Introduction & timeline of data protection in India
It is true that soon every business will become a tech business as “data” will be the new source of income. Managing and dealing with data of so many people by businesses and organisations, large or small, cannot be as easy as you may think. Leaving this area unregulated could lead to a global crisis from human rights violation to economic domination in the market, leading to endless privacy and cyber-crimes. Hence, regulating this area should be the prime focus of our nation’s government and any other country’s government where there is no privacy regulation. India recognised “privacy” as a fundamental right back in 2017 in a landmark decision passed by the Supreme Court in Justice K S Puttaswamy v. Union of India.
Right after the declaration of the “right to privacy” as a fundamental right, in July 2017, a Committee of Experts was constituted under the leadership of Justice B.N Srikrishna. The committee examined various issues pertaining to data protection & privacy as there was no legislation governing the flow of data in the economy. The committee even suggested a draft bill on data protection, and it was presented before the Ministry of Electronics and Information Technology (MeitY) on 28th July 2018.
Later in 2019, MeitY presented the Personal Data Protection Bill 2019 (PDP Bill) in the Lok Sabha. Another committee, the Joint Parliamentary Committee (JPC), was constituted to study and research the PDP Bill. The JPC was initially required to present its recommendations regarding the PDP Bill during the budget session in 2020 but got an extension of 2 years. In December 2021, during the winter session, the JPC presented a report with recommendations on the PDP Bill before both Houses, but Parliament is yet to enact the PDP Bill into an Act. Till today we are waiting for robust legislation on data protection & privacy.
But is it just about our Personal Data?
Personal data is any data from which one can quickly identify that person. It could be any trait, attribute or feature through which that person could be directly or indirectly identified, whether online or offline. But does privacy apply to only our data? Should we not worry about our non-personal data? The European Union (EU) has a regulation on non-personal data. Why not us?
As we know, India’s PDP Bill is greatly inspired and influenced by the EU’s General Data Protection Regulation (GDPR), which came into effect on 25th May 2018. Even the GDPR is only applicable to personal data, and it does not regulate the flow of non-personal data. But in December 2018, the EU officially published Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU.
This blog post will not explore the area of personal data or GDPR. Still, it will primarily focus on non-personal data as to why it is essential and how India & the EU have taken a stand regarding this area of concern.
Before discussing the EU’s regulation on the free flow of non-personal data, it is essential to address the same issue from the Indian perspective. MeitY handled the question of a law on non-personal data in India. A non-personal data committee was set up by MeitY, which released two reports, one in 2020 and the other in 2021.
But what is Non-Personal Data (NPD) after all?
The reports mentioned above define ‘non-personal data’ as any data that is not personal data. Let’s understand this in a simplified way: non-personal data is any data with no personally identifiable information. Thus, no one can be identified through such data, for example a blurred image of a person.
Non-personal data also include anonymised data of a person or the aggregated data of an event, developed so that the event can no longer be identified through such data. The report further divides non-personal data into three different categories, namely:
- Public non-personal data: As the name suggests, this is non-personal data about people that is collected by public or governmental entities while executing their respective roles & duties. For example: vehicle registration details.
- Private non-personal data: Here, the collection or generation of non-personal data is done by private entities & businesses. For example: derived insights.
- Community non-personal data: These are anonymised personal data, or raw or factual data, about a community of natural persons. For example: public electric utilities.
What is the current status of NPD in India?
On 16th December 2021, the JPC presented its report on the PDP Bill before the Houses of Parliament. It has changed the present scenario, especially regarding the framework the non-personal data committee was working on and suggested in their 2020 & 2021 reports. The same cannot be seen in the recent report.
JPC has now recommended that the PDP Bill cover the issue relating to personal data. It will restrict the purpose of such legislation governing the digital economy and shall also accommodate the matter pertaining to non-personal data. It further states that since the bill will be covering both personal & non-personal data, the title should be changed to Data Protection Bill, 2021 (DP Bill).
The justifications given for these changes are:
- Both personal and non-personal data affect the privacy of an individual.
- It is difficult to determine/distinguish between personal and non-personal data.
- Why have two regulatory authorities for the same subject, i.e. data?
If we analyse these arguments, we find the following:
- Non-personal data do not affect the privacy of an individual. Why? Isn’t it supposed to be an anonymised form of data without a component of personally identifiable information? Then how can it affect the privacy of an individual? Well, of course, there can be cases of re-identification. Still, it is to be noted here that both the previous bill (the PDP Bill) and the current one (the DP Bill) have a provision relating to re-identification that makes it a criminal offence. The entire bill has only one provision stating such criminal liability. Hence, instead of bringing the concept of non-personal data into the same legislation, it would have been rational to let the provision about re-identification act as a deterrent against it.
- It is indeed difficult to distinguish between the two: personal data and non-personal data. But it is to be noted here that non-personal data are anonymised and have no personally identifiable information. All that is required is a stringent provision on re-identification of non-personal data.
- The third argument can be justified that we don’t require two regulatory authorities for the same subject matter. Still, we need to understand that personal data principles shouldn’t be applied to non-personal data as it would hamper and hinder the economy’s growth. Since the innovation largely depends upon the users’ data and restricts such data that has no relation to the people’s privacy rather than the intellectual property, non-personal data are also obtained through different algorithms and analytical tools used by such businesses. Restricting the flow of such data will raise a question about the company’s intellectual property as to who is the rightful owner of such data.
NPD framework in EU
One needs to understand that in the present age of digitalisation, most of the gathered data are not split into personal or non-personal data; instead, they are mixed datasets, which means such data contains both personal and non-personal data. In the EU, none of the regulations about personal data (GDPR) or the other rules on the free flow of non-personal data (Regulation 2018/1807) state data processing separately. Both the regulations complement each other without conflicting provisions.
But how are mixed datasets regulated in the EU? As simple as it seems, the regulation relating to non-personal data is applied to the non-personal dataset, and the GDPR governs the personal data dataset. There are no provisions relating to splitting up the mixed datasets or processing them separately, and practically it would be pretty challenging.
But what if the mixed datasets are inextricably linked? Which regulation would apply? In such cases, GDPR would apply to the entire dataset even if the personal data comprises a small segment. The EU’s law on non-personal data is not orthodox and promotes the spirit of free flow and movement of non-personal data in the EU. Even the concept of data localisation does not apply to such data.
From the above discussion, we can understand a couple of things. The first is that the concept of both personal and non-personal data is relatively new in India, and regulating both types of data together wouldn’t serve the purpose, as the essential purpose of a data protection regime should be to promote and protect the privacy of citizens. Non-personal data, on the other hand, are considered a valuable resource from the point of view of innovation and development. Restricting the flow of non-personal data in the economy would lead to an increase in cost for businesses, and many foreign businesses would have to change their structure, as this approach to non-personal data by our law-makers is relatively new and has no direct nexus to either the GDPR or Regulation 2018/1807.
-Written by- Aarlin Moncy