The inclusion of certain clauses related to non-personal data sets in the Personal Data Protection (PDP) Bill carries a very high risk of re-identification and may lead to legal complications for stakeholders, public policy experts and senior industry executives said.
“High value data-sets that have been created using personal data by anonymising it continue to carry risks with them. There is a very very clear danger of re-identification and that’s a danger that keeps compounding. It is not too much to claim that there is no anonymised data set that is permanently anonymised,” a senior industry executive, who did not wish to be named, said.
For instance, Section 91 of the latest version of the PDP Bill — which gives the central government powers to direct data fiduciaries and processors to grant access to all anonymised or non-personal data — runs a high risk of re-identification.
As technology, including mathematical algorithms, evolve and improve, the re-identification science will also get better, adding to the risk of de-anonymisation of the data-set, experts said.
“Anonymised data is often easily re-identified and it causes significant privacy harms. Establishing standards for anonymisation and providing more clarity on how various stakeholders will have to collect and store data to avoid regulatory arbitrage will help,” said Kazim Rizvi, founder of public policy group The Dialogue.
Apart from problems related to re-identification of anonymised data sets, another issue likely to crop up over time is that every time a new data set is released by companies and other stakeholders, it can be overlaid with previously available data sets, which then becomes becomes a pain point for privacy.
As and when such re-identification happens, companies would be held liable under the upcoming Data Protection Bill, thereby landing them in trouble for little to no fault of theirs. The lack of a clear definition of what constitutes non-personal data is another concern, experts said.
“The last draft that we saw in 2019 didn’t really give us any detail about what kind of non-personal data, the process the government will have to follow, whether there will have to be compensation, how consent and anonymisation will work. None of those things are dealt with. I think it largely leaves the framework for how that will happen in a subsidiary legislation,” Udbhav Tiwari, public policy advisor, Mozilla, told indianexpress.com over a call.
The risks and obligations that accompany transfer of personal data and government asking for non-personal data sets will negatively impact both companies and individuals, another senior public policy executive said. One of the best examples of re-identification, Tiwari said, was companies using browsing history to identify and predict the behaviour of individual users on the internet.
“There’s been some very good technical research that’s been done that says between 60 to 100 items of a user’s browsing history can be used to uniquely identify them on the internet. I don’t have to know your name, your email ID or any other unique identifier. Despite that I can arguably identify you on the internet just on the basis of your browsing history,” he said.
Experts have said that these gaps in the bill are likely to lead to larger problems in the future and have stressed that the non-personal data aspect should be kept out of the final PDP Bill. Though the government committee of experts on non-personal data governance framework had also recommended the same in its report in December 2020, there is no assurance on whether the same would be not included in the bill.
“While the committee recognises that anonymisation can be reversed, it provides very little information with regard to the way it will be governed in different sectors. This draft presents an opportunity to recommend, if not prescribe, that there should be minimal standard for anonymisation technique and the need for a governance mechanism for anonymised data sets,” Rizvi said.
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines
- The Indian Express website has been rated GREEN for its credibility and trustworthiness by Newsguard, a global service that rates news sources for their journalistic standards.