- No end-use restrictions on data requesters: There are no audit mechanisms to see if entities that seek data are, in fact, using it for stated purpose (public good or sovereign).
- Businesses don’t have a say in data sharing: There is no proper mechanism for data businesses to reject requests for data from data trustees.
- Businesses will have to deal with high compliance costs: Businesses, small and big, will have to think about compliance mechanisms for both PDP and NPD frameworks.
- Proxy issue a real concern: A company could theoretically set up a Section 8 company to set up a HVD, and seek data from other data businesses.
- Metadata could be too valuable for businesses: Businesses might not want to part with metadata, that will be stored on an open-access metadata directory, as they see value in it. Instead, access to this directory could be restricted.
- Opt-out from anonymisation will complicate things for businesses, individuals: It would be on individuals to understand both the PDP and NPD frameworks to decide whether they want to opt out of anonymisation. Meanwhile, businesses would have to deal with complicated dual-compliance of the frameworks.
- Re-identification always a risk: There is always a risk of re-identification of anonymised personal data.
“The revised non-personal data (NPD) report has concluded that there isn’t really an overlap between personal data and non-personal data, but I think there still continues to be that inherent risk of an overlap”, said Jyotsna Jayaram, counsel at Trilegal. This risk, specifically with regard to non personal data based on personal data, leaves businesses confused. Businesses would have to spend time thinking about how they manage this data, and about silos that they have never had to think about before, she said
Jayaram was speaking at MediaNama’s discussion on the revised report by the Committee of Experts on a Non-Personal Data Governance Framework, held on January 15. MediaNama hosted the discussion with support from Facebook and Microsoft. All quotes have been edited for clarity and brevity.
Helping businesses: WIll NPD framework really do that? Motivations unclear
- Need to identify problem with current situation before it can be solved: The motivation behind the NPD report seems to create “anxiety about NPD’s economic value not being extracted by India” and addressing it.
“I would like to see a consideration of what’s currently wrong in that respect […] I would like to understand what is wrong with the private markets for data sharing that do exist […] The assertion is that there is some kind of data hoarding or certain firms don’t get access to other firms’ data. Then what do you do as a state: do you try and create that private market and regulate it, or do you try and create an enabling framework for that to happen, or do you set up this kind of fairly heavy-handed regulatory architecture.” — Malavika Raghavan, lawyer and researcher
- Counterpoint — ‘This is a sensible approach’: Subhashish Bhadra, principal, Omidiyar Network, felt that the committee’s motivations were, in fact, quite clear. “If you take a classical economics thing of them the state should step in and regulate any kind of markets, there are certain information asymmetries, externalities, etc. If you look at the data market, there are very strong externalities because the data Company A collects would be useful to non-profit B or company C or a government D. But because this company that is collecting the data will not ever be able to monetise each and every possible use case of that data, it does not have the incentive to share and create that privat emarket in data,” said Bhadra.
- Potential conflict with regard to privacy: Prasanto K. Roy, technology and policy consultant, felt that the agencies that regulate non-personal data and personal data could be dealing with a potential conflict of goals, with the former being concerned with “unlocking economic value” and the latter looking to protect privacy. “We will be dealing with this sooner or later,” he added
- Counterpoint — Businesses are not sharing proprietary data: Businesses are supposed to share NPD with data trustees, and for a public good purpose. This does not entail businesses having to share proprietary data, argued N Dayasindhu, CEO of Itihaasa Research and Digital, who helped the Committee of Experts in report preparation. “It is just data that they are collecting from India, from Indians, from the community, and not business-related IP that they create,” he said.
Metadata directory: Is it really metadata and what are the risks?
Metadata directory can give insight into a company: The metadata directory, which will be maintained by the NPDA, will be open access. This, Jayaram said, could be quite valuable information as it would tell people what data fields a company collects and makes decisions on. “It’s certainly information you may not want to part with, which you now have to part with and can be used by organisations for various things,” she said.
- ‘Limit access to it’: Bhadra, too, wondered why this directory should be open to everyone. He suggested it could be open only to those who can potentially create HVDs, and hence not open to other businesses.
Is this even metadata? Raghavan wondered whether the term “metadata”, as it is used in the report, is indeed what the accepted definition of it is. “Metadata refers to data that provides information about other data […] Now if we want to talk about some other concept, then I think we should just call it something else because when we talk about metadata in this way, and then set up rules it’s definitely going to create some dissonance […] The directory of metadata, is it really so safe? My point is that we should call it something else because the description of metadata and the treatment of it in this report create a lot of regulatory overlaps and so on, ” she said.
