wordpress blog stats
Connect with us

Hi, what are you looking for?

Regulating non-personal data: Is there a need for an overarching policy? #NAMA

A panel of speakers discuss the best regulatory approach while identifying what needs to be patched going forward.

Key Takeaways

  • An overarching policy governing non-personal data should have cross-sectoral jurisdiction
  • Before coming up with a regulation for NPD, the government should put its house in order
  • Government should have gained some experience in regulating personal data first

There is a need for an ‘overarching guiding framework in terms of policy’ that would govern not just non-personal data but would be a ‘broader policy’ formulated collectively by the government, industry, and consumers, said Amol Kulkarni from CUTS International.

Kulkarni was speaking at MediaNama’s ‘Regulating Non-Personal Data’ event held on February 18, 2022. The panel on ‘Privacy and NPD’ also included Amlan Mohanty from Google, Anand Venkatanarayanan from Hasgeek, and Digvijay Chaudhary from the Centre for Internet and Society, with Smriti Parsheera from CyberBRICS as the moderator.

This event was organised with support from Google, PhonePe, Amazon, Meta, and Microsoft. To support future MediaNama discussions, please let us know here.

Broader NPD framework should minimise harms

The regulatory framework for NPD should encourage consumers to utilise the data, encourage data sharing, and minimise harms, Kulkarni said.

Should have cross-sectoral jurisdiction: “Then we should look into different mechanisms of how can regulators, sector-level regulators as well as cross-sector regulators like Competition Commission of India, and perhaps the e-commerce regulator in near future or some other regulator, which has cross-sectoral jurisdiction, can add to this sort of policy-level discourse, and then can accompany the Personal Data Protection Bill to address some of the privacy-related concerns under non personal data,” Kulkarni said.

Government should put its house in order: He also asked the government ‘to put its house in order’ before it starts regulating NPD of the private sector and consumers. “Government is the biggest data fiduciary. It collects a lot of data and also the objective under the Data Protection Bill was to mandate data sharing for better policymaking. So if you already have collected a lot of non-personal data, are you first actually using it right now for better evidence-based policymaking?” he asked.

“Given that there is already a push for open data of government data and there is steps that the government has already taken in terms of policy commitments, it may make sense to instead of making this a law, roll it out as a smaller pilot project in some of those sectors and then, see what are the limitations that come up, who are the trustees who come up, whether the community is really represented in all of these, is their addresses all of this working, is privacy being protected, and then only try to scale it up?” — Smriti Parsheera

Exclusion, another big harm: “We have noticed that exclusion is a very big harm when it comes to communities or different types of people,” he said. Kulkarni was referring to exclusion from benefits which the government is providing to the citizens. He was speaking in the context of the need for a framework that would not just address issues related to NPD but issues such as exclusion as well.

Definitions and classifications of data need to be revisited

Expand definition of sensitive personal data: Chaudhary said that the definition of sensitive personal data should be expanded to include the protection that’s been accorded to personal data, to non-personal data too – through data minimisation and other principles.

Include aggregated data under NPD definition: “Rather than just calling it non-personal data, try to fit more and more value-locking data into the aggregate part and I think if you try to do that, there is much better definitional consistency,” Venkatanarayanan said, terming aggregated data as a ‘promising’ aspect which has not been explored in the context of non-personal data regulation. Technically a lot of privacy harms can be mitigated when it comes to aggregated data and that it can be ‘layered much more deeper with differential privacy,’ he added.

What should an ideal regulatory structure for non-personal data look like?

In response, Chaudhary identified four main areas of regulatory concern —

  • Competition issues arising out of NPD governance
    • Chaudhary said that the Competition Commission of India (CCI) is competent enough to pass judgement on such issues.
  • Trade-related issues
    • International trade rules would obviously apply to data-sharing requirements, he said.
  • National security issues 
    • Various government systems including NATGRID and CMS, they collect huge amount of non-personal data. Processing those sets of data, the principles of proportional and non-discrimination have to be taken into consideration in order to give access to the government to additional sets of data, Chaudhary said.

What’s the hurry in regulating NPD? Highlighting the government’s lack of experience when it comes to regulating data, Chaudhary said, “Why cannot we go step by step – first consider streamlining the regulation of personal data. Gather experience and then develop further regulation which the government may think is important.”

 “The risk of re-identification and the impossibility in modern technologies of anonymization has come to mean that there are no completely non-personal datasets. Therefore, the first solution is that whatever systems that you have taken place — the data prediction laws that you have in place reject them all and start afresh.” — Digvijay Chaudhary

Also Read: 

Have something to add? Subscribe to MediaNama here and post your comment. 

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...


RBI Deputy Governor Rabi Shankar called for self-regulation in the fintech sector, but here's why we disagree with his stance.


Both the IT Minister and the IT Minister of State have chosen to avoid the actual concerns raised, and have instead defended against lesser...


The Central Board of Film Certification found power outside the Cinematograph Act and came to be known as the Censor Board. Are OTT self-regulating...


Jio is engaging in many of the above practices that CCI has forbidden Google from engaging in.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