- An overarching policy governing non-personal data should have cross-sectoral jurisdiction
- Before coming up with a regulation for NPD, the government should put its house in order
- Government should have gained some experience in regulating personal data first
There is a need for an ‘overarching guiding framework in terms of policy’ that would govern not just non-personal data but would be a ‘broader policy’ formulated collectively by the government, industry, and consumers, said Amol Kulkarni from CUTS International.
Kulkarni was speaking at MediaNama’s ‘Regulating Non-Personal Data’ event held on February 18, 2022. The panel on ‘Privacy and NPD’ also included Amlan Mohanty from Google, Anand Venkatanarayanan from Hasgeek, and Digvijay Chaudhary from the Centre for Internet and Society, with Smriti Parsheera from CyberBRICS as the moderator.
This event was organised with support from Google, PhonePe, Amazon, Meta, and Microsoft. To support future MediaNama discussions, please let us know here.
Broader NPD framework should minimise harms
The regulatory framework for NPD should encourage consumers to utilise the data, encourage data sharing, and minimise harms, Kulkarni said.
Should have cross-sectoral jurisdiction: “Then we should look into different mechanisms of how can regulators, sector-level regulators as well as cross-sector regulators like Competition Commission of India, and perhaps the e-commerce regulator in near future or some other regulator, which has cross-sectoral jurisdiction, can add to this sort of policy-level discourse, and then can accompany the Personal Data Protection Bill to address some of the privacy-related concerns under non personal data,” Kulkarni said.
Government should put its house in order: He also asked the government ‘to put its house in order’ before it starts regulating NPD of the private sector and consumers. “Government is the biggest data fiduciary. It collects a lot of data and also the objective under the Data Protection Bill was to mandate data sharing for better policymaking. So if you already have collected a lot of non-personal data, are you first actually using it right now for better evidence-based policymaking?” he asked.
“Given that there is already a push for open data of government data and there is steps that the government has already taken in terms of policy commitments, it may make sense to instead of making this a law, roll it out as a smaller pilot project in some of those sectors and then, see what are the limitations that come up, who are the trustees who come up, whether the community is really represented in all of these, is their addresses all of this working, is privacy being protected, and then only try to scale it up?” — Smriti Parsheera
Exclusion, another big harm: “We have noticed that exclusion is a very big harm when it comes to communities or different types of people,” he said. Kulkarni was referring to exclusion from benefits which the government is providing to the citizens. He was speaking in the context of the need for a framework that would not just address issues related to NPD but issues such as exclusion as well.
Definitions and classifications of data need to be revisited
Expand definition of sensitive personal data: Chaudhary said that the definition of sensitive personal data should be expanded to include the protection that’s been accorded to personal data, to non-personal data too – through data minimisation and other principles.
Include aggregated data under NPD definition: “Rather than just calling it non-personal data, try to fit more and more value-locking data into the aggregate part and I think if you try to do that, there is much better definitional consistency,” Venkatanarayanan said, terming aggregated data as a ‘promising’ aspect which has not been explored in the context of non-personal data regulation. Technically a lot of privacy harms can be mitigated when it comes to aggregated data and that it can be ‘layered much more deeper with differential privacy,’ he added.
What should an ideal regulatory structure for non-personal data look like?
In response, Chaudhary identified four main areas of regulatory concern —
- Competition issues arising out of NPD governance
- Chaudhary said that the Competition Commission of India (CCI) is competent enough to pass judgement on such issues.
- Trade-related issues
- International trade rules would obviously apply to data-sharing requirements, he said.
- National security issues
- Various government systems including NATGRID and CMS, they collect huge amount of non-personal data. Processing those sets of data, the principles of proportional and non-discrimination have to be taken into consideration in order to give access to the government to additional sets of data, Chaudhary said.
What’s the hurry in regulating NPD? Highlighting the government’s lack of experience when it comes to regulating data, Chaudhary said, “Why cannot we go step by step – first consider streamlining the regulation of personal data. Gather experience and then develop further regulation which the government may think is important.”
“The risk of re-identification and the impossibility in modern technologies of anonymization has come to mean that there are no completely non-personal datasets. Therefore, the first solution is that whatever systems that you have taken place — the data prediction laws that you have in place reject them all and start afresh.” — Digvijay Chaudhary
- MP Amar Patnaik on Non-Personal Data: Different DPAs would impede protection of citizens’ rights #NAMA
- Data Protection Bill 2021: MP Amar Patnaik bats for data regulators at state level
- Data Protection bill 2021: How the JPC wants to deal with non-personal data
Have something to add? Subscribe to MediaNama here and post your comment.