A single regulator is needed for personal and non-personal data: CUTS International

KNN, July 16, 2020

While welcoming the release of report of the Committee of Experts on Non-Personal Data (NPD) Governance Framework, Udai S Mehta, Deputy Executive Director, CUTS International cautioned against having different regulators in cognate sectors, which may end up working in silos.

‘There is a need to adopt a whole of government systems approach towards data regulation, and the Data Protection Authority should be the single data regulator in the country,” an official statement quoted him as saying.

The report also calls for establishing a separate regulator for non-personal data: The Non-Personal Data Protection Authority. It also gives appropriate consideration to sensitivity of NPD, on the lines of personal data, as given in the Personal Data Protection Bill 2019 (PDPB). However, the same is devoid of a data principals’ perspectives, as was the case with the PDPB as well.

The report highlights the importance of light weight regulation and remains conscious of compliance costs of regulations. However, it misses out on stressing upon adoption of scientific and inclusive regulation making process, such as undertaking regulatory impact assessment; framing risk-based regulations giving due consideration to rights of data principals; and ensuring regulatory harmonisation.

The report recommends securing consent of data principals for processing NPD, along with personal data. Such stress on consent, while important, enhances the risks of consent fatigue. The report does not comprehensively discuss rights of data principals, including actions they are eligible to take in case of violation of their rights. The avenues and mechanisms for data principals to avail redress of their grievances are also not discussed adequately.

Just like the PDPB, the report calls for local storage of critical NPD, while allowing data mirroring for sensitive NPD. Several adverse impacts of mandating local storage of data under the PDPB have been well documented in CUTS studies – Data Localisation: India’s Double-Edged Sword and Consumer Impact Assessment of Data Localisation. Thus, costs and benefits of such recommendations need to be examined in detail.

The report empowers the government to request access to NPD for security, legal, law enforcement and regulatory purposes. However, despite recognising the possible privacy violations through NPD, it misses to recommend upholding principles of necessity, legality and proportionality while enabling such access.

This news item can also be viewed at: