
Non-Personal Data Governance Framework, 2020

The realm of the internet has become an information powerhouse and data has become the new endowment of resources that governments and corporate entities are eager to tap into. The transformation in the digital environment and the emergence of information-intensive services has made data a necessary raw material for most undertakings.

Reports suggest that in 2019, every minute, Instagram was flooded with 277,000 stories, Google had 4.4 million searches and Uber had over 9700 rides. Today, data is an asset to various businesses and holds importance in investments, mergers and acquisitions, and/or direct monetization.

 

While the discussion on ‘personal data’ has been revolving around privacy and security concerns, non-personal data is being eyed as an economic opportunity to augment public or private interest which must not be squandered. Considering the value proposition attributed to non-personal data, its legal treatment was sought to be dealt with separately from ‘personal data’, which would be governed by the Personal Data Protection Bill, 2019 that is on the brink of finalization.

 

Consequently, an Expert Committee (“Committee”) was constituted by the Ministry of Electronics and Information Technology (“MeitY”) to study various issues relating to non-personal data. The Committee submitted its Report on Non-personal Data Governance Framework for comments from stakeholders in July 2020.

 

The report highlighted that data regulation is essential to utilize the maximum potential in data by realizing its economic, social, and public value. The need to regulate data stems from the imbalances in bargaining power between the companies that lead to the creation of data monopolies. Moreover, the privacy concerns revolving around the dilution of shared data must be tackled.

 

Non-Personal Data (“NPD”) is data that cannot be identified with a particular individual, for example, weather forecasts, traffic details, geospatial information, production processes, anonymized personal data, etc.

 

  1. Committee’s Proposal to Non-Personal Data Regulation

 

The NPD Governance Framework outlines norms for collection of data and data sharing by entities. The salient features of the proposed framework are:

 

  • The NPD framework provides key roles for all the participants such as Data Principal, Data Custodian, Data Trustees and Data Trusts.
  • Classification of NPD: Non-personal Data is further classified into Public NPD, Community NPD and Private NPD. Public NPD is NPD that is collected or generated by the government or by an agency of the government and includes data collected or generated in the course of execution of all publicly funded works (e.g. public health information, vehicle registration, etc.), excluding data that is explicitly declared confidential under the law. Community NPD is data about inanimate or animate phenomena relating to a particular community of natural persons (e.g. data collected by e-commerce platforms or by telecom). Private NPD is NPD collected or produced by non-governmental entities or persons.
  • Ownership of non-personal data: In cases wherein non-personal data is derived from the personal data of an individual, the data principal for the personal data will be the data principal for the NPD too. Further, the rights over the community NPD collected in India will vest in the trustee of such a community.
  • Sensitivity of NPD: The Committee has also defined a new concept of ‘sensitivity of NPD’, as NPD can also be sensitive from the perspective of: a) national security or strategic interests; b) sensitive or confidential information relating to businesses; and c) anonymized data that bears a risk of re-identification.
  • Data Businesses and data disclosures: There is also the creation of a new horizontal classification called ‘Data Business’, which applies when any existing business collects data beyond a threshold level. Such Data Businesses have to get themselves registered and furnish information on what they do/collect, their purpose, and the nature of data stored. However, registration of Data Businesses collecting data below the threshold is not mandatory.
  • Non-Personal Data Regulatory Authority: The NPD Regulatory Authority shall ensure that data is shared for sovereign, social and economic welfare, for regulatory and competition purposes, and also that all stakeholders adhere to the rules and data sharing requirements.
  2. Unanswered Questions: Shortcomings of the proposed Framework

 

Attempting to govern NPD is a commendable effort; however, a slew of questions are left unanswered. The following are the issues relating to the proposed framework:

 

