India could soon become the first country in the world to introduce legislation on non-personal data protection. But the draft framework leaves more questions than answers on the rights of individuals and the duties of data businesses, and the feedback received on the draft law has been kept confidential.
Last month, the Committee of Experts on Non-Personal Data released a revised report on the Draft Non-Personal Data Framework. Despite the previous report drawing around 1,500 submissions of feedback, the revised report still fails to address many crucial issues.
One of the most glaring problems with the report is its inaccessibility. The current and past reports have been drafted only in English, even though they discuss mechanisms of public consultation and community participation. The committee should make the effort to translate the report into as many languages as possible and deliver it to stakeholders such as farmers’ groups (a group the report enthusiastically uses as an example).
What Is Non-Personal Data?
Generally, governments around the world recognise two types of data: personal and non-personal. Personal data refers to any information that is personally identifiable – such as a person’s name, residential address or voter ID.
One would think that non-personal data is exactly the opposite, but this is not quite true. Governments and businesses regard non-personal data as only a few degrees less private than personal data. This is the data that businesses run on. Take the cab-hailing company Uber. It collects location and demographic data from its users to understand demand. It uses this data to make assessments such as the traffic conditions in an area at a particular time of day and the number of people who travel to and from that area. Decisions on pricing and the availability of cabs are then taken on this basis.
The report seems to suggest that people lose control over their personal data once it is regarded as ‘non-personal’. Ironically, though, the misuse of this non-personal data by businesses usually infringes upon the personal data of the users. For instance, Vahan, the vehicle registration database developed by the Ministry of Road Transport and Highways, was misused by rioters to target members of the Muslim community; their vehicles were attacked and set on fire.
This means a simultaneous infringement of both the personal and non-personal data of users. Suppose an individual takes an Uber cab from her home in place ‘A’ to her workplace in place ‘B’ at 9 am every day. Uber keeps a record of this information and begins to push notifications to her on the days she does not book a cab or has not yet booked one. Thus, this non-personal data is also used to personally target individuals, so it never really loses its personal essence.
Corporate Interests Over Public Interests?
The report is also heavily pro-corporate. Take for instance the liability clause for data businesses under Clause 8.15. Data businesses are a new category of companies, defined as companies that collect personal and non-personal data. Under Clause 8.15, the report defines liability for data businesses: “Organisations are to be indemnified against any vulnerability found as long as they swiftly remedy it and adopt a standards-driven approach.”
This, read with the fact that they have a one-time registration process to become data businesses (as opposed to a licensing system), reduces their liability. In a licensing system, there can at least be certain standards that these businesses will have to adhere to – one of them being the strictness of the measures taken to protect non-personal data.
The report also does not provide for revoking the one-time registration in case non-personal data is misused, or is breached by a third party because the company responsible did not take sufficient precautions to protect it. It does not even attempt to discuss the strict penalties that should be imposed, or the compensation to be given to communities, in case this data is violated. It remains to be seen whether these aspects will find mention in the final legislation.
In addition, Clause 7.4 (iv) creates a distinction between ‘active misuse’ and ‘accidental misuse’ of non-personal data. The committee has, strangely, not described how this ‘accidental misuse’ of data can occur, but has provided that it will be immediately forgiven if the company has the mechanisms to “swiftly remedy it.”
When is Personal Data ‘Non-Personal’?
The report says that the Non-Personal Data Authority (NPDA) will decide whether personal data meets the standards of anonymisation so that it can be classified as non-personal data. (Anonymisation has been defined under Section 3(2) of the Personal Data Protection Bill, 2019 as the “irreversible process of transforming or converting personal data to a form in which a data principal [or data subject – individuals like you and me from whom the data is collected] cannot be identified.”)
But using the logic of the report itself – that if all things go well, this might be the first legislation on non-personal data protection in the world – the committee should have made an effort to draft basic guidelines on what the standards of anonymisation should be, with detailed examples.
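To see why such guidelines matter, consider a naive approach that simply hashes identifiers. The minimal Python sketch below (all field names and values are hypothetical, not drawn from the report) shows that unsalted hashing is reversible whenever the identifier space can be enumerated, so it would fail the “irreversible” test of Section 3(2):

```python
import hashlib

# Illustrative record; the field names and values are made up for this sketch.
record = {"voter_id": "ABC1234567", "trips_per_week": 5}

def naive_anonymise(rec):
    """Replace the direct identifier with its unsalted SHA-256 hash."""
    out = dict(rec)
    out["voter_id"] = hashlib.sha256(rec["voter_id"].encode()).hexdigest()
    return out

anon = naive_anonymise(record)

# An attacker who can enumerate the identifier space (voter IDs follow a
# known format) can precompute a lookup table and reverse the "anonymisation".
candidates = ["ABC1234567", "XYZ7654321"]  # toy candidate set
lookup = {hashlib.sha256(v.encode()).hexdigest(): v for v in candidates}
reidentified = lookup.get(anon["voter_id"])  # recovers the original voter ID
```

Genuinely irreversible anonymisation requires stronger techniques, such as aggregation, generalisation or differential privacy – precisely the kind of standard the report leaves unspecified.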
One of the examples under the heading ‘non-personal data collected by public entities’ is “police department collecting video footage about a public gathering from private news channels.” While the report has passed this off as a casual example, the usage and collection of data in this manner is highly problematic. Where do we draw the line between the usage of this footage for the collection of non-personal data and full-fledged surveillance?
Further, according to the report, “Mixed datasets that typically have inextricably linked personal and non-personal data will be governed by the Personal Data Protection Bill.” Such datasets include e-commerce data relating to a company’s customers’ orders, preferences, interests, shopping patterns, feedback etc. The report, however, fails to mention the standard that will be used to decide when this mixed data should be governed by the Personal Data Protection Bill. While one possible reply to this might be (using the committee’s own words) that the “jurisprudence will evolve over time”, it is better to be specific at the outset than to be vague and leave it to businesses to decide.
The report gives data subjects the option to not allow their personal data to be processed as non-personal data, by choosing to opt out of the anonymisation process. (Once personal data is anonymised, it becomes non-personal data.)
The report is unclear on what happens if a person refuses to allow their data to be anonymised. Will their personal data not be processed at all? Or will it just not be processed as non-personal data? Will the person ever be prevented from anonymising their data, just for the sake of protecting their personal data?
Additionally, providing this option is problematic because personal data should not be barred from being anonymised. Doing so might compromise the security of that data, since data that is anonymised and unrecognisable is always the safer option. For instance, if anonymised data is hacked by a third party, the identities of the people whose data has been compromised will still be unknown.
There may also be instances where the users might want their data to be anonymised irrespective of its status as non-personal data. For instance, transgender people submit sensitive personal data on the Transgender Portal, which – if not anonymised – might affect their safety. The report must allow the data to be anonymised and then provide the data subject with the option to opt out of allowing their personal data to be processed as non-personal data. The question then is: At what stage does this opt-out option apply? For instance, if the data has already been anonymised and if the processing has already begun, can the data subject revoke their consent?
Confusing New Concepts and Functionaries
The report is unclear about the difference between the functions of the Data Business (in the non-personal data policy) and the Significant Data Fiduciary (in the personal data policy). This brings us to the new bodies created in the report: the data trustee, data custodian, data processor, data business and Non-Personal Data Authority are all new functionaries with seemingly overlapping roles. The report could have done better in illustrating and explaining these roles.
In Clause 7.7, for instance, the report states, “A data trustee can be organically created by the coming together of some community members.” Going strictly by the language of the report, the word ‘can’ makes it seem like the trustee is a voluntary body. The vagueness of the term ‘some community members’ also leaves the reader with many questions: Who chooses these members, how do they plan on getting the consent of the community, and what if community members do not come together to begin with? Or is this also ‘jurisprudence that is yet to evolve’?
The data custodian can either be a government body or a private entity. If it is a government body, how will it deal with its conflict of interest between the protection of the community’s data and the promotion of data businesses?
Overall, the report does leave the reader with just as many questions as the first draft. The fact that the Committee on Non-Personal Data has decided to keep the consultations and feedback received confidential doesn’t really help the cause. One can only hope that the committee takes its time with the feedback and doesn’t hastily begin drafting the legislation in its rush to be the ‘first country’ in this matter.
Sarada Mahesh is a lawyer based in Bangalore. She works as a legal researcher and aims to make the law simpler and more accessible.