On September 13, the Government of India constituted a committee of Experts on Data Governance Framework under the chairmanship of Kris Gopalakrishna, Co-Founder Infosys.
Constitution of the Committee
The members of the Committee are
- Shri Kris Gopalakrishna, Co-Founder of Infosys
- Additional Secretary/Joint Secretary, DPIIT (Department of Promotion of Industry and Trade)
- Ms Debjani Ghosh. President NASSCOM
- Dr Neeta Vema, DG, National Informatics Center
- Shri Lalitesh Katragadda, CTO, Avanti Finance
- Dr Ponnurangam Kumaraguru, IIIT, Hyderabad (Ed:is it Delhi?)
- Shri Parminder Jeet Dingh, IT for Change
- Shri Gopalakrishna S, Joint Secretary, MeitY
Terms of Reference
The terms of reference of the committee are
- To Study various issues relating to Non-Personal Data
- To Make specific suggestions for consideration of the Central Government on regulation of Non Personal Data
Concept of Privacy of Community Data
The initial paragraphs of the notification recalls the work of SriKrishna Committee and refers to the “Community Data”.
The SriKrishna Committee had commented
“Community data relates to a group dimension of privacy and is a suggested extension of our data protection framework. It is a body of data that has been sourced from multiple individuals, over which a juristic entity may exercise rights. Such data is akin to a common natural resource, where ownership is difficult to ascertain due to its diffused nature across several individual entities. It is relevant for understanding public behaviour, preferences and making decisions for the benefit of the community”
The Committee had gone on to suggest that the Government may consider a law to recognize the phenomenon where personal data of individuals get aggregated (eg: Google Map data) and becomes useful to the community, but is beyond the control of the individuals for regulation under the PDPA.
It had flagged the possibility that Individuals may not be aware of what their data can disclose when aggregated with billions of other data points. This data is analysed by algorithms and produces reliable data which helps produce other indicators that are of help to the community.
However, the Committee noted that an individual’s sharing of data in some of these cases automatically shares the data of his/her spouse,friends and family without their consent. It also flagged the possibilities that companies collecting such data can make use of it as “Big Data” and derive some pattern of behaviour of the community and hence the “community privacy” was at risk.
The Committee noted :
“A suitable law will facilitate collective protection of privacy by including a principled basis for according protection to an identifiable community that has contributed to community data. This will take the form of class action remedies for certain kinds of data breaches involving community data with diffused social and systemic harm. Tools like group communication and sanction may be envisaged. Such protection will take into account any intellectual property ownership of the juristic entity.”
It therefore appears that the Government has now taken a follow up action on the recommendations of the Sri Krishna Committee by constituting the Kris Goplakrishna Committee.
However, if we look at the “Terms of Reference”, it indicates that the notification refers to “Non Personal Data” and not “Personal Data”.
We understand that “Personal Data” becomes “Non Personal Data” through a process of “Anonymization”. It is the aggregation of this anonymized data that creates the Big Data business of Google Maps et al.
What the SriKrishna Committee was concerned was the “Identifiable nature of the shared personal data which becomes the aggregated identifiable personal data of a group” and suggested that the “Privacy laws” should grow up from protection of “Individually identifiable personal information” to “Individual group identifiable activity information”.
It appeared that the intention of Justice Srikrishna was, just like we identify the “Right of an Individual to Privacy”, we should identify the “Right of the Family Group” or the “Larger community” to be able to protect the “Community Privacy”.
This concept of “Community Privacy” is not what the current regulations of “Privacy” as a fundamental right of an individual can address. Hence a separate legislative framework was suggested.
It appears that the Terms of Reference does not capture this intention correctly.
Inadequacy of the Constitution of the Committee
It may be noted that the point raised by Justice SriKrishna is a complex legal issue which requires a careful accommodation of the Puttaswamy Judgement as well as the provisions of PDPA. It is not simply a “Technology or Business Promotion Issue” though the stake of business is involved.
Hence, the constitution of the committee as if the issue is one of the Big Data Industry by having only business interests represented there in is not considered correct.
It must be noted that PDPA had a serious opposition from NASSCOM as regards the “Data Localization” aspect and the objection was serious enough for its proxy member in the SriKrishna Committee (DSCI) to record a dissenting note in the report itself. NASSCOM will now have an influence on this committee’s report and will definitely reflect the business interests of MNCs.
The committee also includes of the secretary of DPIIT, another industry representative from Avanti Finance (the board of which consists of Ratan Tata and Nandan Nilekani), a representative from IT for Change which is an NGO, Mr Kumaraguru, an academician, besides the representative from NIC and MeitY.
The Constitution of the committee therefore appears to be inadequate/inapprpriate considering the legal issues on which this new committee may trample with. Considering the involvement of business interests, it would not be surprising that it would reflect the Big Data industry view and could ignore the conflicts with the Privacy and Data Protection requirements. There could therefore be conflicts with the PDPA.
Theory of Dynamic Personal Data
It should be pointed out that we at Naavi.org had flagged this issue in March 2018 when introducing the “Theory of Dynamic Personal Data” There is a need for the industry observers to take a second look at the idea that was discussed here which was expanded in some of the later articles on GDPR. The theory as propounded may be raw but it has an idea that is relevant to the “Community Privacy” issue that was raised by Justice SriKrishna.
We will highlight some of the issues in our subsequent articles in this series. Watch out for more on this topic here.