The non-personal data policy process remains opaque and problematic #SaveOurPrivacy
Replies to Right to Information requests filed to the Committee of Experts working on the Non-Personal Data Governance framework highlight an underlying transparency problem which has been mirrored throughout 2020 by various other such data-related consultations by the Government. As we await this draft report, "non-personal data" remains a badly defined concept that has crept into the Data Protection Bill being deliberated by the Joint Parliamentary Committee.
RTIs responses on the Committee of Experts on NPD
On August 20, 2020 we filed a Right to Information (RTI) request with the Ministry of Electronics and Information Technology asking them to provide us with copies of documents relating to the functioning of the committee of experts, the minutes of meetings of the committee and any other document which was related to its functioning. On September 19, 2020 we received a reply from them stating that the Ministry maintains no record of the internal functioning of the committee of experts.
As a next step, we filed a first appeal against the reply dated October 30, 2020. In our appeal we stated that our third query pertaining to related documents does not relate to the internal working of the committee and on the contrary relates to third party correspondence, details of which can be made available easily. Additionally, submissions made to the committee can easily be provided since a record of them must exist electronically. However, in their decision the First Appellate Authority (FAA) stated that there are no further inputs to our queries than what have already been provided by the CPIO in the initial reply to our RTI request.
Both, the initial response and the decision of the FAA show a marked resistance to the goals of the RTI Act, 2005 which aims to “promote transparency and accountability in the working of every public authority”. These responses show that either the Ministry is failing to provide sufficient oversight to the committee or that there is a concerted effort to hamper transparency initiatives by civil society organizations.
Problems with the NPD framework highlighted in our submissions
On September 13, 2020 we made a submission to the Ministry of Electronics and IT highlighting certain key issues with the functioning and draft report of the Committee of NPD. These issues are:
- Ambiguity in definition and practice : The report states “non-personal data” as data which does not have personally identifiable attributes. This negative definitional framework is further divided into further classes however as noted by many commentators, this remains vague. IFF’s forum member, Tanya Varshney has written on this extensively in the context of a comparative analysis of the GDPR. She states clearly and rationally that, “The ambiguity kicks in when we are ascertaining what degree of identifiability is needed to categorize information as personal or non-personal data.”
- Ignoring the ease of re-identification : One of the central pillars of the draft report is that, “non-personal data” should not lead to re-identification. As our forum member, Shubham Jain states, “identifying what is personal data is very closely related to how difficult it is to re-identify someone from that dataset.” In the absence of a data protection law, specifically a Data Protection Authority, flirting with the idea of a non-personal data policy is laying a privacy minefield for everyday, ordinary Indians.
- Data maximisation and surveillance capitalism : The present expropriation of personal or non-personal data from silicon valley firms will not result in any clear user benefits but will lead to greater data collection and generation of sets. At a moment when India lacks a data protection law this becomes incredibly problematic for end-users. The economic assertions made within the report that non-personal data have the potential to unlock innovation and help local firms compete, is not even borne from any substantial evidence. Here, even models of competition law have been ignored. Hence, in sum, the present approach will lead to greater collection and a ratification of the problematic models of surveillance capitalism, in which even if we accept the premise of this report, data (which can easily be re-identified) will flow from foriegn entities to local ones.
Additionally, here it is also necessary to state that the currently prevailing regime on privacy in India rests largely on the Hon’ble Supreme Court's decision in Justice K.S. Puttaswamy vs Union of India (2017 10 SCC 1). However, the draft report fails to even mention let alone follow the thresholds laid down in the decision.
"Consultation Fatigue" ?
The lack of transparency noticed in the working of the Committee of Experts on the NPD Framework can be seen to be a replication of various other consultations related to data that the government has conducted this year like the National Digital Health Mission Data Policy consultation and the Indian Artificial Intelligence Stack consultation. While we welcome and appreciate such public consultations, it is also important that these consultations drive positive changes in the policies being discussed and are not just used as a measure to fatigue civil society organisations which are already overburdened as a result of the pandemic.
For instance, many of these consultations often are preceded by private meetings where the agenda and priorities are identified. This is precisely the case with the draft report on non-personal data where private meetings were conducted prior to public comment. What was discussed there? Well, we don't know yet, but will keep following through with the RTI to ensure greater transparency.
- RTI request dated August 20, 2020 and reply received (link)
- First Appeal dated October 30, 2020 and FAA decision (link)
- Submission on Draft Non-Personal Data Report dated September 13, 2020 (link)