTI filed by us failed to provide any information on the workings of the Committee. Thus, it would seem that the approach adopted in releasing a second version is towards incremental changes rather than addressing the substantive issues, concerns and faulty premises adopted within the proposals. Tackling such issues is vital, as even if there is disagreement it requires reasoning and compliance with constitutional principles.

Recommendations

Our broader recommendation, given the serious issues that plague the proposed framework, is to disband the committee, recall the draft report, and allow NPD to be regulated under the Data Protection Authority proposed by the PDPB. Doing so would shift the focus onto the protection of citizens’ digital rights and ensure robust regulatory mechanisms for NPD. Questions about the fostering of growth in the sector can then be handled in consonance with an approach that safeguards user data.

At a more granular level, we proposed that the NPD be regulated by the Data Protection Authority. This would strengthen institutional independence, reduce confusion and minimise the potential risks and faulty premises adopted by the second version of the Draft Non-Personal Data Report. This also becomes necessary in light of the ease of de-anonymisation, since a proactive approach in which robust guidelines for anonymisation procedures are mandated and enforced (in addition to any retroactive procedures) may be better equipped to deal with the emerging threats posed by de-anonymisation.

Subsequently, the Data Protection Authority must junk an approach that directly enables the over-extraction of data and the formation of data monopolies, and create a model that centres the governance framework around the protection of user privacy, based on the Puttaswamy judgment on the Fundamental Right to Privacy. Finally, opacities in the consultation process must be cleared, and further information about the proceedings of the committee and the consultations held must be provided to increase transparency.

Important Documents

  1. Second version of the Draft Report of the Committee of Experts on Non-Personal Data Governance Framework (link)
  2. IFF's submission on the second version of the Draft Report (link)
  3. RTI request dated August 20, 2020 and reply received (link)
  4. First Appeal dated October 30, 2020 and FAA decision (link)
  5. Submission on the first version of the Draft Non-Personal Data Report dated September 13, 2020 (link)