  • The foremost need to govern NPD as highlighted by the Committee is the imbalance in the digital ecosystem. However, neither the sources of these imbalances have been identified or analysed nor has it been clarified how the proposed regulations resolve these inequities.
  • Ambiguous classification of NPD: The various types of NPD have a potential overlap, but then again, clearly demarcating a line between the three types would be a difficult task. Also, one of the three types of NPD is Community NPD; however, there is no clarification as to how the ‘community’ would be determined. The definition of ‘community’ is wide; under it, even religious groups, residents of the same locality or people with the same educational background would be a valid community, and these may have conflicting interests over data shared with the government. Further, without any guiding principles, companies will be forced to make legally binding decisions on what they deem to be a valid community, the scope of data to be shared and the resolution of competing claims, which is problematic at various levels. Moreover, there could be various interests in a particular dataset, and in such cases, who would be entrusted with the data remains ambiguous.
  • Anonymization of Personal Data to Non-Personal Data: The process of converting personal data into Non-Personal Data by removing certain identifiers or credentials is termed ‘anonymization’. Anonymization would undoubtedly convert a set of personal data into non-personal data, but such data runs the risk of re-identification. Further, although anonymization is essential, high anonymization could render the data over-generalized and futile.
  • Reactions of Stakeholders to the sharing of data: Mandatory data sharing is highly criticized by stakeholders, as it undermines the investments put in business and the value of intellectual property information the competitors would suffer. This ‘forced data sharing’ is counterproductive and would have a rather negative effect on foreign trade and investments. NPD can constitute trade secrets that may be protected by IP laws; sharing this data raises concerns around the right to carry on business and India’s obligations under international trade law. The purposes for data sharing under the framework are ‘sovereign’, ‘core public interest’, and ‘economic’ purposes, which essentially cover all the data held by companies, and must be narrowed down.
  • Lack of Clarity on who really are trustees of Data: There is ambiguity regarding who will be a data trustee. Whether private, for-profit organizations or private entities within the government could be data trustees is not apparent. Also, the position regarding a data trustee’s independence and conflict of interest remains murky. It is essential that the roles and functions of these bodies are comprehensively defined.
  • User-Consent: The NPD Framework also proposes that the consent of the user must be taken before the anonymization of data. It remains particularly unclear how that consent would be taken. Further, a company needs to invest resources to obtain user consent, and sharing data may provide no incentive to such companies and would drown them in losses.
  • Over-Regulation by Non-Personal Data Authority: Creating an altogether new authority for NPD would lead to potential regulatory overlap, given that the Data Protection Authority addresses and enforces privacy concerns and the Competition Commission of India looks over consumer welfare.
  3. Conclusion

This effort of the Ministry to set up a Committee to study NPD, which may subsequently lead to legislation governing NPD in India, is praiseworthy; however, a lot of issues need reconsideration. Stakeholders have expressed anguish over the mandatory sharing of data and data disclosures as it conveniently overlooks the humungous investments put in by the companies. Further, the roles and functions of various entities under the framework are not clearly defined. The NPDA established under the framework may have functional overlaps with the CCI and the Data Protection Authority.

 

Moreover, there is ambiguity regarding Community NPD and user consent. There is no doubt that the ever-evolving nature of information technology is demanding as far as regulatory mechanisms are concerned; therefore, the road ahead is arduous. Hopefully, the concerns raised are adequately addressed by the Committee and constructively resolved in favour of all the stakeholders.


Core Legal Issues with Artificial Intelligence in India

The adoption and penetration of Artificial Intelligence in our lives today does not necessitate any more enunciation or illustration. While the technology is still considered to be in its infancy by many, so profound has been its presence that we do not comprehend our reliance on it unless it is specifically pointed out. From Siri, Alexa to Amazon and Netflix, there is hardly any sector that has remained untouched by Artificial Intelligence.

Thus, the adoption of artificial intelligence is not the challenge but its ‘regulation’ is a slippery slope. Which leads us to questions such as whether we need to regulate artificial intelligence at all? If yes, do we need a separate regulatory framework or are the existing laws enough to regulate artificial intelligence technology?

Artificial intelligence goes beyond normal computer programs and technological functions by incorporating the intrinsic human ability to apply knowledge and skills and learning as well as improving with time. This makes them human-like. Since humans have rights and obligations, shouldn’t human-likes have them too?

But at this point in time, there have been no regulations or adjudications by the Courts acknowledging the legal status of artificial intelligence. Defining the legal status of AI machines would be the first cogent step in the framing of laws governing artificial intelligence and might even help with the application of existing laws.

