New Delhi: Justice B.N. Srikrishna (Retd), one of the architects of the first draft of India’s personal data protection bill, has raised concerns about the draft Non-Personal Data (NPD) Governance Framework, which is currently open for feedback.
In its current form, the framework leaves “the fundamental right of privacy of persons vulnerable to infringement by the state”, Justice Srikrishna said in an email interview to ThePrint.
The NPD Governance Framework has been devised by an expert committee led by Infosys co-founder Kris Gopalakrishnan, which was formed in September 2019 to “study various issues relating to non-personal data” and to make suggestions about its regulation.
Differences between personal and non-personal data
While the draft bill formulated by the Srikrishna committee dealt with personal data — the kind that can be used to identify an individual, such as name and biometric details — the Gopalakrishnan panel was formed to delve into the management of information that doesn’t include that of the personal kind. Examples include “weather conditions, aggregated e-commerce sales and data on commuting patterns”, according to experts.
Anonymised data — that is, when personal data is stripped of personally identifiable information — is also an example of NPD. Anonymised data is used in data analytics and to develop artificial intelligence services.
NPD is important because it provides insights that can help innovation, and thus increase revenue for companies and economic growth for a country. In addition, the government says data, which includes NPD, could “play a critical role as a community or public resource”.
The personal data protection bill, which Srikrishna has opposed for certain “dilutions” effected by the government, is currently with a parliamentary standing committee.
The draft NPD framework devised by the Gopalakrishnan committee, meanwhile, was opened for feedback in July, with the deadline being 13 September.
It has recommended that data-sharing be allowed for national security, legal purposes, etc, and for community benefits or public good, research and innovation, policy making, for better delivery of public services etc., and to encourage competition and provide a level playing field or encourage innovation through startup activities.
Asked what can be improved in the framework, Srikrishna said, “The approach is centered on controlling NPD as an asset for public benefit…”
In doing so, he added, “the grey area of intersection” between personal data protection and NPD “has been ignored”.
“That will leave the fundamental right of privacy of persons vulnerable to infringement by the state.”
The “grey area of intersection”, Srikrishna said, would be where personal data has been “inputted into a pot or public authority by a person and that is sought to be used as NPD without express consent of the data principal (the person to whom the data relates and thus belongs)”.
To a question about the data-sharing provisions, he said, “The attempt (of the draft governance framework) seems to be to enable the state to acquire the same without consent on the ground of public benefit.”
When asked whether citizen rights could be impacted by the government seeking access to non personal data, Srikrishna said, “Most certainly yes.”
Srikrishna, however, said a positive point about the proposed framework is the “attempt to identify the different classes of data, more particularly the data put in by government bodies that can be used for public benefit”.
Speaking to ThePrint, two members of the NPD panel agreed that the government should be subject to fair checks and balances when it accesses non-personal data.
“There does need to be elaboration on a government’s responsibilities when the government accesses non-personal data from companies and other entities. There will need to be more clearly defined checks and balances in how the government accesses non-personal data,” said Parminder Jeet Singh, executive director of NGO IT for Change.
Lalitesh Katragadda, founder of crowdsourcing tech platform Indihood, added, “Government agencies should also follow the same mechanism, and go through the same checks and balances as any private company, when the government wants to access non-personal data.”
‘Too early to regulate non-personal data’
Justice Srikrishna said he feels it’s too early to regulate non-personal data at all.
“In my view it is unnecessary to regulate NPD at this time. The data market should be allowed to grow and stabilise, after which alone can it be regulated. Regulation before growth will stultify the market.”
Singh and Katragadda, however, said it is important to regulate non-personal data and it is not too early to do so.
Katragadda said, “If non-personal data is not governed, it can be corralled by a few monopolies… Under a governance framework, raw, non-personal data collected by a large firm like Amazon must be made freely accessible to a small startup and vice versa. There may be some companies that will not agree with the idea of simply making anonymised data collected from users available to everyone for free. However this is about the greater good and social benefit.”
Singh said, “In fact it may be getting late because the default situation of data collectors owning all rights over non personal data is getting concretised and accepted, and may become difficult to reverse.”