Experts call for defining non-personal data before making laws on it

Economic Times, July 13, 2022

The Joint Committee of Parliament (JCP)’s recommendations on non-personal data (NPD) and anonymised personal data in last year’s draft Data Protection Bill will not work till NPD is defined clearly, cybersecurity and policy experts said on Tuesday.

Most experts who participated in a panel discussion by not-for-profit Consumer Unity & Trust Society (CUTS) International said that regulation of NPD when the definition of the term itself was still vague would be premature.

They said proper guardrails must be put in place before access to any NPD could be shared.

“At a certain point it was suggested by a few members but the Bill took a different turn where the word ‘personal’ was removed, which showed that the ambit of the Bill was increasing, and they wanted to include non-personal data as well,” Pandey said.

Pandey said in his view he wanted personal data to be dealt with as a standalone subject and look at NPD only if the need arose.

Regulating NPD calls for harder work in terms of ecosystem and enablement, and cannot be ordained by just writing a policy or law, said Ashish Aggarwal, head of policy and vice president at IT industry body Nasscom.

“It is much more than thinking of it as raw data. There is a lot of processed data or information when we talk of digitization, citizen services or e-governance in general,” Aggarwal said.

There is a need for a comprehensive cybersecurity framework to protect NPD, he said, which is why when the Bill talks about data breaches it steps into the domain of cybersecurity and moves away from the domain of personal data.

Shopkeepers’ data, for example, could be considered both individual and commercial, Parminder Jeet Singh, executive director at IT for Change, said.

“Without identifying the subject of non-personal data, it is not even meaningful to talk about protection, therefore it is futile without identifying to whom the protection would accrue,” Singh added.

The panel discussion was also attended by Daniel Castro, vice president at Information Technology and Innovation Foundation; Astha Kapoor, co-founder at Aapti Institute and Venkatesh Krishnamoorthy, India country manager at BSA.

The priority globally is to protect the personal data of users, and non-personal data should be kept as a separate entity, Castro said.

“In both cases, the goal should be to maximise the use of data and its economic value. But personal data needs exceptional protection,” he said, adding that personal privacy and data rights, and data portability were required to empower the consumer.

The economic value of data and the sheer quantity of data flow make approaches to data regulation important.

Despite being the fastest-growing digital economy and having a flourishing IT industry, India lags in its data protection regime and, unlike many other countries, does not have a dedicated regime for protecting personal data or NPD, said Amol Kulkarni, director, research, CUTS International.
This news item can also be viewed at: