Non-personal data: The Risks of Ambiguity

By Subhashish Bhadra

  1. Define the ‘duty of care’ better and provide enforcement and accountability tools. Keeping aside the question of whether protection from harms and unlocking value are conflicting aims within the same framework, the bill imposes a ‘duty of care’ on certain stakeholders without providing them specific guidance or holding them accountable.
  2. Guard against too much government expansion in data markets. A powerful non-personal data authority (NPDA) will determine who is a data trustee and will adjudicate on disputes. Because India has low state capacity, the NPDA could turn more restrictive than enabling. Its role and functioning should therefore be based on regulatory best practices.

Analysis of Key Stakeholders

1. Data Trustees

  • Role: (i) creation, maintenance and data-sharing of HVDs (ii) ensure HVDs are used only in the interests of the community (iii) ensure that no harms occur to people due to re-identification (iv) set up a grievance redressal mechanism for the community (v) complain to the NPDA about harms emerging from sharing of non-personal data about their community (vi) store non-personal data as per the personal data protection bill requirements for the personal data underlying the NPD
  • Incentives: (i) Can charge a ‘nominal charge’ from data requesters for data infrastructure, data processing etc. but not towards data collection (ii) Create HVD that might benefit related entities financially or operationally (iii) altruistic goals — research, social good, etc.
  • Accountability: Unclear. Presumably to NPD Authority.
    • Many non-profits are institutionally linked to corporate entities. Despite an obligation to not discriminate between data requesters, data trustees could unduly benefit a related corporate entity because of weak enforcement in India and lack of financial incentives for data trustees. Therefore, the NPDA should be mandated to set ownership and funding criteria if a non-profit wants to be a data trustee, such that corporate-linked non-profits can be excluded.
    • Data requesters should be allowed to complain to (a separate quasi-judicial arm of) the NPDA if their data requests have either been denied, or provided on discriminatory terms.
    • Since they deal with the community’s data, data trustees should be mandated to be transparent, by publicly releasing annual reports that list the HVDs they operate, the data these contain, how many requests they got, from whom, etc. The specifics could be delegated to the NPDA.
    • This is a unique opportunity to provide recourse against group harms like algorithmic bias against racial, ethnic or religious groups. These are not adequately covered by the personal data protection bill (since harms are at a community level), and could be brought in here.
  • Role: (i) share data with data trustees when data requests are made (ii) ensure no harm to data principal from re-identification (iii) use best anonymization technique and data sharing protocols (iv) share meta-data with NPDA
  • Incentives: No incentives specified.
  • Accountability: If a data custodian denies a data trustee’s request, the latter can appeal to the NPDA. Other accountability measures (e.g. related to duty of care towards community) undefined.
    • The scope of mandatory meta-data sharing is unclear. Section 6.1(V) seems to indicate that all data businesses will need to share data, whereas Section 6.3 seems to indicate that only registered data businesses will need to. This should be clarified.
    • Depending on this clarification, the purpose of registration may need to be clarified if the interpretation from Section 6.1(V) holds.
    • Since the purpose of the meta-data directory is to enable creation of HVDs, access to it should be restricted to potential data trustees (i.e. government or non-profits), rather than all organisations registered in India — a group that could include potential competitors of the data custodian.
    • The ability of data trustees to complain about harms from non-personal data — which will presumably be either against a custodian, processor or trustee — is included but not defined. It should be defined. Moreover, the right to complain should be extended to all individuals (the equivalent of a PIL), so that NPDA-appointed trustees don’t act as gatekeepers for rights violations.
  • Role: (i) ensure no harm to data principal from re-identification (ii) use best anonymization technique and data sharing protocols (v) share meta-data with NPDA
  • Incentives: No incentives specified.
  • Accountability: Accountability measures (e.g. related to duty of care towards community) undefined.
  • My Take: Data processors are not expected to share non-personal data with data trustees, unless they collect such data themselves. However, specific obligations around sharing meta-data and accountability for non-personal harms are unspecified, as noted above.
  • Role: (i) Use requested data only for specific purposes, and to benefit greater good (ii) store non-personal data as per the personal data protection bill requirements for the personal data underlying the NPD
