Personal Data Protection Bill, 2019 | Control over non-personal data a risky proposition

The Bill provides in particular the definition of personal data, but does not define exclusively what will be meant by ‘non-personal data’. Personal data helps identify an individual and comprises details like name, age, gender, phone number and the like. It can be again sub-categorized as sensitive personal data - which includes information on financials, biometric, health, someone’s sexual orientation, genetic profile etc.

Globally, different privacy laws govern protection of personal data of an individual, but ‘non-personal data’ stays outside the realm of the legal ambit and therefore it is highly unregulated. The definition of non-personal data as ‘any other data than personal data’ might sound very simple, but it is slightly more complicated.

The European Union has two different legal regimes to deal with personal and non-personal data -- GDPR (General Data Protection Regulation) -- Regulation 2016/679 and Regulation 2018/1807, respectively.

The EU regulation sub-categorises non-personal data into two types on the basis of its origin. The first is any data which does not identify any human being and includes information relating to climatic conditions, industrial machines, aggregate e-commerce sales and the like. The second is the anonymised personal data, which makes it difficult to identify a particular person, but contains information on location, e-commerce shopping histories etc. Anonymised data is thus a result of dataset collected from various individuals to set out a pattern where although the identity of a particular individual must be hidden, but it is not that difficult to re-identify or trace the individual.

Apart from these two, the EU regulation discusses the concept of “mixed database” wherein the said data consists of elements of both personal and non-personal data. In such cases, where the personal and non-personal data are closely inter-linked, it becomes necessary to ensure as to how any breach is to be dealt with when such anonymised yet personal data of an individual is also at stake and the law adequately deals with it. Hence, defining everything other than personal data as non-personal data is problematic.

It is, therefore, very important to legally delineate these concepts, by statutorily defining them in the first place. No such distinction or elaboration on such non-personal data is provided under the Personal Data Protection Bill, 2019.

Section 91, as mentioned earlier, provides for data aggregation (which includes non-personal data) and collection for maximisation of the digital economy. The Bill does not provide how data breach of such non-personal data would be dealt with. Given the different categories of non-personal data and how sometimes it can give birth to situations where the anonymised personal data can also be misused, such aggregation raises a lot of concerns.

The process of anonymisation of personal data is not completely devoid of risks too, and can actually be used for the re-identification of an individual. By combining datasets and using advanced techniques, the anonymised datasets can be processed to identify the individuals by assessing the patterns of their activities. This further raises concerns over the privacy rights of individuals in cases of illegal use of such personal data and its breach.

The Data Protection Authority, which is to be constituted under the law, and will have jurisdiction on cases of data breach, will naturally face a challenge in dealing with situations where the said data falls under the category of non-personal or mixed data, due to the absence of specific statutory provisions relating to it.

This move of providing complete control over the non-personal data to the government is very risky, given that there is no statutory accountability at the government’s end in the case of misuse. Similarly, again under Section 91, the government can direct compulsory data sharing among companies. This sounds good for a startup, but it is very unfair to the already established companies, who have collected their data by investing a lot of resources and time.

Hence, the access to non-personal data and issues relating to its collection, usage and formulation of policies, based on it, needs separate attention due to the complex nature of such data. Any casual approach towards such information will only lead to more confusion and raise substantial privacy concerns in matters of breach or misuse of such data.

If the government doesn’t rectify such definitional and structural issues with the Bill, it is bound to generate a lot of litigation in the higher judiciary, at the same time possibly compromising with the privacy of a lot of individuals. The GDPR, along with other EU regulations, are a very comprehensive set of legislations on this issue and can serve as a guiding light to the Indian law on the matter.

Raghav Pandey is an Assistant Professor of Law at Maharashtra National Law University, Mumbai. Aditi Seetha is a lawyer practising in Delhi. Views are personal.