This Time, It’s (No Longer) Personal: NPD in the DPB
In December 2021, the Joint Parliamentary Committee changed the name of India’s privacy bill from the Personal Data Protection Bill (PDPB) to the Data Protection Bill (DPB) now that the Bill seeks to protect non-personal data, along with personal data.
Non-personal data (NPD) is data that does not contain personally identifiable information (PII), or, as the DPB defines it, “data other than personal data.” Forms of NPD include public NPD (i.e. anonymized data of vehicle registration), community NPD (i.e. datasets from public utility companies), and private NPD (i.e. data created or collected from private systems).
It seems collecting NPD would be harmless since it does not explicitly reveal sensitive information. However, “it is impossible to distinguish between personal data and non-personal data, when mass data is collected or transported.” This is in part due to anonymized personal data being included in NPD, which can lead to individuals being reidentified. The current version of the DPB aims to protect NPD. Below are the pros and cons of incorporating NPD into the DPB:
Pros:
· Far reaching consumer protections.
o Large volumes of NPD are taken from anonymized sets of personal data. By protecting all NPD, user data is extremely safeguarded.
o Sharing NPD.
· NPD can be shared in the interest of national security or legal requirements.
· NPD can be shared for an economic purpose like leveling playing fields.
· NPD can be shared for the public interest.
· The government can collect any non-personal data or anonymized personal data from data fiduciaries for creating policies surrounding the digital economy (Clause 91 of the DPB).
o Consumers can expect progressive privacy policies regarding security and prevention of misuse.
o A breach now includes PII and NPD.
· Uniformity.
o The DPB and the Data Protection Authority (DPA) will handle PII and NPD. This prevents potential confusion of having multiple laws and agencies dictate different types of data.
· Innovation.
o All entities have access to metadata of data that businesses and the government have collected.
o Companies’ shared data will promote innovative ideas by making previously private information public.
Cons:
· Anonymized personal data
o The process of anonymizing data is not perfect and could subject individuals to being reidentified if the “anonymous” personal data contains identifiers to whom the personal data belongs.
· Examples of reidentifying information include health data, caste data, tribe data, and other sensitive personal data.
· Mandatory NPD sharing (Clause 91 of the DPB).
o Non-personal data may include propriety business information, which could compromise business plans, strategies, and investments.
o Law enforcement using NPD poses a privacy risk to individuals if the data can subject individuals to reidentification.
· India is unprepared to implement a NPD framework.
o There are too many gray areas and unknowns with NPD to implement it in the Bill. India’s privacy laws are not mature enough to create a non-personal data approach yet.
o Experts recommend considering NPD separately from PII.
· Vagueness.
o It is unclear what provisions of the DPB apply to non-personal data. If NPD is going to be incorporated in the DPB, clarifications need to be made.
o NPD’s definition can be seen as too broad.
o Nuances of PII and NPD regulations need to be considered separately.
Thank you to Sajai Singh and Ramakant Mohapatra for sharing their invaluable data privacy insights during iapp’s KnowledgeNet session and follow-up inquiries.
About Ardent Privacy
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.
For more information visit https://ardentprivacy.ai/and for more resources here.
Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.