Draft Report on Non-Personal Data
#GS2 #Laws #Governanace
A draft report on non-personal data has sought to bring some clarity to a pack of contentious issues in India’s data privacy space.
- The panel has tried, but with limited success, to define non-personal data. It has delved into crucial subjects such as ownership of data, undertaking a data business, and data sharing.
- It puts forward useful suggestions on the need to set up a ‘non-personal data regulatory authority’ to manage India’s vast and emerging data space while nurturing a creative and egalitarian technology architecture.
- However, the report is not free of the ambiguities embedded in earlier policy papers on the subject, including the overarching Personal Data Protection (PDP) Bill 2019.
- A major concern arising out of the new report is the lack of clarity on how it defines non-personal data. It considers this to be data that is not related to an identified or identifiable natural person.
- According to the report, this would include data on weather conditions, from sensors installed on industrial machines, from public infrastructure, and so on.
- Another category of non-personal data could pertain to information that initially was personal data but was later made anonymous. For instance, the report says that data that is aggregated and to which “certain data transformation techniques” are applied to the extent that the individual or specific events related them are no longer identifiable can qualify as anonymous data.
- The data transformation techniques that can be used to “anonymize” personal data are not clearly defined. Vested interests can exploit the situation.
- The panel’s suggestions also end up giving the State immense powers to define and determine non-personal data and use that for its interests. This doesn’t augur well for democracy, besides hurting business interests. A new form of digital control raj should be avoided.
- Another potentially controversial idea is the suggestion to create a Non-Personal Data Authority. The panel suggests that data can be classified into three categories — public, community, and private non-personal data, based on their ownership and origin of creation. There is little clarity on who owns what kind of data as reflected in the way the report defines and identifies stakeholders such as data principal, data custodian, data trustee, and data trust. The roles of these parties are still not delineated.
- These issues need to be addressed to avoid unethical practices, especially in a country like India which is witnessing a data economy explosion.
- Going forward, this could lead to a chain of exploitative practices, legal wrangles, and policy deadlocks, only benefiting vested interests — if the legal framework is not revisited. Bringing transparency into the data debate is the need of the hour.