Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-5

(This is a continuation of the previous article)

Data Business

The Kris Gopalakrishna Committee (KGC) has defined a new line of business activity called “Data Business”. It has also suggested a new regulatory authority and a comprehensive regulation on the collection, storage, processing and management of data.

This proposition is a highly significant recommendation that could be a game changer in the industry.

While the Personal Data Protection Act itself is a gold mine of opportunity, yet to be realised, the Data Business suggested by KGC will be another major development that holds a lot of promise for those business entities which have the right long term vision.

To put it simply, while every business uses data for its internal purposes, over a period some companies acquire so much data that data management itself becomes a business opportunity, and the law recognizes it as a business to be regulated.

KGC recommends that entities that process large quantities of data have to be recognized as being in “Data Business” irrespective of their core business. At this stage KGC recommends that the “Data Business” should be regulated separately by a regulator, with regulatory measures covering the collection, storage, processing and sharing of data, on the lines of what the personal data protection act does for Personal Data.

We can therefore expect a mirror image of the PDPA in the form of “Data Governance Act” (DGA) which regulates the “Non Personal Data”.

This business will be an independent industry sector that cuts across the different industry sectors regulated by sectoral regulators.

“Data Business Discovery” will be an important milestone for industries, at which they will be required to register with the regulator and become compliant with the law.

The idea suggests that “Companies who are today not recognized as either a Personal Data Company or even an IT Company may suddenly find themselves as a Data Business company” and would be subjected to new regulations.

Some of the “Data Business Companies” may also be “Personal Data Fiduciaries/Processors” under the PDPA.

Such companies may simultaneously also be “Non Personal Data Fiduciaries/Processors”.

In such cases, the Company will have one set of regulations under the PDPA managed by a Data Protection Officer (DPO) and another set of regulations under the DGA managed by a Data Governance Officer (DGO).

We will therefore have DPOs and DGOs as new designations for professionals in many companies.

While DPOs will have more people from the IT/IS background, DGOs will have more from management (MBA) backgrounds, who have to manage data as an asset and, after handing over Personal Data to the custody of the DPO, manage the Non Personal Data for the company’s benefit under the new regulation.

Just as some CEOs were feeling relieved after appointing a DPO and entrusting him with the responsibilities of Personal Data Protection, they are suddenly confronted with a Data Governance Act which needs to be managed by a DGO, failing which there could be adverse consequences.

At this time we do not know what the compliance requirements and the consequences of non compliance would be, but we can definitely expect that the regulations will have teeth of their own for industries to contend with.

The Data Business companies will be required to share some data with the Government and negotiate with the Government on whether any price can be obtained for it. IoT companies and service organizations in Smart City projects will have a wealth of data which can be packaged and converted into value products.

AI and Big Data companies will have to contend with the regulatory measures that may define the do’s and don’ts and make the industry interesting.

The ISPs and MSPs will be another set of companies that will be prominent players in the “Data Business”, holding collections of “Meta Data” that would be considered “Non Personal Data”.

Technology people will have a lot of work in Differential Privacy and Anonymization, with the related professional opportunities.

All in all the concept of “Data Business” is exciting and we look forward to a new world of opportunities opening up.

(To Be Continued)

Naavi


Posted in Cyber Law

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-4

(This is a continuation of the previous article)

Ownership of Data

KGC has articulated a legal basis for establishing rights over “Data”.

Apart from recognizing the “Data Sovereignty” concept, under which the State has a primary right of ownership over assets collected in/from India, which applies to Non Personal Data (NPD) also, the KGC has stated that the term “Ownership” holds full meaning only in terms of physical assets; in respect of knowledge and data, it should be applied to the set of primary “Economic” and “Statutory” rights over the intangible asset. Hence the notion of “Beneficial Ownership/Interest” has been adopted by the Committee as regards NPD.

As a result the committee recommends that

a) In the case of Non Personal Data derived from the personal data of an individual, the data principal for the personal data will continue to be the data principal of the NPD, which should be utilized in the best interest of that individual.

b) The rights over community Non Personal Data collected in India should vest with the trustee of that data community, with the community being the beneficial owner, and such data should be utilized in the best interest of that community.

This recommendation will create a slight conflict of concept, since NPD which is “Anonymized” is not “Personal Data”, and there is no way it can be, or should be, linked to the Data Principal, whether for his benefit or not.

The process of anonymization should cut the umbilical cord between the Data Principal’s identity associated with the data and the anonymized data set should be left free to be harnessed by the industry. Any attempt to link it with the beneficiary will defeat the very purpose of anonymization.

Separately, speaking about Community NPD, the KGC recommends that the benefits accrue not only to the organizations that collect such data but also, equally, to the community that typically produces the raw/factual data that is being captured. Accordingly the committee suggests that such data (Community NPD) may be shared in instances where there are defined grounds or purposes for sharing NPD with Citizens, Startups, Indian companies, Government etc.

KGC also highlights the role of the Data Trustee in ensuring that the community interests are protected.

In the light of the above, KGC has placed the recommendation that

a) Data derived from public efforts should be considered as national resource.

b) Sharing of data benefits should be recognized among multiple parties.

c) Legal basis should be established to enable collection and use of community data by private data custodians or public organisations.

d) Raw/factual data sets comprising anonymised user-information data collected by private data custodians like telecom/ecommerce operators may be considered as community data

e) raw data should be maintained under an open, license-free standard

f) There must be appropriate incentives to recognize and reward collectors of community data

g) As the processing value-add over the raw data increases, appropriate mechanisms may be leveraged for data sharing. (P.S: Here the recommendation appears to be closely aligned with the concept of the “Additive value hypothesis” discussed in Naavi’s theory of data.)

(To Be Continued)

Naavi



Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-3

(This is a continuation of the previous article)

Key Roles

As a means of developing a robust Non Personal Data eco-system, KGC recommends a set of roles/stake-holders and data infrastructures.

The Key roles defined as per the recommendation are

    1. Data Principal
    2. Data Custodian
    3. Data Trustees
    4. Data Trusts

Data Principal

KGC recognizes that in the case of Personal Data, the term Data Principal refers to a natural person only. But in the context of Non Personal Data, it uses the term in relation to the type of NPD (Public, Community and Private data) as well as the different possible kinds of subjects of data.

Accordingly, Government, Companies and organizations can also be considered as “Data Principals” under the NPD regulation.

Data Custodian

A Data Custodian is an entity that undertakes the collection, storage, processing, use etc. of data in a manner that is in the best interest of the data principal.

The KGC considers the Data Custodian as a “Data Fiduciary of NPD” and emphasizes the “Duty of Care” that is expected from the Custodian in the interest of the Data Principal.

This recommendation seals the interpretation of the term “Data Fiduciary” even in the PDPB by inference.

It is expected that the regulation will define the framework for collection and processing of NPD on the lines of “Notice”, “Consent”, “Obligations”, “Compliance”, etc. In a way this may translate into a law similar to the PDPB but related to NPD.

Data Trustees

KGC has also picked up another concept used in PDPB namely the “Consent manager” and envisages a role for a “Data Trustee” who will assist the Data Principals to exercise their rights.

KGC leaves it to the detailed regulation to determine who will exercise the rights to constitute and appoint a Data Trustee to represent a group.

KGC also recognizes the need for mandatory data sharing in certain instances, as envisaged under Section 91 of the PDPB.

Data Trusts

In addition to Data Trustees, an institutional structure identified as a “Data Trust”, comprising specific rules and protocols for containing and sharing a given set of data, is also recommended.

While Data Trustees are appointed by Data Principals, Data Trusts may be managed by public authorities constituted by the Government, with which Data Principals may voluntarily share data.

Though the terms “Data Principal”, “Data Trust” and “Data Trustees” have the potential for confusion, and alternate terminologies could be considered, the concepts are interesting and capture the needs of the eco-system.

(To Be Continued)

Naavi


Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-2

(This is a continuation of the previous article)

The Kris Gopalakrishna Committee (KGC) considers that data is valuable and must be regulated in an appropriate manner, for which a clear definition of Non-Personal Data (NPD) and of the key roles in the NPD eco-system must be articulated.

Definition of Non Personal Data

The KGC has identified that Data can be categorized in many different ways

Category I: Personal Data

a) Arising from the subject of data

b) In relation to its purpose

c) Sector to which it belongs

d) Level of processing

e) Based on the extent of involvement of stakeholders

Category II: Non Personal Data

Non Personal Data where data is not “Personal Data” as defined under the PDPB/PDPA

Category III: Non Personal data according to Origin

a) Data that never related to an identified or identifiable natural person

b) Data which were initially personal data but were later made anonymous

Category IV: Different types of Anonymous Data

Based on the types of anonymization techniques

Considering the need to have a clear single definition of Non Personal Data (NPD), the Committee has recommended three kinds of NPD

  1. Public NPD
  2. Community NPD
  3. Private NPD

The Committee has also further categorized NPD into

a) Non-Sensitive NPD

b) Sensitive NPD

i) relating to national security or strategic interests

ii) related to sensitivity of business and confidentiality

iii) Anonymous data bearing the risk of re-identification

Public NPD consists of data such as data generated by the Government, excluding data which has been afforded confidential treatment under law, and includes land records, public health information, vehicle registration data etc.

Community NPD consists of data generated by any group of people bound by common interests and purposes, including anonymised personal data, electricity usage, telephone usage etc., excluding derived insights (profiling).

Private NPD includes inferred or derived data, global data sets pertaining to non-Indians etc.

It is interesting to note that the KGC brought the concept of “Sensitivity” to Non Personal Data also, to take care of data that is related to national security and strategic interests, data bearing the risk of collective harm to a group, etc.

KGC also recognized the limitations of Anonymization techniques and flagged the possibility of re-identification of anonymized data by classifying such data as “Sensitive NPD”.
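The re-identification risk that the Committee places in the “Sensitive NPD” bucket is easy to demonstrate. The following is an added example (not code from the KGC report or from Naavi.org): a constructed “anonymised” usage data set with the direct identifiers stripped but the quasi-identifiers (PIN code, birth year, sex) retained, an equally constructed public auxiliary list, a k-anonymity check, a linkage attack that re-identifies every record that is alone in its quasi-identifier class, and a generalisation step that closes the gap. The column names, the k threshold of 2 and the mapping of “k below threshold” to the Committee’s “Sensitive NPD” label are all assumptions made for illustration.

```python
"""Re-identification risk check for an "anonymised" data set.

Added illustration; not the KGC's or Naavi's code. Column names,
threshold and sample rows are assumptions / constructed data.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed "anonymised" electricity-usage records: names and phone
# numbers removed, quasi-identifiers kept (assumed column set).
ANONYMISED: List[Dict] = [
    {"pin": "560001", "birth_year": 1984, "sex": "F", "usage_kwh": 312},
    {"pin": "560001", "birth_year": 1984, "sex": "F", "usage_kwh": 298},
    {"pin": "560002", "birth_year": 1988, "sex": "M", "usage_kwh": 540},
    {"pin": "560003", "birth_year": 1990, "sex": "M", "usage_kwh": 120},
    {"pin": "560003", "birth_year": 1990, "sex": "M", "usage_kwh": 133},
    {"pin": "560003", "birth_year": 1990, "sex": "M", "usage_kwh": 141},
]

# Constructed auxiliary data an attacker could hold (a directory, a
# voter roll, a leaked customer list). Names are fictitious.
AUXILIARY: List[Dict] = [
    {"name": "A. Rao",   "pin": "560002", "birth_year": 1988, "sex": "M"},
    {"name": "B. Singh", "pin": "560001", "birth_year": 1984, "sex": "F"},
    {"name": "C. Iyer",  "pin": "560003", "birth_year": 1990, "sex": "M"},
]

QUASI_IDENTIFIERS: Tuple[str, ...] = ("pin", "birth_year", "sex")
K_THRESHOLD = 2  # assumed policy: a class of size 1 is singled out


def qi_key(row: Dict, qi: Tuple[str, ...] = QUASI_IDENTIFIERS) -> Tuple:
    """Tuple of quasi-identifier values used to group and to join rows."""
    return tuple(row[c] for c in qi)


def equivalence_classes(rows: Iterable[Dict], qi=QUASI_IDENTIFIERS) -> Counter:
    """Count how many rows share each quasi-identifier combination."""
    return Counter(qi_key(r, qi) for r in rows)


def k_anonymity(rows: Iterable[Dict], qi=QUASI_IDENTIFIERS) -> int:
    """Smallest equivalence class; k == 1 means some record stands alone."""
    return min(equivalence_classes(rows, qi).values())


def reidentify(anon_rows: List[Dict], aux_rows: List[Dict],
               qi=QUASI_IDENTIFIERS) -> Dict[str, Dict]:
    """Linkage attack: join the two sets on the quasi-identifiers.

    A join hit is a confident re-identification only when the anonymised
    class has exactly one member; larger classes leave ambiguity.
    Returns {name: anonymised_row} for every record singled out.
    """
    classes = equivalence_classes(anon_rows, qi)
    aux_index = {qi_key(r, qi): r["name"] for r in aux_rows}
    hits: Dict[str, Dict] = {}
    for row in anon_rows:
        key = qi_key(row, qi)
        if classes[key] == 1 and key in aux_index:
            hits[aux_index[key]] = row
    return hits


def generalise(rows: Iterable[Dict]) -> List[Dict]:
    """Coarsen the quasi-identifiers: PIN to a 3-digit prefix, birth
    year to a decade, sex suppressed. Other columns are left untouched."""
    out = []
    for r in rows:
        g = dict(r)
        g["pin"] = r["pin"][:3] + "XXX"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        g["sex"] = "*"
        out.append(g)
    return out


def risk_class(rows: List[Dict], k_threshold: int = K_THRESHOLD) -> str:
    """Assumed mapping of the re-identification criterion alone onto the
    Committee's sensitivity split (other Sensitive NPD grounds ignored)."""
    if k_anonymity(rows) < k_threshold:
        return "Sensitive NPD"
    return "Non-Sensitive NPD"


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(ANONYMISED))
    print("singled out:", reidentify(ANONYMISED, AUXILIARY))
    safer = generalise(ANONYMISED)
    print("k after generalisation:", k_anonymity(safer))
    print("singled out after:", reidentify(safer, generalise(AUXILIARY)))
    print(risk_class(ANONYMISED), "->", risk_class(safer))
```

Two points the run makes concrete. First, stripping names is not anonymisation: the lone 560002/1988/M record joins straight to a name in the auxiliary list and reveals that person’s usage, which is exactly the case the Committee wants treated as Sensitive NPD. Second, the defence is applied to the data set, not to the data principal: once the quasi-identifiers are generalised the smallest class has three members and the same attack, even with the auxiliary list generalised the same way, no longer singles anyone out, so nothing links back to an individual.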

KGC recommends

“that Non-Personal Data inherits the sensitivity characteristic of the underlying Personal Data from which the Non-Personal Data is derived”

In the light of the above, KGC recommends that

Consent should be obtained from data principals even for “Anonymisation”.

This suggestion may be incorporated in the PDPB. Even if the PDPB does not consider it necessary to add this in the current version and leaves it to the new act that may be drafted for the regulation of NPD, it would be adopted as one of the implementation specifications under the PDPSI (Personal Data Protection Standard of India).

(…Continued)


Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-1

The Kris Gopalakrishna Committee (KGC) has released its report on “Data Governance” which is available for public comments till August 13. The report is a rich collection of thoughts that need some churning before recommendations can be formulated.

Many legal experts have objected to Section 91 of the PDPB, which empowers the Government to frame any policy for the digital economy involving non personal data. Elaborate and erudite arguments have been made on why this is “Unconstitutional”. However, these are not relevant, since Personal Data and Non Personal Data are two sides of the same coin: if one side of the coin is heads, the other side is tails. Regulation of, or exemptions under, the Personal Data Protection Act automatically create non personal data, and hence the regulation of personal data is intertwined with the regulation of non personal data.

Personal Data regulation through the PDPB tries to maintain a distance from Non Personal Data by defining “Personal Data” and thereby defining “Non Personal Data”. It also exempts “Anonymized Data” and “Data that does not contain the identity of a natural person” from its regulations and leaves them open for further regulation.

Now that the regulation of Non Personal Data may come forth separately, as recommended by the KGC, with a new regulator, there is a need for the new regulation to also make efforts to keep a distance from the PDPB.

The KGC report is not the law, but at some points it makes more comments on the regulation of Personal Data than necessary, which needs to be avoided when the new law is contemplated. If the legal experts who are objecting to Section 91 of the PDPB have any logical reason for their objections, then they may also have objections to the KGC for the same reason.

However, for practical reasons, we need to note that KGC has made a distinct recommendation that there needs to be harmony not only between the Personal and Non Personal Data Regulations but also with the Competition Act.

The PDPB has recognized data as

  1. General Unclassified Data
  2. Personal Data (of Natural Persons)
  3. Sensitive Personal Data
  4. Critical Data and
  5. Minor’s Personal Data

The profiling data which consists of interpretations of personal data is also considered equivalent to raw personal data for regulation.

General Unclassified Data, which is defined as whatever is not Personal Data, includes

a) Data of Companies and organizations which are not natural persons

b) May include personal data of deceased persons

c) Anonymized Personal Data

d) Aggregated data which may be classified as Community data

e) Data about observations of the surroundings of a non personal nature, such as weather data.

Some types of data, such as “Personal Data generated between two individuals during a transaction” (a telephone conversation) or “Group Data” (a group photo, CCTV footage of a public space etc.), present challenges in classification as “personal data” which may be controversial despite some interpretations available in the GDPR scenario.

For example, a telephone conversation raises the issue of determining who has the right to share the conversation, since both parties have created the conversation as a “Transaction”.

Similarly a Group Photo is a “Group Transaction” and the right to share may have to be recognized for all the group members.

In the case of CCTV footage, the camera captures the pictures but does not identify the people, and hence the footage is “Unidentified to an individual”. However, at the back end the data can be processed to identify the persons using a face recognition feature, or by the observer bringing his personal knowledge to the evaluation of what the data means. This means that the footage is essentially “Anonymous” or “Identity independent”, and the identity gets added during the back end processing.

Some of these challenges were sought to be brought to better clarity when the undersigned proposed the “Theory of Data”, wherein three hypotheses were postulated, namely

a) Data is created by technology but interpreted by humans

b) Data exists in different avatars as it passes through a “Reversible life cycle”

c) Data ownership is additive as data moves through the life cycle.

(See articles on the topic here)

A question had been raised at that time whether the Personal Data Protection Act and the definitions used therein would be compatible with this theory.

Now the KGC has come up with a much more complex categorization of Data, and it is interesting to look at it and also evaluate it against Naavi’s theory of data before we dive deeper into the recommendations of the KGC.

(To Be continued…)

Naavi


Why the Standard Contractual Clauses of GDPR are disturbing

Consequent to the EU Court’s decision to reject the US Privacy Shield, the EU has expressed its lack of confidence in the ability of the US state to monitor the Privacy Shield without adversely affecting the Privacy rights of EU Citizens. It has also not allowed the US Government to specify the checks and balances it wants to establish in good faith to protect the Privacy rights of EU citizens, nor entered into a negotiation on due process.

Instead, the EU Court has objected to the powers of the US intelligence agencies to demand personal data from US based Data Controllers or Data Processors having access to EU data subjects’ personal data. As a result, even if the US authorities want the data in connection with national security requirements, it would be considered unacceptable. The appointment of the Privacy Shield Ombudsperson and his/her reporting to the Secretary of State is also not acceptable to the EU.

It is ironic that in June 2019, when Mr Keith Krach was confirmed by the US Senate to become the first permanent Privacy Shield Ombudsperson, the EDPB had praised the appointment.

But the decision of the EU Court now means that this appointment cannot be trusted to protect EU Citizens’ privacy. In other words, the Court is suggesting that the Privacy of the EU Citizen supersedes the power of the US President and the Senate and the responsibilities they can be trusted with.

It appears that the EU Court has, by this decision, gone beyond its jurisdictional limits and is expressing a view on a sovereign foreign Government and its functioning. It is expressing distrust of the Government machinery that the whole world has to trust with the nuclear button.

This decision means that EU businesses need to abide by this ruling and enforce the Standard Contractual Clauses.

I am reminded of the recent Chinese Law on Hong Kong, which is reported to also state that “China has a power to prosecute Non Hong Kong Citizens”. Just as China is using Hong Kong as an excuse to establish its extra territorial jurisdiction, the EU Court is trying to establish its hegemony over non EU sovereign states.

There is a need for other Governments, including India, to wake up to this development and protect their own rights.

In the light of this development, it is most unlikely that the Indian DPA will ever be acceptable to the EU, and “Adequacy” status for India under GDPR is out of the question.

Standard Contractual Clauses are equally problematic

In the coming days, therefore, we will focus more on the Standard Contractual Clauses (SCC), and look at some of the provisions of the SCC which to my mind appear objectionable.

Following is an extract from one of the recommended SCC documents, meant for the transfer of personal data to data processors. (This is a 2010 document which the EU has not been able to update for GDPR but has accepted as also applicable under GDPR.)

  1. Data Subject can enforce rights against the Data Importer

The Data Subject in this context is an EU citizen, and the Data Importer is a company or individual who is a citizen subject to the laws of a third country like India or the US, which are sovereign countries.

The SCC says

“The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.”

This means that when there is a default (read as fraudulent disappearance) by the EU’s Data Controller, the responsibility and liability shift to the citizen of the third country.

Obligations of the Data Importer

The obligations mentioned here as Clause 5(a) to (e) and (g) include not only the obligation to maintain technical and organisational security measures, but also cover data breach notifications, rights of access, disclosure of sub-processing contracts, disclosure to law enforcement authorities etc.

It also provides an acceptance that the EU Data Subject can bring a claim for compensation in the EU Country’s jurisdiction under the laws of that country. This also has to be extended to the sub-processors.

It is clear that these SCC provisions do not respect the fact that the data importer is a citizen of another country and is bound to comply with the laws of that country. He does not have a right to abdicate his responsibility to the local Government and Constitution through a business contract, though the economic power of the data exporter may force the data importer to sign on the dotted line and use his own economic power to make his sub-processors also sign on the dotted line.

These contracts cannot be considered as contracts entered into through “Free Will”.

Indian PDPA

The Indian PDPA, as envisaged under the current Bill, has one provision (Section 37) that tries to keep the processing of personal data of foreign citizens under a data processing contract separate from the obligations of the Indian law.

It appears that Section 37 of the Indian PDPB is reminding the EU that it is perhaps presuming it can lord over the world through the GDPR.

When India was discussing the framing of its law and the Justice Srikrishna committee visited Bangalore, the undersigned had raised the need for the Indian law to protect the interests of Indian companies from the unreasonable demands of GDPR-like laws.

These were discussed in the article “Data Protection Law in India… Three Big Ideas…. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights”.

Out of these suggestions, the suggestion of a “Data Trust” was adopted in the concept of the “Consent Manager” under the PDPB, and may also be used in the Non Personal Data governance suggested by the Kris Gopalakrishna Committee report.

The other two ideas namely the Jurisdictional Umbrella and Reciprocal Enforcement Rights have not yet been included in our law and assume more relevance now after seeing the attitude of the EU Court in respect of the Privacy Shield.

I had suggested

“….However, when it comes to enforcement of the rights of any foreign agency including private citizens as well as GDPR authorities or even the Contractual beneficiaries abroad, on any Indian Citizen or Indian Data Controller or Data Processor, it should be mandatory that the dispute is resolved only with the involvement of the Indian Data Protection Authority.

Indian Data Protection Authority shall be the sole adjudicating authority for all disputes in which an Indian Citizen or an Indian Corporate or an Indian Government agency is a party.”

It had also been suggested that

“Recognition of any data protection law of any country outside India shall be only on a reciprocal basis where equal rights are available from the other country which may include

a) Enforcement of the privacy rights of an Indian Citizen or a Company in the foreign jurisdiction

b) Enforcement of penalty of any description on an Indian Citizen or a Company vis a vis similar rights for the Indian companies or individuals on the foreign citizens and companies.”

I wish the JPC on the Personal Data Protection Bill would keep these suggestions in mind, so that the DPA is given enough powers to ensure that India can enforce its Data Protection Law for the protection of the Privacy of its citizens in such a manner that the EU or any other country using their economic clout do not try to create a “Data Colony” in India.

Naavi

PS: All opinions expressed at Naavi.org are the personal opinions of Naavi
