India’s Digital Personal Data Protection Bill passed: “it’s a bad law”

Access Now on India’s plan to regulate “non-personal” data: protect personal data first

India is in urgent need of a legal framework to protect individuals’ personal data and define the rights and remedies that will keep them safe. Instead of moving forward with such a framework, lawmakers are advancing plans to regulate “non-personal” data. We are advising the government against this approach. 

The Ministry of Electronics and Information Technology in India has called for comments on a report on a “non-personal” data governance framework for India by a Committee of Experts under the Chairmanship of Mr. Kris Gopalakrishnan. Access Now submitted its comments on September 13, 2020.  

The proposed framework envisages regulations to cover two kinds of data: 1.) data that never related to any identifiable or natural person, and 2.) data which were initially personal data, but were later made anonymous. 

While we welcome plans to regulate non-personal data not related to any identifiable or natural person, information that was initially personal data but was later anonymised is much more tricky. India currently lacks a comprehensive data protection framework or regulator. It is chronologically counter-intuitive and counterproductive to regulate non-personal data before regulating personal data, which implies defining its scope. The government should pursue plans to govern non-personal data only after a comprehensive personal data protection and privacy law has been enacted, and a truly independent and strong regulator has been put in place.

Further, as we highlight in our submission, the proposed regulation framework goes against the principle that our personal data belongs to us, not to the companies. It is also important to observe the principles of purpose limitation and data minimisation, and as we explain, the framework runs counter to these principles. We also provide feedback on the issue of community data and data custodians, as well as applying learnings from the approach in Europe.

Finally, we have highlighted the need for an approach to governing personal and non-personal data that is individual-centric and puts human rights first. We hope to continue engaging with the government of India on this important topic.

Read our full submission here.