A robust non-personal data (NPD) governance framework will have to address antitrust concerns in the machine-to-machine (M2M) space, according to Nikhil Narendran, Partner at Trilegal— a law firm. “Some of this (M2M) data could be proprietary, or important to the company but when you make it open, there is a chance it will be accessible to other players, and affect their competitive advantage. The government will (also) get access to it,” Narendran cautioned.
A company’s data is usually stored in a data centre which houses proprietary M2M machines. The provision of data will include data from such a centre, Narendran explained. “A company’s proprietary information such as how it runs its business, how it runs its data centre, etc., could be revealed to a competitor or a third party,” he added.
Narendran’s concerns stem from the fact that the NPD framework proposed by the Committee of Experts headed by Kris Gopalakrishnan calls for controlled access to NPD for individuals and organisations. (You can read MediaNama’s summary here.)
Understanding M2M: The term is used for technology that enables networked devices to exchange information and perform actions without human involvement, according to TechTarget. M2M communication is often used for remote monitoring, the article explained. Moreover, M2M is also the foundation for the internet of things (IoT).
“Artificial intelligence (AI) and machine learning (ML) facilitate the communication between systems, allowing them to make their own autonomous choices,” read the article.
Narendran said that there are a lot of problems with the NPD framework but these problems multiply for M2M. “…a large amount of M2M data will be NPD, the problem is multipolar in the M2M sector,” he warned.
Why it matters: It is important to understand the impact of a non-personal data framework on M2M communications given its widespread use in various sectors. The implications can be far-reaching as a large volume of data being processed by machines is non-personal data. The lack of a framework leaves this data susceptible to deanonymization risks thereby threatening the privacy of users.
Never miss out on important developments in tech policy, whether in India or across the world. Sign up for our morning newsletter, with a “Free Read of the Day”, to experience MediaNama in a whole new way.
What kind of data is covered under M2M communications?
M2M communications feature heavily in infrastructure and industrial segments. Arjun Sinha Roy, Founder and Director at Irasus Technologies— a cleantech energy firm based out of Gurugram, offered the following examples which use M2M communications:
- GPS (Global Positioning System),
- Industrial Shop Loading,
- efficiencies in the usage of solar energy,
- and electricity distribution.
Roy also pointed out that devices such as glucometers, and devices with sensors which track people’s vitals in real time leverage M2M communciations and will fall under the purview of an NPD governance framework.
“Imagine POS (point of sale) machines connected all the time, (it will aid) rural banking. If you’re able to connect machines in rural health centres to a centralised facility in a city, diagnosis available in those cities can be done remotely using an M2M framework,” Roy told Medianama.
Amol Kulkarni, Director of Research at CUTS International, said that UPI (Unified Payments Interface) also uses M2M communication as it sits between machines operated by different players in a payment or a financial transaction.
Moreover, Digvijay Chaudhary, Researcher at Centre for Internet and Society (CIS), added that M2M communication will include weather data, and sensor data collected from chimneys and factories. He said that the interaction between systems such as a smartwatch and a phone is also an example of M2M communication.
What are the cybersecurity concerns?
Narendran elaborated that NPD will also cover telecom data such as the number of calls that a telco handles in a particular region. Narendran also said that it will include the number of packets that flow through the core network of a telco. It could also cover the number of intrusions stopped by the telco at their outer level.
“Why would a company reveal such information to the public? The first example can be of use (to businesses). We can figure out how many calls went to restaurants, spas, and hotels. The other examples enter the danger zone. One can figure out how strong or resilient a telecom network is with the help of that data,” he warned.
Narendran added that telcos will face a problem while taking a decision on which data to release and which data to hold back. “The companies can call some data proprietary or sensitive and not share it but that exception is not there currently,” Narendran told Medianama. He highlighted that unfettered access can poses a threat to security.
As mentioned above, a company will have to disclose its M2M data, which is usually stored in a data centre where several machines communicate with each other, under the framework. “The information will reveal details about (the company’s) network topology whereas information about traffic could expose cybersecurity and leave a target on the (back of) company’s network,” Narendran said.
No incentive to share non-personal data
Narendran said that there are no incentives for enterprises which rely on M2M communications to comply with an NPD framework. The question of incentives is important because companies will incur huge costs and spend a lot of time and effort to anonymise large amounts of personal data to create non-personal data and then share it.
Meanwhile, Kulkarni said that the point of incentives, fees or commission that an entity should receive for sharing NPD with businesses needs to be accorded serious consideration.