  • Incentives: None specified. Report says that a requestor can use data to benefit greater public good, but is silent on using it for private profit.
  • Accountability: None specified.
  • My Take: The framework aims to benefit organisations that seek data from high-value datasets. It uses principles like ‘specific purpose’ and ‘greater good’, without clarifying what these mean, or how they will be interpreted or enforced. To avoid any such confusion, the committee should provide more details.
    • The report says that non-personal data sharing should benefit greater public good, but does not lay out a process for ensuring it. The process could require a requestor to specify the purpose for which it would use the data. The data trustee should be obligated to provide that data, unless it chooses to dispute it with the NPDA.
    • Relatedly, the report is silent on what the data requestor can do with non-personal data (i.e. equivalent of ‘licensing requirements’). Can it combine datasets and create proprietary data? Can it make data freely accessible to the public, thus bypassing the data trustee? Just like with open source software, the NPD law can impose licensing requirements on requestors, to be determined by the NPDA at the time of approving an HVD. Using NPD for private profit should be an acceptable use — anything else will prevent start-ups from using these datasets.
    • There is no post-facto accountability to ensure that the data requestor used the data for specified purposes. This is understandable and desirable because too many restrictions might defeat the purpose of the framework. However, the framework should have a mechanism for complaints by either trustees or individuals, to be adjudicated by (a quasi-judicial arm of) the NPDA.
    • As stated in the report, the purpose of non-personal data is to benefit India and its people. Companies registered abroad may provide such benefits too, especially young foreign start-ups for whom registering in India is cumbersome and expensive. Therefore, access to HVDs should be open to any organisation that is using it to benefit Indians — which can be monitored by the relevant data trustee.
  • Accountability: None specified.
  • Role: (i) ensuring unlocking economic benefit from non-personal data for India and its people (ii) create data sharing framework (iii) manage meta-data directory (iv) establish rights over Indian non-personal data (v) address privacy and re-identification risks, and prevent misuse (vi) adjudicate when data custodian refuses to share data with trustee
  • Incentives: None specified.
  • Accountability: None specified.
    • NPDA must be mandated to organise a public consultation process before bringing out a new regulation. This should include a cost-benefit analysis, public consultation, revision of draft, another round of consultation, and a final regulation that responds to major comments received.
    • Judicial functions of NPDA — e.g. resolving disputes between data trustees and data custodians — should be with a different entity, whose officers are trained in law and appointed by a majority judicial body. This will maintain ‘separation of power’ and ensure specialisation.
    • NPDA should submit detailed annual reports to Parliament (and also make them public), meet with the Parliamentary IT Committee every quarter and publicly release detailed minutes from its board meetings. This will ensure accountability and transparency of the NPDA.
    • For any investigative or enforcement functions (e.g. in addressing misuse of data), the NPDA should create and enforce SOPs that provide businesses clarity on what to expect. Not doing so will create uncertainty for tech businesses, and thereby hamper innovation in the economy.
    • In situations of low state capacity (like in India), regulators often respond by limiting the number of entities that they regulate. Such behaviour will be harmful under this framework, since the NPDA determines who is recognised as a data trustee (and, by extension, as a ‘community’). Restricting the number of data trustees will limit the rights of communities over their data. Hence, the NPDA should be mandated to provide in writing, and within a few weeks, responses to all those who apply to be a data trustee. The rejected applicants should be able to challenge the decision.

Sharing of Data with Government

One of the contentious issues under this report is the perceived carte-blanche to the government to access non-personal data. My interpretation is, however, different — the report says that there are three grounds for government to access non-personal data:

  • Law enforcement and crime prevention
  • Pandemic mapping, prediction and prevention

If the government wants to access data — either personal or non-personal — there are more convenient ways for it to do so, rather than go through the high-friction route of data trustees, and non-discriminatory HVDs.

*

Subhashish Bhadra works as Principal, Investments at Omidyar Network India. This article — originally posted here — has been cross-posted with permission.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