Counterpoint — ‘Data can be asked for only through HVD process’: Parminder Jeet Singh of IT for Change, and a member of the Committee of Experts, said that metadata only meant the “nature of the processes”, and not he data itself which would be transparent in a registry. “The data itself can only be asked for in the HVD process,” he said.
Anonymisation: What this ‘dual compliance’ means
The revised NPD report requires data collectors, at the time of collecting personal data, to give the data principal (customers, general public etc) the choice to opt out of anonymising the data. Panduranga Acharya, director-legal at Swiggy, argued this was a “bipolarate system”, which would require businesses to comply with both the NPD and PDP frameworks. It will be very difficult for companies, he said
What will this achieve? Acharya argued that if data principals were to get an option to opt out of the NPD option, the relevant dataset will not have the “full data”. I am not sure if the government would really want to achieve what it wants to in this way, he added.
- Dual compliance: I think this would lead to a lot of compliance for a startup, without achieving the intended purpose, he said. Startups would have to spend resources to manage information, have separate dataset tools — where certain data cannot be used for business purposes, or data that can be used for public good purposes or that which is important to the government, he said.
“Assuming some social welfare scheme has to be implemented, such information cannot be implemented unless this dataset is comprehensive which is unlikely to be if the data principal is given an option of opting out from that consent.” — Panduranga Acharya, director-legal, Swiggy
Individual will have to be aware of NPD, PDP framework to make decisions: Individuals will have to opt out of anonymisation if they want protections under the PDP Bill. “So, as an individual, I need to know the new NPD framework, the PDP framework and then choose one or the other,” Raghavan said, adding that research has established that opt-outs are not very effective mechanisms in the first place.
Will anonymisation still carry privacy risks? Jayaram, meanwhile, said that the risk of re-identification always exists with anonymised personal data. “So, I definitely think that just because you apply a level of anonymization or you call it NPD under this legislation doesn’t take away those privacy risks that exist […] I don’t think that this is as ring-fenced from privacy litigation as well.”
Anonymisation option exposes companies to risk: Roy said that companies such as those in the fintech space use data for analytics. They don’t necessarily need personally identifiable information (PII), and would prefer to anonymise to reduce exposure to risk. These companies could also use a third-party to process analytics, and they wouldn’t want to share personal information.
“This puts an additional barrier for me because I now require consent and this actually makes the data which I am storing more secure. And why should there be a barrier for that?” — Prasanto K. Roy, technology and policy consultant
‘Data business should be able to say no to sharing data’
There is no mechanism for businesses to reject requests: There is no way a data business can say no to sharing information, because there is no mechanism to understand what is public good, said Acharya. He felt that data businesses are not in a position to seek satisfaction that the data is indeed being shared for public good. “That clarity is lacking […] In my opinion, we should empower these data businesses to say no,” he said, referring to requests made for “public good” purposes.
- Jayaram echoed Acharya’s argument, saying that although requests from data trustees need to be granular and specific, “right now, there are no guidelines on the proximity of the actual purpose of that HVD, as well as the extension of data that’s required”. So you could then end up actually having some sort of broad request, and still having to share this data.
“Of course, it should be for public good, but there are several non-apparent uses that you can put it to which may not be for public good, and there’s literally no way to check that, you know, this goes to the point on end use.” — Jyotsna Jayaram, counsel, Trilegal
Data sharing should not be automatic: At the same time, Acharya felt, data seekers should have the ability to ask the NPD Authority to decide on whether the data request is a valid one. Sharing data for public good purposes should not be “an automatic or mechanical process”, he said, essentially arguing for the NPDA to play an active role in enabling (or disabling) data sharing.
Counterpoint — Appeal process already exists: Dayasindhu acknowledged that businesses would have concerns around sharing data. But, he said, businesses could approach the NPDA if they didn’t find a data trustee’s request to be appropriate to the high-value dataset that they are creating. So, businesses could say “I am not comfortable sharing this data and the NPDA will adjudicate on that request from the data custodian or business.”
‘Businesses have to bother about things they never did before’
Companies have to rethink data management: Jayaram said that personal data will be governed by a set of extensive compliances. At the same time, now there is another legislation in the works that could require businesses to “classify and store data in a certain manner such that it remains under one of each of the regulations”.