A pertinent step in the direction of having a structured framework was taken by the Ministry of Industry and Commerce when they set up an 18-member task force in 2017 to highlight and address the concerns and challenges in the adoption of artificial intelligence and facilitate the growth of such technology in India. The Task Force came up with a report in March 2018[1] in which they provided recommendations for the steps to be taken in the formulation of a policy.

The Report identified ten sectors which have the greatest potential to benefit from the adoption of artificial intelligence and also cater to the development of artificial intelligence-based technologies. The report also highlighted the major challenges which the implementation of artificial intelligence might face when done on a large scale, namely (i) Encouraging data collection, archiving and availability with adequate safeguards, possibly via data marketplaces/exchanges; (ii) Ensuring data security, protection, privacy and ethical use via regulatory and technological frameworks; (iii) Digitization of systems and processes with IoT systems whilst providing adequate protection from cyber-attacks; and (iv) Deployment of autonomous products and mitigation of impact on employment and safety.[2]

The Task Force also suggested setting up of an “Inter–Ministerial National Artificial Intelligence Mission”, for a period of 5 years, with funding of around INR 1200 Crores, to act as a nodal agency to coordinate all AI-related activities in India.

 

Core Legal Issues

When we look at the adoption of artificial intelligence from a legal and regulatory point of view, the main issue we need to consider is whether the existing laws are sufficient to address the legal issues which might arise, or whether we need a new set of laws to regulate artificial intelligence technologies. Whilst certain aspects like intellectual property rights and the use of data to develop artificial intelligence might be covered under the existing laws, there are some legal issues which might need a new set of regulations to oversee artificial intelligence technology.

 

  • Liability of Artificial Intelligence

 

The current legal regime does not have a framework where a robot or an artificial intelligence program might be held liable or accountable in case a third party suffers any damage due to any act or omission by the program. For instance, let us consider a situation where a self-driven car controlled via an artificial intelligence program gets into an accident. How will the liability be apportioned in such a scenario?

The more complex the artificial intelligence program, the harder it will be to apply simple rules of liability on them. The issue of apportionment of liability will also arise when the cause of harm cannot be traced back to any human element, or where any act or omission by the artificial intelligence technology which has caused damage could have been avoided by human intervention.

One more instance where the current legal regime may not be able to help is where the artificial intelligence enters into a contractual obligation after negotiating the terms and conditions of the contract and subsequently there is a breach of contract.

In the judicial pronouncement of United States v Athlone Indus Inc[3] it was held by the court that since robots and artificial intelligence programs are not natural or legal persons, they cannot be held liable even if any devastating damage may be caused. This traditional rule may need reconsideration with the adoption of highly intelligent technology.

The pertinent legal question here is what kind of rules, regulations and laws will govern these situations and who is to decide it, where the fact is that artificial intelligence entities are not considered to be subject of law.[4]

 

  • Personhood of Artificial Intelligence Entities

 

From a legal point of view, personhood of an entity is an extremely important factor to assign rights and obligations. Personhood can either be natural or legal. Attribution of personhood is important from the point of view that it would help identify as to who would ultimately be bearing the consequences of an act or omission.

Artificial intelligence entities, to have any rights or obligations, should be assigned personhood to avoid any legal loopholes. “Electronic personhood”[5] could be attributed to such entities in situations where they interact independently with third parties and take autonomous decisions.

 

  • Protection of Privacy and Data

For the development of better artificial intelligence technologies, the free flow of data is crucial as it is the main fuel on which these technologies run. Thus, artificial intelligence technologies must be developed in such a way that they comply with the existing laws of privacy, confidentiality, anonymity and other data protection frameworks in place. There must be regulations which ensure that there is no misuse of personal data or security breach. There should be mechanisms that enable users to stop the processing of their personal data and to invoke the right to be forgotten. It further remains to be seen whether the current data protection/security obligations should be imposed on AI and other similar automated decision-making entities to preserve an individual’s right to privacy, which was declared a fundamental right by the Hon’ble Supreme Court in KS Puttaswamy & Anr. v Union of India and Ors[6]. This also calls for an all-inclusive data privacy regime which would apply to both the private and public sectors and would govern the protection of data, including data used in developing artificial intelligence. Similarly, surveillance laws would also need revisiting for circumstances which include the use of fingerprints or facial recognition through artificial intelligence and machine learning technologies.

