Data reforms: Getting it right on data

World over, the data collection activities have continued to increase in variety, scale and speed.

By Gulshan Rai & Kamal Taneja

Two government documents relating to the regulation of one common parameter, “data”, are in the public domain. These documents deal with separate derivatives data, i.e., personal data (the PDP Bill) and non-personal data (the draft report on non-personal data of the Kris Gopalakrishnan’s Committee, hereinafter referred as NPD report). The common features among two documents are the concepts of consent, collection, usage of data, and mandatory sharing of same with the government for national security, public interest and economic growth. The NPD report, nevertheless, has some interesting concepts. It defines non-personal data and classifies it into private, public and community non-personal data. Certain categories of NPD, in line with PDP Bill, have been classified as sensitive and critical. New terminologies have been introduced like raw and factual data, data custodian, data trust, data trustee, etc. The report also discusses vital aspects relating to the data business and ownership of data. The data trustee can directly seek access to community data from anyone and place such data in a data trust.

In a sense, the data trustee would act as a self-regulatory organisation, though the NPD report does not say so directly. A separate regulator has been proposed for NPD. The report, particularly clause 4.1, indicates that different principles for data governance could be applied differently across sectors like health, e-commerce, artificial training data, etc. It may thus lead to the initial thought of different regulators for different data, a concept which has ministries have been toying with. An example is the e-commerce regulator.

The proliferation of technologies like next-generation communication, big data, artificial intelligence, data analytics, virtual reality and internet of things has led to the creation of many new services and transformation of the businesses which are information intensive. World over, the data collection activities have continued to increase in variety, scale and speed. The organisations and entities are and will get affected in unexpected ways. Every time anyone logs-in to access applications, metadata is collected by the applications and service providers. Only the application provider knows about the exact flow of data. The same data sets and metadata may be lying at several locations. Every authentication/authorisation of accessing “Google search”, “Apps” or such services may go out of the country. The scenario of cross border flow of data, thus, has become complex and confusing. The techniques and the issues to address such data sets and metadata have become more challenging and sophisticated. Few dominant players have emerged tilting the balance in the market worldwide. This aspect has been made amply clear in the recent US congressional hearing of dominating tech players.

The recommendations made in the NPD report, though take cognisance of technology and market trends, which are missing in the PDP Bill, and have far-reaching implications. A parliamentary committee examining the PDP Bill may have to take note. The two documents are by and large moving in silos. The interoperability of the two documents is important, especially when PDP and NPD are derived from the same composite and complex data set. Data from one sector has enormous value in other sectors. There cannot be different regulators for different derivatives of data, and that will result in turf war and confusion in terms of effective enforcement of regulations. There are challenges with the concepts made in NPD, many of which are in conflicts with PDP Bill. The report has attempted to provide examples of different types of non-personal data; however, such measures raise more confusion and issues then bring in clarity, vis a vis, PDP Bill. Inclusion of inferred or derived data in the definitions of personal and non-personal data in the PDP Bill as well as NPD report would create confusion. Treatment of such derived and inferred data in both derivatives, which at times can be proprietary information, would raise concern and confusion among all entities and regulators. Concepts like raw/ factual data have not been defined in the report. It must be noted that the data set of raw/ factual data would be complex and would contain both personal and non-personal data, thus raising confusion and turf war among stakeholders and regulators.

The NPD report has recommended that anonymised data be treated as non-personal data, taking cognisance of the fact that anonymised data bears a risk of re-identification. It must be noted that entities nowadays, for security, split, encrypt and store data in different storage systems. The data is encrypted with algorithms which are difficult to decrypt. Will encrypted data be taken as anonymised data.? If so, all such anonymised data will be personal data but would be shared as per provisions of NPD report rather than the mechanism prescribed under the PDP Bill. Further, the thumb rule provided in the report can qualify certain non-personal data as sensitive and critical, even if the underlying personal data may not be classified in the said category under PDP Bill. The report recommends that the data principal should provide consent for anonymisation and usage of the anonymised data. Misuse and withdrawal of consent are associated concerns. It is important to note that this very report also recommends about ownership of data. It raises a lot of issues relating to the intellectual property which have legal and procedural implications.

The organisations are mandated to share the data by law with data business houses. However, no mechanism has been proposed for binding data business houses and government agencies to adhere to while sharing/disclosing and commercialising data. Also, the report lacks appropriate details to determine the commercial value of the data which the data business and trusts would need to share with the data principal. The sharing of data also invokes serious IPR issues, and Article 300A of the Constitution of India gets into the picture. The same applies to Clause 91 of the PDP Bill. The said clause needs to be deleted in the Bill. The data-sharing mechanism is, in general, very weak, with no checks and balances. Even suggestions are missing to prevent misuse and violation of the rights of the data principal. It appears that the report intends to get facilities to data businesses and data trusts at par with those provided to security agencies, LEA and other government agencies under clause 35 and 36 of the PDP Bill.

Concepts like ownership of data, consent for data sharing, cross border flow and data business are under incredible strain world over. The report in the present form is merely a business proposition where ideas have been floated purely to recommend another line of business. Such proposals require clarity with respect to technical and procedural implementation and enforcement of regulations.

It will be a challenge for legal experts to shape the recommendations of the committee into a framework, which will stand the scrutiny of law. It will be better to revisit the report and consider all aspects, international scenario and geopolitics of data governance and recommend a modular framework which is interoperable and consistent with the Puttaswamy judgement and other laws. It will be easier to convert such well-conceived framework into regulations which may be implemented in phases as the country gets more clarity in a complex techno-legal subject.

Rai is former National Cyber Security Coordinator & distinguished fellow, ORF and Taneja is associate lawyer, Karanjawala & Co. Views are personal