The PDP Bill, 2019 was largely based on the European Union\u2019s General Data Protection Regulation (GDPR). Personal data, as per PDP 2019 is defined \u201cdata about or relating to a natural person who is directly or indirectly identifiable, and shall include any inference drawn from such data for the purpose of profiling\u201d. The PDP Bill, 2019, like the GDPR, excluded data that was \u201canonymized\u201d from the definition of personal data, since as per its specifications, such data could not personally identify an individual.

A growing number of new products\/services, rely not only on personal data, but also on data regarding natural phenomena, national resources, infrastructure etc. Coupled with these developments is a rising concern in governments about the ownership of various types of data with private companies, especially Big Tech, exemplified by the various legal and regulatory initiatives against Google, Facebook and Amazon etc. globally.

Similar concerns led the Indian government to set up of a Committee of Experts (CoE) to develop a framework of regulation on Non-Personal Data (NPD). Recently, it came out with the second report, where it sought to revise the scope of its recommendations of the first report on several dimensions. The premise of the CoE is that NPD covers all data that is not in the scope of PDP Bill 2019 and also includes data regarding \u201cmachines and natural phenomena\u201d.

In this article we consider the scope of the CoE proposed by the second Report on NPD regulation.

The first question is \u201csince PDP bill does not consider anonymized data under the definition of personal data, does it become \u201cnon-personal\u201d data to be regulated by the proposed NPD Regulator (as per the CoE recommendations)?\u201d Anonymized data refers to aggregated personal attributes which should no longer enable identifying the person to whom they relate. Anonymized data is, therefore, de-personalized.

With the proliferation of sources and of data collected from individuals, there are a variety of data sets, comprising different attributes, with varying degrees of personal idenitifiability. Given the increasing sophistication of algorithms and advances in hardware, the possibility of inferring personal data from anonymized data are growing. Advances in Big Data or data sets that span across a variety of domains, make it more easily possible to distinguish a person or identify a specific person from even strongly anonymized data. Anonymization as a data protection mechanism is thus more of a legacy when large amounts of data were \u201csiloed\u201d, but is clearly found wanting today. A lot of recent well publicized research shows that data protection through anonymization is a crude and inadequate mechanism.

Thus, given that there is a chance of re-identification, the definition of \u201canonymized\u201d data must account for reversibility. GDPR recognizes this and acknowledges the risk of identification from anonymous data. However, several other groups such as the European Data Protection Board and some national regulators, do not concur that such a risk is acceptable. In the Indian case, the PDP Bill, 2019 refers to anonymization as: \u201csuch irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority\u201d.

For data to be truly anonymized, irreversibly, as stated in the PDB bill 2019, it must not be capable of being cross referenced with other data to reveal identity. Since irreversible anonymization is almost impossible to achieve in practice, the EU GDPR also incorporates pseudonymization which is \u201c \u2026 the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.\u201d

Psueodonymized data comes under the purview of the GDPR. The PDP Bill, 2019 does not refer to psuedonymization and neither does the CoE. Thus, given the regulatory flux with respect to anonymization, it would not be prudent to come up with overly prescriptive mechanisms in India or consider anonymized data under the purview of the proposed NPD Regulator.

The proposed scope of NPD thus overlaps with the PDP Bill, 2019 and hence is a source of confusion. Interestingly, overlapping is recognized by the CoE which has excluded mixed data sets (that have \u201cinextricably linked personal and non-personal data\u201d) from its scope and recommends that these be governed by the PDP Bill, 2019. But the most meaningful analysis from data comes from mixed data sets and hence these are the most used data sets in the digital economy. This exclusion, further reduces the scope of activities as envisaged by CoE. In a new area of regulation, a clear cut scope helps to give a stable regulatory regime

GDPR blandly labelled anonymized data as non-personal while including a risk-based assessment of whether such anonymized data would come under its purview. Moving forward, GDPR\u2019s scope of what constitutes personal data will only increase to include greater amounts of anonymized data. Given these developments, we find that the scope as set out by CoE is not nuanced and should not be accepted without first firmly establishing the contours of PDP Bill 2019 and the current state of technology.

To accept GDPR\u2019s definition of non-personal to include anonymized data in our situation is not appropriate as the scope of regulation, regulatory environment, state of technology and other contexts are not similar. The CoE should consider that even if it were possible to have irreversible anonymization, the underlying data is aggregated depersonalized data, not non-personal.

As far as inclusion of data from machines\/devices\/sensors under the scope of NPD regulation is concerned, it must be borne in mind that these belong to individuals or enterprises. It would be their intellectual property as it would be used to improve, design, or provide services and be covered under the Copyright Act. Moreover, any data gathered from sensors on individuals could be used for profiling and hence would again come under \u2018mixed data sets\u2019 which would then be governed under the PDP Bill, 2019.

Regarding data about national infrastructure and resources and data collected by public agencies for providing public services, it is already mandated to be shared under the Open Data Policy (National Data Sharing and Accessibility Policy) of the government (with appropriate safeguards regarding individual privacy). That this policy is poorly implemented and thus does not make available data to the citizens in a systematic usable way needs to be addressed by bringing in greater accountability and better enforcement.

There is a need to have an enabling incentive-based mechanism for sharing data collected by private agencies on national infrastructure. The CoE makes a valid case for making large datasets in agriculture, healthcare, education, for helping in developing public policy. However, sharing for knowledge enhancement cannot be mandated, it has to be incentive based. In EU and the UK, discussion on sharing of such data sets is based on creating an enabling environment. In this environment, various sectoral agencies either working independently or in collaboration with others, develop a framework for sharing. Such initiatives when mandated through an overarching regulatory regime as suggested by the CoE are likely to be unsuccessful.

Yes, there is a need to support start-ups and innovation, as identified by the CoE, but a poorly designed framework for sharing data is not going to help them. In fact, it may actually harm them. Besides, it is not just access to data, start-ups also require knowledge and skills in developing sophisticated algorithms, need a deep understanding of customer domains and cross domain knowledge. None of these are currently addressed by the proposed NPD framework.

In summary, as shown above, significant discussions, deliberation and research is required regarding the scope of proposed NPD regulation. Just because use of data for economic purposes is expanding, it should not be a reason to regulate it prescriptively. Before proceeding with any proposed regulation on NPD, we need to review the final contours of the PDP Bill, 2019 as it actually gets enacted into an Act, since it is inextricably linked to the proposed NPD regulation.

Rushing into regulation as proposed by the CoE would cause confusion between the scope of PDP 2019 and the NPD regulation. Next, we should also take into account several other existing regulations like Competition Law and IPR which in fact can and do address issues of economic re-distribution and allocation. A detailed assessment of the lacunae in the existing regulation in the context of dealing with the economic aspects of data and its linkage with ownership may need to be worked out. Strengthening or extending the scope of existing legal and regulatory institutions may be a better approach than creating yet another regulator de novo, especially in the context of an existing uncertain and technologically fast evolving environment.

","blog_img":"","posted_date":"2021-03-23 12:44:00","modified_date":"2021-03-24 11:03:04","featured":"0","status":"Y","seo_title":"An existentialist dilemma for the Non-Personal Data regulation?","seo_url":"an-existentialist-dilemma-for-the-non-personal-data-regulation","url":"\/\/www.iser-br.com\/tele-talk\/an-existentialist-dilemma-for-the-non-personal-data-regulation\/4861","url_seo":"an-existentialist-dilemma-for-the-non-personal-data-regulation"}">