He said that companies have made these investments to put systems, which collect, generate, and transfer data, to run a business. He further clarified that collection and transfer of NPD is not the only substantial purpose of an investment.
“A data fiduciary which has a business of providing services to its consumers and collects data in the process so the investments that it has made is not necessarily only for collection or generation of NPD. They are in the course of its business,” Kulkarni added.
Understanding risks of deanonymisation
A large degree of non-personal data is actually personal data which is stripped of personally identifiable information (PII). It means that NPD is still susceptible to misuse if a company manages to add PII back into the mix. Chaudhary said that the level of risk will depend on what kind of checks and balances are built into the NPD framework.
He explained that health data, including heartbeat rate, collected by companies to train their AI systems will have to be first anonymised for it to be classified as NPD. The users will only have a right to know how this data is used if there is a provision under a law. He pointed out that there is a privacy risk posed by NPD:
Re-identification: It is the risk when a user’s anonymised data is re-identified by companies using various other pieces of data sets. Chaudhary said that there was a study which found that true anonymisation was not possible because of re-identification. Chaudhary offered an example in which a smartwatch detects that the heart rate of a certain group of people becomes calm or goes in a meditative state five times a day. There is a risk that the smartwatch sees a pattern and identifies these people as Muslims in the district. Chaudhary explained that the risk is proportional to the processing power of an organisation even if the data is stripped of personally identifiable information.
Narendran elaborated that data is anonymised using technologies such as differential privacy and K-anonymisation. They (committee of experts) are presuming that the data will be corrupted which is why companies will not be able to identify anyone. It (rationale) will not always fly with new technologies coming up,” Narendran said.
Is there an upside?
Roy argued that anonymised data can be linked through different attributes and used to make systems to support decision-making or develop a better understanding of consumer behaviour. He said that it is important to weigh benefits in the privacy debate as certain industries will accrue “huge benefits” if the data is used judiciously.
He reasoned that societies around the globe are not on the same page when it comes to weighing the benefits of privacy. “Certain societies, such as US and European societies, are extremely sensitive about privacy (whereas) it is so difficult to sell a subscription service to an Indian consumer because we have a mindset where we are fine with a free (service) even if it is at the cost of privacy,” Roy said.
“A lot of NPD will be used by businesses to drive efficiency,” Roy averred.
“It is important to understand the context of data usage. Once you strip the hype around IoT and M2M, (you will realise) machine automation digitalizes only a repeatable and a basic task at the end of the day. The debate should (instead) be about what you do with data,” Roy concluded.
M2M in the context of communities
The NPD of communities held by Big Tech will be one of the most valuable datasets that a lot of businesses will want to obtain access to under the framework. It is also one of the most vulnerable cohorts when it comes to deanonymization risks.
Chaudhary said that the NPD framework will not cover communities which are created algorithmically as opposed to offline communities created with the knowledge of people such as employees of an organisation.
“Now, there are certain groups that are formed by Big Tech but a user is not aware of them (for targeted advertisements). They will classify users into certain categories based on their patterns of how they use social media or how they interact with e-commerce websites.” Chaudhary told Medianama during an interview.
The question of whether communities, whose anonymised data is used by companies, have rights must be considered as well, according to Kulkarni. He supported the idea of incentives for communities to partake in transfer of such data, adding that it was worth considering whether a data fiduciary (or custodian) making profits out of such data should disburse some of the profits to the community.
Roy painted a more optimistic picture and suggested that NPD is being used across industries. “The context of misuse is limited and the benefits are higher in terms of industrial efficiencies,” he said.
M2M in the context of personal data
Narendran explained that dealing with M2M communication on the consumer front will be challenging because it will involve collection of personal data. The IoT devices record biometrics and voice patterns which fall under the NPD framework only when the personal data are anonymised.
Furethermore, a lot of the data processed by machines will fall into a mixed data set. A mixed data set contains both personal and non-personal data. Chaudhary explained: “Most M2M communications would have a mixed data set. They are so closely interlinked that it is difficult to separate such mixed data. The data protection bill says that mixed datasets shall be considered as personal data.”
Roy said that the M2M space will be disrupted, elaborating that the consumer segment, which consists of IoT devices, will have to bear the brunt of this disruption. However, he was upbeat about the benefits resulting in the use of personal as well as non-personal data.
He said that data is available in a certain format today which could be either digital or analog but it is missing real-time context which is offered by IoT devices.
Do we possess regulatory capacity to monitor M2M communications?