“Forget compliances; you will only be able to identify compliances once you know which of the regulations apply […] I think, in terms of data management, storage and classification practices, there is going to be a lot of work.” — Jyotsna Jayaram, counsel, Trilegal
No clarity on classifying NPD with ‘inextricably linked PD’: The report, said Jayaram, classifies data that is inextricably linked to personal data will be classified as ‘personal data’. “To my mind, there’s no guidelines right now on what that would mean. The report does refer to the GDPR, but the GDPR also doesn’t define the term,” she said, adding that this is still a fairly subjective determination.
- “Given the general sentiment towards mandatory sharing [in the NPD framework], it could serve as sort of a disincentive to anonymise the data in the first place, to ensure that that those personal data elements are retained so that you can be subject to compliance under the PDP Bill, but be saved from the mandatory sharing under the NPD legislation,” said Jayaram.
Higher costs for small business: It is going to be very difficult for small businesses, not specifically startups in general, said Acharya. “There are small startups who would also be categorised as a data business. In such cases, there is no reason why they have to shell out more resources and finance towards building compliances.”
‘In case of data breach, who should one approach?’: Richa Mukherjee, director-public policy, PayU India, pointed out that the NPD report also talks about the parallel operations of sectoral regulators, in addition to the PDP’s data protection authority. “I would like to take an example of a recent data breach. The amount of data that was leaked — suppose this was to happen after the regulation comes into place. So, what authority would one report to, the DPA, the NPDA, sectoral regulators or all of them? That’s the clarity we are seeking.”
Can businesses game the system to gain access to HVD?
Setting up a proxy Section-8 company: A company, speculated Jayaram, could tackle problems on obesity, diabetes or healthcare, and call this “public good”. This company could set up a proxy — in the form of a section-8 trust or society — find a way to convince the NPDA that it needs data to set up a HVD. This would allow such a company to get access to the HVD. “I know that this is going to be aggregated, but even then that is a lot of value,” she said.
No limitation on end-use: Multiple speakers agreed that there don’t seem to be any end-use restrictions on data requesters. Entities could indeed use the HVD for public good, but at the same time it could be used for commercial decision-making. Jayaram suggested that there could be deterrence if the legislation prescribed forms of audits or end-use restrictions.
- Bhadra said that there needs to be clarity on the roles of data trustees and even data requesters. “The report says data requesters must use data for public good, is the data requester not allowed to use it for commercial gain? If they don’t use it for public good, is there some accountability mechanism that they will have to meet? Some of these gaps in the framework are a bit concerning.”
Counterpoint — ‘Report has tried to mitigate these externalities’: Dayasindhu, replying to a question about this potential loophole, said that the report has indeed tried to mitigate these externalities. The NPDA will assess whether a community is being represented by the data trustee well, and that the data trustee has the correct credentials.
“Even in terms of the actual data sharing mechanism, the committee has said there shouldn’t be any harm that is caused to either the data collector or the data source.” — N Dayasindhu
Counterpoint — ‘Data infrastructure can be used for any purpose’: Singh acknowledged that, in the current form, there are no real constraints on the illegal use of data. He, however, explained that it could be looked at as a ‘data infrastructure’. “Government makes a road […] but road is an infrastructure and you will use for other purposes, as long as it’s not an illegal purpose. So, generally, once a thing has been given the status of infrastructural data, it says all entities can ask for that data and can do business with it. It is considered to be in public interest in the sense that a road is in public interest,” he said.
Sharing locations of data processing centres: Is it a concern?
The revised NPD report requires data businesses to share locations where data is stored and processed. Roy felt that this would be a major problem for several reasons, and said this could be a precursor to data localisation. “This is going beyond what the Reserve Bank of India (RBI) had said in April 2018 that data must be localised. There, it wasn’t asking for a list of where all you are processing [data] and so on,” he said. He also wondered how this would work in a world where processing is distributed worldwide.
Not really a big deal: Both Mukherjee and Acharya said there isn’t much to be worried about in terms of submitting location data of data processing centres. Mukherjee said that if companies have their servers based in India, even if that data isn’t shared with regulators, it is just common knowledge. “S0 I don’t see any concern if you have to share the location of the servers,” she said. Acharya, too, said that the sharing of location details “should be alright”.
Also in this series: