We shall now take a few other comments made by Mr Kris Gopalakrishna as follows and try to derive an inference out them.
5.“I think our concept of privacy will go through a change because we are voluntarily disclosing whom we are because we want some service”.
6.“The understanding of data privacy would go through a change once the boundaries around data were clearly drawn, dispelling concerns about disclosing identity”
7.“Establishing policies around data, how industry must responsibly use your data and respect your privacy — today it’s not codified and hence the worry about disclosing your identity,”
I am not sure why Mr Kris says that “Establishing policies around data…is not codified today”. The PDPA does exactly address this issue (though it is in the process of being enacted). The Corporate responsibilities on what principles of collection and processing is to be followed and how the “Data Trust Score” has to be developed etc has been addressed by PDPA. We have to only get the law passed without delay and get the implementation process into action.
As regards the concerns about disclosing the identity, the concept of the data collector being a “Data Fiduciary” and exercising the responsibility of a trustee can address the concern to a large extent, much more than what GDPR has addressed in GDPR as the Data Controller’s responsibilities.
If therefore the KGC does not trample on the implementation process of PDPA, privacy governance in India through data protection would make substantial progress. If the DPA then takes control then the data protection regime can bring confidence to people concerned with their privacy.
Speaking on “Anonymity” Mr Kris has commented
8) “Globally, companies are looking at anonymising data — stripping data sets of personal attributes of individuals and gleaning meaningful inferences from the data points.”
This aspect has been addressed by PDPA both by declaring that Anonymization will make a personal data go out of the jurisdiction of PDPA and also criminalizing the re-identification where anonymized information may be re-identified.
The very definition of “Anonymization” is that it can never be re-identified, but under the concept of “Dynamic Data” and the “Corporate restructuring” as well as AI, no body can be certain that an anonymization process be 100% effective.
The failure of anonymization and consequential re-identification can be addressed under PDPA if properly implemented by hoisting vicarious liabilities on the inefficient anonymization as well as the re-identification.
Lastly, Mr Kris has reflected
9. “Unfortunately or fortunately, data, compared to all the previous eras — agriculture, manufacturing and IT or digital — where the economic value lay in physical goods, knows no national boundaries. It can be transmitted without friction. How does a nation create value on the data of its citizens? How does a nation protect the data of its citizens? These are the questions everyone is grappling with”
In this comment, Mr Kris has acknowledged the need for data sovereignty and the need for the country to consider aggregated personal data as an asset of the nation. It is precisely this concept which is in conflict with commercial exploitation and the committee has to show how it will ensure that the national interests are not compromised.
Partially the PDPA will address this issue. KGC will however need to ensure that any of its recommendations donot provide loopholes for commercial establishments to take out the benefits of Indian personal data out of the country. If they are allowed, this will be considered as “Data Laundering” or “Data havala” similar to money laundering and havala.
If this committee can find a Data Governance framework that can prevent the TransUnion type of data heist, then it will be a great achievement. Let us hope the committee would be able to reach this goal.