Insights into Editorial: Towards robust data regulation

Context:

A government committee headed by Infosys co-founder Kris Gopalakrishnan has suggested that non-personal data generated in the country be allowed to be harnessed by various domestic companies and entities.

The nine-member committee, while releasing the draft report, has kept time till August 13 for the public to send suggestions.

It has also suggested setting up of a new authority which would be empowered to monitor the use and mining of such non-personal data.

What is non-personal data?

In its most basic form, non-personal data is any set of data which does not contain personally identifiable information.

This in essence means that no individual or living person can be identified by looking at such data.

For example, while order details collected by a food delivery service will have the name, age, gender, and other contact information of an individual, it will become non-personal data if the identifiers such as name and contact information are taken out.

The government committee, which submitted its report has classified non-personal data into three main categories, namely public non-personal data, community non-personal data and private non-personal data.

Depending on the source of the data and whether it is anonymised in a way that no individual can be re-identified from the data set, the three categories have been divided.

Regulation of Non-personal data (NPD):

For a country that does not have a personal data protection bill, the setting up of a committee to regulate non-personal data seems premature.

However, there is global realisation that data should be unlocked in public interest beyond the sole service of commercial interests of a few large companies.

There is also recognition that data, in many cases, are not just a subject of individual decision-making but that of communities, such as in the case of ecological information.

Therefore, it is critical that communities are empowered to exercise some control over how the data are used.

How sensitive can non-personal data be?

Unlike personal data, which contains explicit information about a person’s name, age, gender, sexual orientation, biometrics and other genetic details, non-personal data is more likely to be in an anonymised form.

However, in certain categories such as data related to national security or strategic interests such as locations of government laboratories or research facilities, even if provided in anonymised form can be dangerous.

Similarly, even if the data is about the health of a community or a group of communities, though it may be in anonymised form, it can still be dangerous, the committee opined.

Possibilities of such harm are obviously much higher if the original personal data is of a sensitive nature.

Therefore, the non-personal data arising from such sensitive personal data may be considered as sensitive non-personal data.

Key stakeholders in the regulation of Non-personal data:

To enable a robust regulation of NPD, the report defines key stakeholders for the ecosystem.

1. First are data principals, who/ which can be individuals, companies or communities.
2. The roles and rights of individuals and companies in the context of data governance are well understood. However, the idea of communities as data principals is introduced ambiguously by the report.
3. While it provides examples of what might constitute a community, e.g. citizen groups in neighbourhoods, there is little clarity on the rights and functions of the community.
4. The report does not problematise the ways in which communities translate offline inequalities and power structures to data rights.
5. There are examples in indigenous data governance, which imagine collective rights and community-personhood on data-related issues, which may have found useful mention here.
6. Next are data custodians, who undertake collection, storage, processing, and use of data in a manner that is in the best interest of the data principal.
7. The details in this section are fuzzy, it is not specified if the data custodian can be the government or just private companies, or what best interest is, especially when several already vague and possibly conflicting principal communities are involved. It is also not clear how communities engage with the custodian.
8. Further suggestion that data custodians can potentially monetise the data they hold is especially problematic as this presents a conflict of interest with those of the data principal communities.
9. Based on current literature, data custodians can be interpreted as data stewards, imagined in many cases as independent entities that intermediate with technology companies on behalf of communities, which they represent.

Global standards on non-personal data:

In May 2019, the European Union came out with a regulation framework for the free flow of non-personal data in the European Union, in which it suggested that member states of the union would cooperate with each other when it came to data sharing.

Such data, the EU had then ruled would be shared by member states without any hindrances, and that they must inform the “commission any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement”.

The regulation, however, had not defined what non-personal data constituted of, and had simply said all data which is not personal would be under the non-personal data category.

In several other countries across the world, there are no nationwide data protection laws, whether for personal or non-personal data.

Areas that India’s non-personal data draft miss:

1. Though the non-personal data draft is a pioneer in identifying the power, role, and usage of anonymised data, there are certain aspects such as community non-personal data, where the draft could have been clearer.
2. Non-personal data often constitutes protected trade secrets and often raises significant privacy concerns.
3. The paper proposes the nebulous concept of community data while failing to adequately provide for community rights.
4. Next, the report talks about data trustees as a way for communities to exercise data rights. Trustees can be governments, citizen groups, or universities.
5. However, the relationship between the data principal communities and the trustees is not clear.
6. The articulation of trustees does not explain how “trust” is extended and fructified with the community, and how trustees are empowered to act on behalf of the community.
7. The idea of trusteeship for data is being discussed globally — the principles of a legal trust and the fiduciary responsibility that come with it are critical.
8. Trustees, by definition, are bound by a duty of care and loyalty towards the principal and thus work in their best interests, negotiating on behalf of their data rights with technology companies and regulators. This thinking is not reflected in the report.

Trusts can hold data from multiple custodians and will be managed by public authority. The power, composition and functions of the trust are not established.

One possible way to simplify the ecosystem would be to consider data trusts as a type of custodian, such that fiduciary responsibilities can be extended, and trustees can represent the community and act on behalf of the data principals.

The committee should organise broader consultations to ensure that the objective of unlocking data in public interest and through collective consent does not end up creating structures that exacerbate the problems of the data economy and are susceptible to regulatory capture.

Conclusion:

Finally, the report explains data trusts comprising specific rules and protocols for containing and sharing a given set of data.

Regulation must be clear, and concise to provide certainty to its market participants, and must demarcate roles and responsibilities of participants in the regulatory framework.
The report is unclear on these counts, and requires public consultation and more deliberation.