The Kris Gopalakrishna Committee (KGC) has released its report on “Data Governance” which is available for public comments till August 13. The report is a rich collection of thoughts that need some churning before recommendations can be formulated.
There are many legal experts who were objecting to Section 91 of the PDPB which empowered the Government to frame any policy for the digital economy involving non personal data. Elaborate but erudite arguments have been made on why this is “Unconstitutional”. However these are not relevant since Personal Data and Non Personal data are the two sides of the same coin and if I say this side of the coin is heads, the other side is Tails and hence regulation or exemptions under the Personal Data Protection Act automatically mean creation of non personal data and hence regulation of Personal data is intertwined with the regulation of non personal data.
Personal Data regulation through PDPB tries to maintain a distance with the Non Personal data by defining “Personal Data” and therefore defining “Non Personal Data”. It also exempts the “Anonymized Data” and “Data that does not contain the identity of a natural person” from its regulations and leaves it open for further regulation.
Now when the regulation for Non Personal Data may come forth separately as recommended by the KGC, with a new regulator, there is a need for the new regulation to also make efforts to keep a distance from PDPB.
The KGC report is not the law but at some points may make a more than necessary comments on the regulation of Personal Data which needs to be avoided when the new law is contemplated. If the legal experts who are objecting to Section 91 of PDPB have any logical reason for their objections, then they may also have objections on the KGC for the same reason.
However, for practical reasons, we need to note that KGC has made a distinct recommendation that there needs to be harmony between not only the Personal and Non Personal Data Regulations but also the Competition Act.
The PDPB has recognized data as
- General Unclassified Data
- Personal Data (of Natural Persons)
- Sensitive Personal Data
- Critical Data and
- Minor’s Personal Data
The profiling data which consists of interpretations of personal data is also considered equivalent to raw personal data for regulation.
The General Unclassified data which is defined by what is not a Personal data includes
a) Data of Companies and organizations which are not natural persons
b) May include personal data of deceased persons
c) Anonymized Personal Data
d) Aggregated data which may be classified as Community data
e) Data about the observations of the surroundings of non personal nature such as weather data.
Some types of data such as “Personal Data generated between two individuals during a transaction” such as a telephone conversation or “Group Data” such as a group photo, CCTV footage of a public space etc.
These data elements present some challenges in classification as “personal data” which may be controversial despite some interpretations available in GDPR scenario.
For example, a telephone conversation has an issue of determining who has a right to share the conversation since both parties have created the conversation as a “Transaction”.
Similarly a Group Photo is a “Group Transaction” and the right to share may have to be recognized for all the group members.
In the Case of CCTV footages, the camera captures the pictures but not identifies the people and hence the footage is “Unidentified to an individual”. However, at the back end the data can be processed to identify the persons using a face recognition feature or by the observer bringing his personal knowledge to the evaluation of what the data means. This means that the footage is essentially “Anonymous” or “Identity independent” and the identity gets added during the back end processing.
Some of these challenges were sought to be brought to better clarity when the undersigned proposed the “Theory of Data” where in three hypothesis were postulated namely
a) Data is created by technology but interpreted by humans
b) Data exists in different avatars as it passes through a “Reversible life cycle”
c) Data ownership is additive as data moves through the life cycle.
(See articles on the topic here)
A question had been raised at that time whether the Personal Data Protection Act and the definitions used there in would be compatible with this theory.
Now the KGC has come up with many more complex categorization of Data and it is interesting to look at these and also evaluate it with the Naavi’s theory of data before we dive deeper into the recommendations of the KGC.
(To Be continued…)
Naavi
A very good write up, gives a good insight on personal and non personal data regulations.