At this point in time there are a lot of loose ends to be tied up like the rights and responsibilities of the person who controls the data for developing artificial intelligence or the rights of the data subjects whose data is being used to develop such technologies. The double-edged sword situation between development of artificial intelligence and the access of data for further additional purposes also needs to be deliberated upon.

Concluding Remarks

In this evolving world of technology with the capabilities of autonomous decision making, it is inevitable that the implementation of such technology will have legal implications. There is a need for a legal definition of artificial intelligence entities in judicial terms to ensure regulatory transparency. While addressing the legal issues, it is important that there is a balance between the protection of rights of individuals and the need to ensure consistent technological growth. Proper regulations would also ensure that broad ethical standards are adhered to. The established legal principles would not only help in the development of the sector but will also ensure that there are proper safeguards in place.


Bulk Data Sharing & Procedure Notification - A Data Breach?

In this digital era, data has become one of the most valuable assets to own. Elections have been won and international alliances have toppled because of support that could be garnered by utilizing data analytics. While heated debate surrounding data breaches by private entities baffles the world, at home, it is alleged that the Indian Government has monetized the sale of personal data of individuals, on the pretext of “public purposes”, under a notification released by the Ministry of Road Transport and Highways in March 2019 titled “Bulk Data Sharing & Procedure”.

In July 2019, a parliamentary debate pertaining to “sale of data” by the State was raised because the Government had provided access to databases containing driving license and vehicle registration details to private companies and Government entities and generated revenue out of them. The two databases of the Ministry of Road Transport and Highways, named Vahan and Sarathi, were under discussion. These databases contained details such as vehicle owners’ names, registration details, chassis number, engine number, and driving license related particulars of individuals. These details amount to personal information by which an individual could be identified (“Personal Data”).

The sale of data was pursuant to a notification released by the Ministry of Road Transport and Highways in March 2019 titled Bulk Data Sharing & Procedure, wherein a policy framework on the sale of bulk data relating to driving license and vehicle registration was introduced. Among other things, this writeup discusses whether such sale of Personal Data for revenue generation is acceptable in light of privacy as a fundamental right and the Data Protection Bill 2018, and whether such access constitutes a data breach.

 

Bulk Data Sharing & Procedure Notification 

The “Bulk Data Sharing & Procedure” notification by the Ministry of Road Transport and Highways states the purpose for which bulk data access would be provided:

“it is recognized that sharing this data for other purposes, in a controlled manner, can support the transport and automobile industry. The sharing of data will also help in service improvements and wider benefits to citizens & Government. In addition, it will also benefit the country’s economy”.

As per the notification, only entities that meet the eligibility criteria would be provided access to bulk data. The eligibility criteria are that an entity should be registered in India with at least 50% Indian ownership, such bulk data should be processed/stored in Servers/Data Centers in India, and the entity should have obtained a security pre-audit report from a CERT-In empanelled auditor. The bulk data access would be provided for a price.

Commercial organizations could have such data for an amount of INR 3 crores and educational institutions could have them for 5 lakhs.  As per the notification, the bulk data will be provided in encrypted form with restricted access.  Such entities would be restricted from any activity that would identify individuals using such data sets.  The entities would be required to follow certain protocols for data loss prevention, access controls, audit logs, security and vulnerability.  Violation of these protocols is punishable under the Information Technology Act, 2000. 

The Ministry of Road Transport and Highways has in accordance with this policy framework provided database access to 87 private companies and 32 government entities for a price of 65 crores resulting in Personal Data of all individuals being accessible to them.  The Data Principal (the individual whose information is in the database) has no knowledge or control over any use or misuse of his/her information.   

In any data protection framework worldwide, the Data Principal’s consent should be sought stating the purpose for which data ought to be used.  It is only pursuant to Data Principal’s consent that any information can be processed.  On the contrary, providing access to Personal Data to third party private companies without any consent of the Data Principal will keep them out of effective control.  This is against the basic principles of data protection. 

