In India, the black market for people’s personal data is booming, putting Indians’ privacy at risk. Yet the government is persisting in pushing a standalone law on “non-personal” data instead of prioritising a meaningful personal data protection regime that would keep Indians safe. That’s especially troubling for people who are already targeted for data exploitation, abuse, and discrimination, such as women, journalists, activists, and human rights defenders. Access Now is providing input in the process, urging India’s Ministry of Electronics and Information Technology to redirect its efforts to ensure strong personal data protection laws are enacted and enforced.
Non-personal data has been defined as data that either does not relate to or identify a particular individual (such as weather data) or has been anonymised. The primary intent for a framework for regulating non-personal data is to enable the sharing of these data for the “public good” and allow businesses to use it to drive profits and innovation. Regulations related to people’s data must put people first, not businesses.
The Ministry of Electronics and Information Technology kicked off the process of developing the framework by forming a committee of experts under the chairmanship of Mr. Kris Gopalakrishnan. The committee published its initial report on 13 September 2020, seeking public comments. Our input at the time stressed the clear need to prioritise the creation, advancement, and actual implementation of a personal data protection framework that secures data protection for all Indians — not rushing ahead to open up new uses of data that could be risky in the absence of that foundational framework.
After getting public feedback and suggestions, the expert committee published a revised report early in January 2021. While certain changes were made to the proposed non-personal data framework, there are many gaps remaining to ensure it protects the rights of the people in India.
We submitted our follow-up comments to the Ministry on 31 January, underscoring that not only it is premature to advance a framework for non-personal data as a legislative priority at this time, it would raise significant issues that would impair the enactment, enforcement, and institutionalisation of data protection measures in India. The top priority and primary objective of the committee and Ministry should be to protect people’s personal data, not non-personal information. We therefore argue that the outcome of the committee’s work should be a set of recommendations and a rationale for the framework, which a data protection authority set up by a personal data protection law would then study. Proceeding with the standalone law on non-personal data ahead of time would only put long-term effective data protection governance in jeopardy.
In addition to this top level concern, we also flag issues of concern in the revised report related to (a) restricting and minimising the use of data of users, rather than promoting its exploitation, (b) amendments needed to the structure of the non-personal data regulator, (c) the treatment of anonymised data as non-personal data, and (d) the role of data trustees — among other issues.
Access Now continues to assist lawmakers across the globe in developing personal data protection frameworks that are modern and adhere to international standards for safeguarding human rights. This is all the more important during the COVID-19 pandemic, when governments are using health data to fight the spread of the disease. We stand ready to advise those preparing or revising personal data protection legislation in India.