Independent Research and Policy Advocacy

Your Reference Library

Independent Research and Policy Advocacy

Your Reference Library

Our Response to the Report by the Committee of Experts on Non-Personal Data Governance Framework

Save Post

Abstract

In this blog post, we present our comments to the Report by the Committee of Experts on Non-Personal Data Governance Framework (the Report) in response to the call for comments from all stakeholders by the Ministry of Electronics and Information Technology (MeitY), Government of India. Our response is accessible here.

We are concerned that a sweeping regime with detailed regulatory supporting apparatus has been envisioned in this Report without a clear articulation of the objectives or motivations of such a regime, or why these objectives cannot be dealt with under existing frameworks. Further, it is unclear that the market-wide or consumer-level risks from such a framework have been thoroughly and rigorously considered or fleshed out using well recognised policy analysis framework.

Our response organises our overarching concerns into the following 3 sections:

  1. The Report fails to identify the basis for a separate regulatory regime for regulating non-personal data (NPD).

    We find that the major objectives stated in the Report, i.e. regarding competition, and addressing privacy concerns are insufficient to form the basis for a separate regulatory framework for the regulation of NPD.

    • With respect to competition, the Report has failed to provide evidence to establish an abuse of dominance in the market that justifies the need to regulate NPD. Further, entrusting the Non-Personal Data Authority (NPDA) to address issues of market competition impinges on the jurisdiction of the Competition Commission of India (CCI).

    • Next, the Report requires the NPDA to address privacy concerns that may emerge from the re-identification of non-personal data. This creates the potential for regulatory overlap and clash with the proposed Data Protection Authority (DPA) under the Personal Data Protection (PDP) Bill.

  2. Lack of clarity in concepts and definitions that are foundational to the Report’s vision further weaken the basis for it to exist.

    • The Report attempts to conceptually distinguish between personal and non-personal data. However, in practice, these concepts are not watertight and often flow into each other. Therefore, regulating them under two separate legal frameworks can create considerable legal uncertainties.

    • Further, the Report assumes that the sub-categories of Public NPD, Private NPD, and Community NPD are mutually exclusive. Our analysis suggests that data could belong to more than one of these categories simultaneously. This can create confusion in their regulatory treatment as the Report proposes different data sharing arrangements for different categories.

    • Also, the understanding of groups, group privacy, and collective harm in the Report is narrow. The Report assumes that members of communities or groups share some socially constructed, physical and/or behavioural characteristics and individuals are aware of their membership to a community or group. The Report fails to account for the privacy risks or harms that arise through profiling within databases, where ad-hoc groups are created without the knowledge of the individuals who constitute the group themselves. This limits the robustness of the Report’s conceptualisation of group privacy.

    • The model of data trustees suggested by the Report does not appear to be representative of the communities it is supposed to represent. The suggestions made for the bodies that will act as trustees indicate that they are not genuine representatives of the community but could merely entrench government control or other power structures. Moreover, there is ambiguity in how the data trustees interact with the data trust, which calls into question the actual authority that data trustees might possess.

    • The Report proposes seeking individuals’ consent for anonymisation of their personal data. Consent is not adequate for protecting users’ data, as has been well established by the experience of other jurisdictions and rich literature on the subject. While consent is a good first step, similar problems of consent taking that exist for the collection and processing of personal data will persist in the case of NPD as well.

  3. The Report does not provide suitable evidence for the assumptions that underlie the market-based framework for data.

    • The assumption that data can be “priced” is not tested. The value of data is context-specific, and currently, it is widely recognised that data may not be accurately “priceable”. Research indicates that there are several factors that can help determine the value of data but based on the context of its use. This makes it difficult to estimate an ex-ante price of data.

    • The assumption that data can be “owned” or be treated like “property” is not tested. Various frameworks support broader control-based approaches to data rather than defaulting to ideas of “ownership”. Any regulatory approach to personal or non-personal data governance must move away from notions of “ownership” which are not well-suited to the reality of how data flows or to the claims of control that various parties have on the information that represents them.

Our full response is available here.

Authors :

FFI

FFI

Tags :

Privacy and Data Protection

Share via :

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts :

August 24, 2023 | Dvara Research

A customer-centric framework to implement data protection in financial services

Dvara Research, with the Data Security Council of India (DSCI), co-developed two privacy handbooks directed at FSPs in the insurance and banking sector. The handbooks help FSPs implement data protection in a customer-centric manner throughout the data lifecycle, including in legacy systems.

By Beni Chugh, Srikara Prasad, The Data Security Council of India
November 28, 2022 | ThePrint

Protecting the users — what the primary aim of a personal data protection legislation should be

The latest iteration of India’s data protection legislation calls for a reminder of why the country needs a Personal Data Protection Bill and what would make it a good one.

By Srikara Prasad, Beni Chugh
November 21, 2022 | Moneycontrol

Data Protection Bill | Three changes that will sharpen draft Bill

Protecting citizens’ privacy is a pre-eminent mandate of any data protection regime. The Digital Personal Data Protection Bill appears to have departed farther away from that mandate

By Beni Chugh
May 6, 2022

Marking up India’s Personal Data Protection Bill

India’s Personal Data Protection Bill, 2019 (the Bill) was introduced in Parliament in December 2019, and is currently under consideration by a Joint Parliamentary Committee of MPs.

By Srikara Prasad, Anubhutie Singh, Beni Chugh, Sarah Stanley, Malavika Raghavan
April 26, 2021 | Dvara Research

Understanding harm from personal data processing activities and its challenges for user protection

By Srikara Prasad
February 13, 2021 | Dvara Research

Response dated 31 January 2021 to the Report by the Committee of Experts on Non-Personal Data Governance Framework released by the Ministry of Electronics and Information Technology in December 2020

An analysis of literature on the socio-economic implications of sharing privately held NPD and the objectives of other comparable frameworks suggests that the rationale for some of these goals are unclear. They do not take into consideration the complete economic and social merits and demerits of sharing privately held NPD.

By FFI

In all our research efforts, we strive to maintain an independent voice that speaks for the low-income household and household enterprises. Our ability to perform this function is significantly enhanced by our commitment to disseminate as a pure public good, all the intellectual capital that we create.

Li Xs
Privacy Policy

© — Dvara Research | All Rights Reserved