Our Comments on Non-Personal Data Governance Framework
The Committee has undertaken the laudable task of trying to address the issue of big data amassed by huge corporations like Google, Facebook and Amazon and allowing smaller players to access it. There have been significant improvements in the Non-Personal Data Governance Framework (hereinafter “the Report” or “the framework”) as compared to its previous version. However, it is debatable whether this framework is the right approach or whether the steps taken to protect non-personal data are sufficient. The framework is replete with abstract concepts and ideas, and it lays out a very shaky platform on which to draft legislation that aspires to be a model for the world. The framework is utopian in its model and fails to consider the real-world mechanics that come into play in governing non-personal data.
The framework fails to clarify what sort of institutional structure would be beneficial in regulating non-personal data (hereinafter “the NPD”) and in ensuring that data principals receive their fair share of benefit from the processing of their data, or how misuse can be thwarted. The focus of the framework seems to be finding ways to monetise data, and citizens’ rights are more of an afterthought. The Report focuses more on how corporations can utilize data to improve their datasets, while any focus on how non-personal data can be used to better citizen governance is absent.
The Non-Personal Data Governance Framework lacks architectural clarity and legal coherence. Its definitions and categorizations are notably vague. It assumes that data has an intrinsic value but it does not explain what this intrinsic value is and how this will be beneficial to the citizens, government and the private sector.
The framework does not rigorously define the links between personal and non-personal data. Its examples and illustrations, which are chosen randomly throughout the Report, suggest that any personal data can be reclassified as non-personal data by applying ineffective anonymization techniques that scholars in the field have repeatedly shown do not work. The Report also fails to adequately address the consequences of a failure of anonymization. The framework proposes to treat hospitals and other health care deliverers, for example, as “data businesses” who can be compelled to publish meta-data and satisfy third-party commercial requests on terms to be fixed by the government authorities. But the data involved is derived from individual health records, among the most sensitive and personal forms of personal data. These and other similar passages imply that “deriving” data from personal data extinguishes individual rights of privacy.
The Report imagines a new domain of community data. It anticipates granting government authority complete discretion to identify and set the boundaries of “communities”, and to empower individuals to act as the “guardians” or “beneficial owners” of this community data, at government discretion. This “corporatism”, in which government defines communities possessing new legal rights and arbitrarily determines the community’s legal leadership, is explicitly anti-democratic, though dressed in “will of the people” populist garb.
The Report has used terms like “data sovereignty” and “public good”, but no definition of them has been provided. Though the Report has considered the economic, social and public value of data, it has failed to consider the individual value of non-personal data and has therefore missed talking about data from an individual’s perspective. The Report has done little to address the privacy principles of transparency, accountability and purpose limitation as enshrined in the Right to Privacy judgement, which is the law of the land. The Report has empowered the government to get access to non-personal data of citizens for a multitude of reasons, with no safeguards or redressal mechanisms whatsoever against misuse of such data by the government or private players.
The Report makes a number of assumptions which have not been tried out even on a pilot basis. It has relied on a one-size-fits-all approach, without accounting for the different needs of different stakeholders. For instance, the use case of weather data or road data will not be similar to the use case of data categorized as sensitive or critical non-personal data. Most importantly, the Report builds on the problematic parts of the Personal Data Protection Bill, 2019 (the “PDP Bill, 2019”). For instance, the PDP Bill, 2019 does not define what falls within the ambit of critical personal data. This has to be decided by the government from time to time. This categorization and definition of critical personal data is problematic in itself, and the Report has gone further with this fallacious categorization.
The Report imagines a public data authority empowered to enforce sharing of non-public data through private parties who have collected or generated it, with the power to order unwilling parties to share if the requests are “genuine”. There are also no qualifications given for terming a request genuine. No substantive provisions of law or process for judicial review are proposed to qualify this extra-constitutional discretion, which threatens to infringe on both the fundamental rights of privacy and free expression.
You can read our comments on the previous draft here.
You can read our comments on the framework here: