Let Data Protection Authority regulate nonpersonal data, disband panel: IFF

Instead of safeguarding privacy, govt becomes data vendor

Society

January 23, 2021

/ By / New Delhi

Let Data Protection Authority regulate nonpersonal data, disband panel: IFF

Not just Silicon Valley or Indian conglomerates, even government is getting in the business of data, warns IFF (MIG photos)

As deadline for public consultations on revised draft report of nonpersonal data approaches, privacy activist group Internet Freedom Foundation says disband panel that devised the draft and bring nonpersonal data under purview of Data Protection Authority, citing grave concerns over data privacy and data monopolies.

Internet and privacy activist group Internet Freedom Foundation (IFF)  has urged the government to immediately disband the panel headed by former Infosys chairman Kris Gopalakrishnan that drafted the report on nonpersonal data as well as its revised version. The revised draft is currently open for public comments that will close on January 31.

The Gopalakrishnan Committee of Experts on Non-Personal Data (NPD) Governance Framework envisions a clean separation between NPD and personal data. It puts the regulation of NPD outside the ambit of the Data Protection Authority (DPA) envisioned by the Personal Data Privacy Bill (PDPB) currently being examined by a parliamentary panel. The NPD draft proposes a parallel authority, the Non-Personal Data Authority to regulate NPD and has also asked for amendment to the PDPB seeking removal of clauses that could have allowed the DPA to regulate NPD.

Non-personal data is any set of data which does not contain personally identifiable information. This in essence means that no individual or living person can be identified by looking at such data. However, almost all of this data comes from humans and their actions. The Gopalakrishnan committee has classified non-personal data into three main categories, namely public non-personal data, community non-personal data and private non-personal data.

One of the biggest concerns of privacy activists like IFF over the NPD draft is that it treats data as a resource to be exploited and makes the government a potential vendor of data, instead of being the safeguard of privacy of the citizens. IFF also says that the threat of data de-anonymisation is a grave one against which adequate barriers must be maintained. Given that a large portion of NPD will consist of anonymised personal data, it is vital that such issues be dealt with, it says. The relative ease of de-anonymisation has already been highlighted in various contexts, while the situation in India is worsened by the lack of adequate data protection legislation, IFF says, adding that it was an unwise and faulty approach to consider de-anonymisation as only a potential risk when the provisions of the second version of the report envisage the expropriation of data from private enterprises at scale that will vary in quality, scope, type and frequency.

It goes on to say that the proposed version of the governance framework may enable data maximisation, wherein there is overreach in data collection by various entities. Besides the natural issues related to consent, the economic rationale given to bolster the claim that a profusion of data generation and conclusion may not hold up and may instead lead to the exploitation of citizens, the foundation says in its response to the revised draft, adding that this revolted against the increasingly standard principle of by design in global data protection legislations which focus on data minimisation through purpose limitation. Additionally, IFF says it had pointed out in its previous submission, the report fails to substantially engage with concerns about data monopolies and market failure and does not adequately consider competition law.

Apar Gupta, executive director, Internet Freedom Foundation

Apar Gupta, executive director, Internet Freedom Foundation (MIG photos)

In an interview with Media India Group, Apar Gupta, executive director of Internet Freedom Foundation, said that there were several serious problems with the proposed framework under the revised NPD draft that largely toes the line of the first version. “Our recommendation is to disband the committee, recall the draft report, and allow NPD to be regulated under the Data Protection Authority proposed by the PDPB. Doing so would shift the focus onto the protection of citizens’ digital rights and ensure robust regulatory mechanisms for NPD,” says Gupta.

What are the key objections that IFF has to the Gopalakrishnan panel’s revised draft report on NPD?

We are in a situation where most of our interactions occur through smartphones, be it with service providers like banks or telecom companies or personal finance. It also is the interaction which is taking place with the citizens who are not based in cities, who are based in towns and villages. A lot of this data which is getting collected is personal information, which essentially means that they can tie in this information with me, so that is identifiable. But when you remove that identification characteristics from this data, quite often it becomes what is termed under the draft report as non-personal data.

The non-personal data draft essentially theorises that a lot of these non-personal data needs to be created as an engine for economic growth, for research and for central planning. And it practically means for a lot of people that there is a rational reason now why their personal data will be collected at a greater scale. This may theoretically be anonymised, which means that the personal characteristics are removed, but most studies show that even when anonymisation techniques are employed, they are imperfect. And it can be re-identified. And there is a core economic incentive in re-identification, because the value of that information, if you just take metals is between silver and gold.

So at the end what we are staring at is a very troubling outcome, where there have been core understandings around data protection, gathered the least amount of data about a person, because it is a resource which can be used to control people to target ads to them. Secondly it needs to be tied to a very specific purpose of service delivery. A bank should know only as much as it needs to know for its KYC norms, not about your spending habits and behaviours, so it can sell you insurance at differential rates.

With an NPD report, government is essentially providing a reasoning for private enterprises to gather more data. For the government to also get into the business of expropriating the data, essentially taking the data from the private enterprises and then repurposing it, either using it by itself or giving it to other corporates. So we are entering a form of data socialism, I would say, which is imperfect and by itself would lead to harms on individual liberties.

Is it not data capitalism, rather?

See, be it socialism or capitalism, the practical impact is on the liberty of the people because their data is stored for a longer period and there is a clear interface for government to demand it from private entities. And the government itself, even under the present draft data protection law, which may become a reality, enjoys large exemptions. Even if theoretically that law passes, and a data protection authority is there, and the exemptions are also not there, it is very unlikely for an independent regulator in India, to actually contest, various arms of the government, with respect to policies or actual action, as we have seen in other sectors.

Our recommendations are on this essentially, firstly, the entire premise of non-personal data, in terms of its objectives, arises from a monopolisation of data, which is occurring through Silicon Valley platforms. This is factually correct. We have stated this again and again. However, the prescriptions in the reasoning being adopted is essentially of arms stockpiling strategy, in which a data resource which is amassed by Silicon Valley companies is responded to by the government creating a bigger stockpile, of what it calls a non-personal data. Whereas what is needed today, is to place regulatory checks on market power, as well as the actual need, for Silicon Valley platforms to gather data of more than a billion Indians.

Why only Silicon Valley, what about data collection by Indian telecom firms?

Telecom companies are also increasing in their sophistication and range, in terms of collection of personal data. Even though they do fall within a regulatory ambit of the department of telecom, so their data collection is not primarily focused both in terms of a regulatory pervasiveness, secondly in terms of a business incentive and a technical sophistication which is present with Silicon Valley platforms. But they are reaching there. If you have seen Jio Platforms, in the start and the rollout in itself was preceded by a speech at the annual general meeting by Mukesh Ambani, in which he did not focus on the actual revenue which could be derived from paying subscribers on the basis of monthly revenue of the connection value itself in terms of data use, in terms of call minute usage which are the traditional barometres for telecom industry in terms of its metrics. But was essentially focused towards data and personal data itself being one area.

It has given a recognition that both the telecom side of the business, the media and the social side of the business, and associated high tech businesses in which large amount of investments are now made by Reliance, does throw a very big question mark. So yes, that question is well taken. It is not only the Silicon Valley platforms, even large Indian conglomerates will sooner or later gravitate towards it, because the instrument of power which is traditionally there was monetary finance is now turning into personal data and data as a framework, not to replace it but to weld with it.

Has the state of data privacy worsened over the last six years?

The attitude of the Indian government, especially at the Centre, had been initially one of lethargy, which we had seen and now is in terms of a much more political focus towards data in which there is a lack of recognition of the Supreme Court’s Puttaswamy judgement on the Fundamental Right to Privacy which makes the focus on any such regulation on the individual, on the ordinary Indian. However, now the focus is more towards governance, its own self benefit, which is seen as an end in itself and it’s a very important distinction, because the end in itself quite often in India is not governance by itself. It is sometimes towards the perpetuation of political power, longevity of a particular political party in the seat of power. This has been evident, and is not simply rhetoric, through certain subsidy schemes which have data of beneficiaries. For instance, in the Delhi elections this data was utilised. Most parties, even the regional ones, have what are called the IT cells, which take beneficiary data and which specifically target people not only close to election, or prior or in the midst of elections but as an all year-round calendar activity.

I would say the attitude of the government at present has moved from lethargy towards a degree of activity, but that degree of activity, whether it is in the interest of the individual, the fundamental rights and the constitutional safeguards, is fairly questionable.

YOU MAY ALSO LIKE

0 COMMENTS

    Leave a Reply

    Your email address will not be published. Required fields are marked *