Shri Kris Gopalakrishna, Co-Founder of Infosys who has been appointed the “Chairman” of the “Expert Committee on Data Governance Framework” with the terms of reference
a) To study various issues relating to Non Personal Data
b) To make specific suggestion for consideration of the Central Government on regulation of Non Personal Data
has provided some indication of what is in his mind on “Privacy” and “Data Protection” through is interview in ET From his interview we have culled out 9 statements on which we provide our comments.
The reason why we are taking up this for debate is that the views of the Chairman of the committee could influence the final outcome of its recommendations and hence it is necessary for data protection regulation watchers to understand his mindset.
The views and corresponding comments are as follows. These comments donot necessarily indicate any disagreements but try to clarify issues.
- “the broad strokes of data regulations lie in trying to leverage the economic value of data for the benefit of the citizens, not just for corporations, and protecting them from the vulnerabilities inherent in the digital era.
In the past, the broad strokes of “Data Protection regulation” was embedded in “Cyber Crime Prevention” legislations such as ITA 2000/8. It recognized “Data” as a valuable asset of the organization and companies do protect data in their own interests. But when an enterprise fails to protect data and apart from adversely affecting its own interest, adversely affects the interests of other persons, the law provided a remedy which included prosecution of company and its officials for negligence.
After the advent of strong data protection laws, the broad strokes of “Data Protection Regulation” leveraged the need of individual privacy protection. Hence GDPR prescribed stringent penalties that made the industry sit up and take notice of the compliance requirements. In India, PDPA was framed by Justice Srikrishna to provide a similar “Data Protection Governance Framework”.
These regulations kept a window open to accommodate the interests of the Data Analytics industry by accommodating “Legitimate Interest” and “Anonymization of Personal Data”.
Anonymized data was completely out of the Data protection regulation and “Re-identification of anonymized data” was a punishable offence/civil wrong in some of these regulations. Similarly, Corporate data was out of the purview of these legislation, though some ambiguities remained on “Employee Data” and “Business E-Mail”.
The “Data Governance Framework” of pre-data protection regulation era and also the “Anonymized and Non Personal Corporate Data” in the “Post-data protection regulation era” was dictated by frameworks such as the Information Security models of ISO.. In the post data protection regulation era, the GDPR/PDPA compliance framework assumed importance and supplemented the earlier ISO frameworks. Some of the ISO frameworks like ISO27001 voluntarily added ISO27701 like provisions as extensions so that it can assist companies for securing both corporate and personal data.
The PDPSI (Personal Data Protection Standard of India) as proposed by Naavi was a “Data Governance Framework for personal data and suggests a similar approach to Corporate/Non personal data.
Now the Kris Gopalakrishna Committee (KGC) on Data Governance Framework has flagged the “leveraging the economic value of data” for the benefit of the citizens. This “economic value” gets generated by the aggregation and derivation out of the individual data accumulated from different sources. If the source is “Anonymized pool” of personal data (Which may include the IoT data), the economic value of the aggregated data is what the Big Data industry is today exploiting.
The Justice Srikrishna committee however flagged a different type of data where one person provides an identified data under a consent but it automatically reveals the personal data of his family or community and on aggregation reveals certain value added behavioural information and raised a concern that this needs to be regulated.
It is not clear if KGK committee will restrict its recommendations to the processing of ” Anonymized personal data” only or “Identified community information” which relates to “Community Privacy”.
The views of Kris Gopalakrishna indicates that contributors of individual data should benefit by their contribution even when anonymized, and converted into value added data. This is the concern raised by Naavi in his article on Dynamic Data.
There is an IPR issue in the case of such value creation and whether the citizen can be provided a part of the benefit through a legislation and if so, how needs to be explored.