Chaudhary said that there will be no technology to achieve compliance if a law is not in place. “There are huge systems interacting (presently); it’s just that we do not have a law in place. The data protection bill will create a compliance burden on every organisation that is collecting data. The compliance will be huge because it’s difficult to classify what is personal data and what is not personal data. There will be a need for building capacity,” he explained.
Most businesses will only look to build capacity once a law on NPD is put in place in order to meet its compliance burden, as per Chaudhary.
Narendran said that no one has capacity at the moment. “The fact of the matter is we don’t have capacity for personal data,” he said. He portended that the framework is going to be selectively used against certain sectors if it were to come out today.
Kulkarni said that the Indian government should stick to a single regulator and deal with personal data first. “We believe having two regulators is not a good idea.” The state needs to figure out how to protect personal data and learn from its experience.
When asked about capacity, Kulkarni used the example of the tax department to suggest that there are “silos of excellence” within the country. He said that the government needs to think about the capacity of the competition regulator— Competition Commision of India.
“The non-personal data governance framework tries to solve the problem of data monopolies and how to break data monopolies and silos to enable flow of data from Big Tech to small companies, which is a competition problem,” Kulkarni explained.
“CCI is building up its own capacity. It’s quite late in the day but at least they are doing something now,” Kulkarni said.
Lowdown on Committee of Experts’ report
The Ministry of Electronics and Information Technology (MeitY) constituted the Committee of Experts in 2019 to deliberate upon a governance framework for NPD. The first report was published in July 2020 after which the committee released a revised version in December 2020.
The committee is ready with a new draft of its recommendations but the report has not been made public yet, Kulkarni told Medianama.
Some of the highlights from the report were:
NPD Legislation: The Committee of Experts has proposed that the Non Personal Data (NPD) framework become the basis of a new legislation for regulating NPD.
Sovereign purpose requests exempt: The Non-Personal Data Authority will not adjudicate the validity of data requests under Sovereign purpose (national security, law enforcement etc).
Entire raw data databases exempt: The committee has limited data requests to specific data-fields, and no requests can be made for entire databases.
Private inferred data exempt: Private entities need not make available inferred, derived data, including trade secrets, algorithms, analytics.
Purpose limitation: The committee clarified that one can request data only for specific and defined purposes.
Data Processors exempt: Data processors cannot be asked to give NPD belonging to data custodians (whose data they’re processing).
What should be the way forward?
Narendran* said: “The NPD framework needs more open discussions to make it a meaningful one. The data altruism project of the EU (European Union) is very similar to the NPD project of India but that’s a bit more altruistic in its outlook.”
Chaudhary suggested that users must be told what their data is being used for. “We do not know what our data is being used for in the absence of a law,” he added. He said that users give their consent for data to be used by the likes of Alexa, Google Assistant, for their product and AI training, or other use cases but the exact use case is not revealed.
“It is extremely difficult to imagine that they will be giving you a specific use case. There are remedies for personal data in the data protection law. There are no penalties when you talk about NPD, and they are not even in the works,” Chaudhary said. He said that India should not focus on being the first country to come up with a law on non-personal data; the focus should be on bringing a good piece of legislation.
Roy said that the advantages of having these systems in place will be far higher than the cost but if there is any potential misuse, it needs to be addressed because if you have misuse then it breaches the consumer’s trust. He supported the idea of a self-regulatory code of conduct (along the lines of ASCI) for the industry to follow which will supplement the provisions under the Act.
The regulators should also try to tackle the question of data ownership which Roy said is the biggest industry concern. “There is no clarity as to who owns the data,” he said.
He gave an example of a fintech company which drives its business through an app on the phone. He said that there are many claimants to the data starting off with the mobile app company, the consumer, mobile network operator, underlying financial institution, etc.
“The objective (should be) to make the user the owner of the data. It will throw up legal challenges otherwise,” Roy said. He added that India should move in the direction of GDPR (General Data Protection Regulation). The users should have a right to control access to the information, he reiterated.
*Disclaimer: The post was edited on September 22, 2022 at 12:40pm for purposes of clarity.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also read:
- Why ‘group privacy’ should be recognised, and how ‘non-personal’ data becomes a regulatory blindspot
- New Data Governance Framework ditches monetisation, encourages businesses to share non-personal data
- Regulating non-personal data: How the free flow of data makes anonymisation harder #NAMA
- Regulating non-personal data: Is there a need for an overarching policy? #NAMA
