
Personal Data Protection Bill, 2019 | Control over non-personal data a risky proposition

Giving ultimate access to the government with no statutory accountability will only muddy the waters

May 11, 2020 / 14:09 IST
Raghav Pandey and Aditi Seetha

The Personal Data Protection Bill, 2019, recently approved by the Cabinet, addresses the long-felt need to protect the privacy rights of an individual. The law, prima facie, strictly deals with issues of personal data, places stringent restrictions on the “data fiduciary” and imposes strict sanctions against violations. However, a lenient approach has been taken when it comes to the use of the data by the government.

The wide exemptions provided under the Bill raise serious questions about the government’s access to individuals’ data in the name of “interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign States, public order” etc.

The most debatable and questionable step is the forced collection of “any personal data anonymised or other non-personal data” from any data fiduciary or data processor, incorporated under Section 91. This attempt to give the government ultimate access to such non-personal data will only give birth to more complex privacy issues rather than solving them.

The Bill specifically defines personal data, but does not separately define what is meant by ‘non-personal data’. Personal data helps identify an individual and comprises details like name, age, gender, phone number and the like. It can be further sub-categorised as sensitive personal data, which includes information on financials, biometrics, health, someone’s sexual orientation, genetic profile etc.

Globally, different privacy laws govern the protection of an individual’s personal data, but ‘non-personal data’ stays outside the legal ambit and is therefore highly unregulated. The definition of non-personal data as ‘any other data than personal data’ might sound very simple, but it is slightly more complicated.

The European Union has two different legal regimes to deal with personal and non-personal data: the GDPR (General Data Protection Regulation), Regulation 2016/679, and Regulation 2018/1807, respectively.

The EU regulation sub-categorises non-personal data into two types on the basis of its origin. The first is any data which does not identify any human being and includes information relating to climatic conditions, industrial machines, aggregate e-commerce sales and the like. The second is anonymised personal data, which makes it difficult to identify a particular person, but contains information on location, e-commerce shopping histories etc. Anonymised data is thus the result of a dataset collected from various individuals to set out a pattern; although the identity of a particular individual must be hidden, it is not that difficult to re-identify or trace the individual.

Apart from these two, the EU regulation discusses the concept of a “mixed database”, wherein the data consists of elements of both personal and non-personal data. In such cases, where the personal and non-personal data are closely inter-linked, it becomes necessary to settle how any breach is to be dealt with when such anonymised yet personal data of an individual is also at stake and the law adequately deals with it. Hence, defining everything other than personal data as non-personal data is problematic.

It is, therefore, very important to legally delineate these concepts, by statutorily defining them in the first place. No such distinction or elaboration on such non-personal data is provided under the Personal Data Protection Bill, 2019.

Section 91, as mentioned earlier, provides for data aggregation (which includes non-personal data) and collection for maximisation of the digital economy. The Bill does not provide for how a data breach of such non-personal data would be dealt with. Given the different categories of non-personal data, and how it can sometimes give rise to situations where the anonymised personal data can also be misused, such aggregation raises a lot of concerns.

The process of anonymisation of personal data is not completely devoid of risks either, and can actually be used for the re-identification of an individual. By combining datasets and using advanced techniques, the anonymised datasets can be processed to identify the individuals by assessing the patterns of their activities. This further raises concerns over the privacy rights of individuals in cases of illegal use of such personal data and its breach.

The Data Protection Authority, which is to be constituted under the law, and will have jurisdiction on cases of data breach, will naturally face a challenge in dealing with situations where the said data falls under the category of non-personal or mixed data, due to the absence of specific statutory provisions relating to it.

This move of providing complete control over the non-personal data to the government is very risky, given that there is no statutory accountability at the government’s end in the case of misuse. Similarly, again under Section 91, the government can direct compulsory data sharing among companies. This sounds good for a startup, but it is very unfair to the already established companies, who have collected their data by investing a lot of resources and time.

Hence, access to non-personal data, and issues relating to its collection, usage and the formulation of policies based on it, need separate attention due to the complex nature of such data. Any casual approach towards such information will only lead to more confusion and raise substantial privacy concerns in matters of breach or misuse of such data.

If the government doesn’t rectify such definitional and structural issues with the Bill, it is bound to generate a lot of litigation in the higher judiciary, at the same time possibly compromising the privacy of a lot of individuals. The GDPR, along with other EU regulations, forms a very comprehensive body of legislation on this issue and can serve as a guiding light to the Indian law on the matter.

Raghav Pandey is an Assistant Professor of Law at Maharashtra National Law University, Mumbai. Aditi Seetha is a lawyer practising in Delhi. Views are personal.

first published: Dec 12, 2019 02:37 pm
