The nine-member committee set up by the Ministry of Electronics and Information Technology on a non-personal data (NPD) governance framework recently submitted its recommendations, which are open for public comment until August 13. The committee, chaired by Infosys co-founder Kris Gopalakrishnan, has made a commendable effort to rigorously define NPD, and suggested how it can be shared and monetised. It has recommended setting up a regulator with the powers to request data, supervise data-sharing requests, and settle disputes. However, several recommendations are open to question. The committee suggests the government should have access to all NPD, which it may use, disseminate, or sell, as it chooses. This has huge commercial implications, many of which are undesirable.
The committee also suggests the NPD regime should explicitly favour NPD access for Indian companies. This is consistent with India’s refusal to sign a G-20 treaty allowing cross-border data access and data-sharing between nations. But this stance has caused friction with trading partners, including the US, and it begs the question of how “Indian” companies are to be defined. The report defines all data collected without personal identifiers, or data anonymised by removing such personal identifiers, as NPD. It categorises NPD into three classes. The first is public data collected by the government like census data, health ministry records, and municipal records. The second is community NPD. This could, for example, be electricity consumption in a locality or eating habits in a neighbourhood. This category would also include telecom services data. The third category is anonymised sensitive personal NPD such as may be collected by a hospital. In all cases, data will be anonymised with personal identifiers removed. Companies which collect NPD will have to register with the government and make their data mandatorily available after anonymisation. They will also have to disclose how they collect such data and store it devoid of personal detail.
Once such a repository is created, data sets could be compared and mixed. This data could also be sold at market-related fees to private entities, according to a suggestion by Mr Gopalakrishnan. He estimates that this could create a $500-billion opportunity in the next five years. There are several issues with such a mandatory data regime. One is that NPD is often easily de-anonymised if tied to other data sets. For example, anonymised NPD data sets may be collected from food-delivery businesses, relating to eating habits in specific areas. If that NPD is tied to electoral rolls and telecom records, it can easily be de-anonymised and become identifiable personal data. The government already possesses vast sensitive personal data, which is not anonymised. If it also receives a huge number of NPD data sets, this could lead to de-anonymisation and loss of privacy on a vast scale.
There are commercial issues as well. Smart 21st century businesses depend on collecting and monetising data to generate revenue and profit. If that data is to be mandatorily handed over to the government, which can sell it to a rival, the business model is severely impacted. Moreover, if businesses must reveal methods of collection, anonymisation, and so on, the value of intellectual property is eroded. If implemented, this regime could retard both investment and innovation, and lead to caution on the part of investors. Such a system of mandatory data collection and nationalised data warehousing doesn’t exist anywhere and this recommendation needs rethinking.