In September 2019, the Ministry of Electronics & Information Technology, Government of India, formed a Committee of Experts (“Committee”) to deliberate on the issue of ‘Non-Personal Data’ and to suggest an appropriate regulatory framework for the subject. The Committee’s initial report, (“Draft Report”) was released for public comment on July 12, 2020. In the next few posts, we will summarise, reflect on and critically analyze the concepts presented in the Committee’s report. This post focuses on the concept of ‘non-personal data’ as a category for regulatory efforts under the Draft Report.
Most of the recent legal and regulatory efforts have focused on the interests of individuals in controlling information which relates specifically to them, as a matter of informational privacy. This culminated in both the recognition of the fundamental right to privacy in KS Puttaswamy v Union of India, as well as in a comprehensive legislative proposal – the Personal Data Protection Bill, 2019, (“PDP Bill”) which is currently being deliberated before a Joint Committee of the Houses of Parliament. However, the Government of India has more recently sought to broaden the scope of regulation for digital technologies and information, the culmination of which has been the formation of the Committee and now, the Draft Report which proposes a new regulation and regulator for non-personal data.
At the outset, it is necessary to examine the definition of ‘non-personal data’, and whether it is a useful category for the intended forms of regulation. Non-personal data has been defined in by the Committee by exclusion – all categories of information not covered by the Personal Data Protection Bill. Personal data under the PDP Bill is defined as data ‘relating to a natural person’ who is directly or indirectly identifiable through the data. Non-personal data effectively includes all data that is not ‘personal data’.
Given the evolution of databasing techniques and technologies for linking information, legal scholars have questioned and critiqued the utility or adequacy of ‘personal information’, particularly as it relates to the protection of individual privacy. Paul Ohm, for example, has argued against the qualifier of ‘identifiable information’, suggesting that contemporary databasing and re-identification techniques make the category obsolete since almost any information can be linked back to an individual. Others, like Schwartz and Solove, have suggested that personally, identifiable information should be a more fluid concept encompassing different standards for protection for different forms of information, according to the context and the risk of re-identification. The PDP Bill also uses similar standards of ‘identifiability’ to denote the scope of its regulation. These discussions imply that the concept of ‘personal data’ and ‘non-personal data’ are not fixed or immutable categories. Rather, they are dependent upon factors including the context and purpose of the use of information and the technologies available for processing or re-identifying information.
The Draft Report proposes to regulate non-personal data in order to foster greater sharing of information, regulate how companies use data, and to enable competition between firms, among other things. These ends of regulation put it firmly in the cross-heads of the proposed data protection regulation, entailing substantial conflict and intersection between these distinct fields of regulation. However, the Draft Report does not adequately address the implications of tying the field of the proposed regulation to the concept of personal data. It is essential that the Committee delineates the scope of its proposed regulations with more clarity.