Does NPD Governance Framework give Government a backdoor into private companies
Ministry of Electronics and Information Technology (MEITY) had released a report 1 on the “Non-Personal Data Governance Framework” in July 2020 2. The report recommends the establishment of a Non-Personal Data Regulatory Authority with an enabling role as well as enforcing role. 2 Along with this, the report defines Non Personal Data as: 3
Non-personal data: When the data is not ‘personal data’ (as defined under the PDP Bill), or the data is without any personally identifiable information (PII). It could be:
- Data that never related to an identified or identifiable natural person, such as data on weather conditions, data from sensors installed on industrial machines, data from public infrastructures, etc., or
- Data that was initially personal data but was later made anonymous. “Data which are aggregated and to which certain data transformation techniques are applied, to the extent that individual specific events are no longer identifiable, can be qualified as anonymous data”.
Every tech company, which collects non-personal data would be obliged to register itself as a Data Business.
Access to non-personal data may be requested for three purposes, one of those being: 3
- Sovereign purposes such as national security, law enforcement, legal or regulatory purposes. These purposes could include mapping physical and cyber security vulnerabilities, mapping crime and taking preventive measures, a regulator wanting to stay abreast of developments in the sector, or national security (via telecommunications metadata, geospatial or financial data, etc.)
Putting two plus two together, it is easy to understand that this could mean that the government could get private tech companies to anonymize and give data collected of its users, that could be private in nature, and hand it to them. Another failure here is that it is clearly understood by the tech community that using metadata, it is often trivial to de-anonymize data. Now the scope and urgency of the matter is not specified. Neither is any recommendation given by the report to limit the usage of this under exceptional circumstances, or maybe atleast only when warranted by say the judiciary. Even though the report has mentioned the need of “adequate checks against abuse of power by government or other representative agencies” there is little emphasis on what these will be. This was even mentioned in the Medianama article on the concerns 6.
Here I would like to invoke the Iron Law of Data Collection, by Jon Snader 4, which states that no matter what the original rationale given for its collection new uses will be found for it and will eventually be abused.
DEA expresses an interest in providing its agents “ ‘unlimited access to patient de-identified data’ on re/filled prescriptions, daily supply, payment type, dosing information and gender, among other characteristics, until at least 2025.” 5
He gives a concrete example of how even anonymized data collected for the medical use is being appropriated by law enforcement and is going to be essentially abused.
Now the issue here is that, when unlimited and multi-genre data collected by private entities, lands into the laps of the government; how creative will our government be?