 

Proposed Legislation for Data Protection 

India is on the verge of a new Data Protection Act as the bill is being placed in the Parliament. The Data Protection Bill, 2018 contains certain provisions to address the above-mentioned issues. Section 5 of the Data Protection Bill states when personal data can be processed. Processing of Personal Data shall be allowed only for such purposes as are clear, specific, and lawful. Section 5 is extracted below:

  5. Purpose limitation— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.

Moreover, the relevant enactment regulating driving license and vehicle registration, i.e. the Motor Vehicle Act, does not explicitly permit the State to sell or provide third parties access to Personal Data for generation of revenue. Therefore, there is no clear, specific, or lawful indication of such access in the enactment. The question arises whether access to bulk Personal Data can be interpreted as an “incidental purpose” that the “data principal would reasonably expect”. The data principal has provided this information only for the purpose of grant of motor vehicle license and vehicle registration. The Data Principal ought not to have expected his/her data to be sold by the Government.

Section 13 of the Data Protection Bill is also of relevance here because it authorizes the State to process Personal Data for provision of services, benefit or issuance of certification, licenses or permits.  Section 13 is extracted below: 

Section 13 – Processing of personal data for functions of the State. — Personal data may be processed if such processing is necessary for exercise of the functions of the State authorised by law for: (a) the provision of any service or benefit to the data principal from the State. (b) the issuance of any certification, license, or permit for any action or activity of the data principal of the State.

 

By this section, the State is authorized to use Personal Data for grant of license or permits or to provide any benefit or service.  However, whether the State is authorized to give access to Personal Data to third party private companies is unclear. 

Section 17 of the Data Protection Bill tries to shed some light on this anomaly.  The section states that Personal Data may be processed for “reasonable purposes” after considering if there is any public interest involved in processing the same.  What constitutes reasonable purpose is yet to be specified by the Data Protection Authority to be constituted.  Section 17 is extracted hereunder: 

  17. Processing of data for reasonable purposes. —

(1) In addition to the grounds for processing contained in section 12 to section 16, personal data may be processed if such processing is necessary for such reasonable purposes as may be specified after taking into consideration—

(a) the interest of the data fiduciary in processing for that purpose; 

(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal; 

(c) any public interest in processing for that purpose; 

(d) the effect of the processing activity on the rights of the data principal; and 

(e) the reasonable expectations of the data principal having regard to the context of the processing. 

(2) For the purpose of sub-section (1), the Authority may specify reasonable purposes related to the following activities, including— 

(a) prevention and detection of any unlawful activity including fraud; 

(b) whistle blowing; 

(c) mergers and acquisitions; 

(d) network and information security; 

(e) credit scoring; 

(f) recovery of debt; 

(g) processing of publicly available personal data; 

(3) Where the Authority specifies a reasonable purpose under sub-section (1), it shall: (a) lay down such safeguards as may be appropriate to ensure the protection of the rights of data principals; and (b) determine where the provision of notice under section 8 would not apply having regard to whether such provision would substantially prejudice the relevant reasonable purpose. 

 

Section 17, therefore, clarifies that when there is any public interest involved, the State may provide access to publicly available personal data to third parties.  This read with Section 13 indicates that State is not required to get the consent of Data Principal in order to provide services and benefits.   

 

Whether the State has provided access to personal data for public interest or to provide services and benefits? 

The Bulk Data Sharing & Procedure notification states that the purpose of providing access to bulk Personal Data is to “support the transport and automobile industry” & “help in service improvements and wider benefits to citizens & Government”. Supporting the transport and automobile industry and improving services may qualify as public interest, whereas mere revenue generation will not. However, there is no clarification from the Government as to how the private companies to whom database access is being provided assist in public interest. Further, whether all driving license and registration related data can be classified as publicly available information is again contentious and questionable, as the information provided therein is intended to be provided only to license holders & vehicle owners and is partially masked.

In the event that this Personal Data is not construed as public data or these public companies have been given access to personal data in the absence of any public interest, it would result in a personal data breach by the Government Departments, where the head of Department will be held liable as per section 96 of the Data Protection Bill.

It is quite preposterous to note that on the one hand Data Protection Bill is being tabled in parliament and on the other, the Government is selling Personal Data of the general public for economic gains.  Whether it results in the exploitation of personal and private data on the pretext of public interest without an individual’s consent needs to be ascertained. 
