Sharique Hassan Manazir
February 22, 2021 | Reflections
With rising internet access worldwide and government efforts globally to engage directly with its residents through e-participation platforms, the discourse on better understanding about e-participation platform as well as user data has become important. E-participation refers to people’s participation over digital platforms which are owned either by the government or by private entities. The functionality of e-participation platforms ranges from social networking, micro-blogging, video/photo sharing, opinion polls, etc. Thus, Facebook, Instagram, Snapchat etc. come under the category of privately owned e-participation platforms while “myGov” platform by the Indian government, “e-petitions” platform by the government of the United Kingdom etc. are government-owned platforms.
The common element between government-owned and privately owned e-participation platforms are that the user data that it consumes provides access to these services. Apart from user details required to login into these platforms, these platforms also get access to a bundle of real-time information about the user through the devices used to access these platforms.
The digital public sphere in the form of e-participation platforms comes with its own set of opportunities and challenges as far as user data collection and its use are concerned. In the public sphere, the classification of a person as a citizen, resident, non-resident or refugee is a prerequisite for establishing related laws. Similarly in the digital public sphere, the definition and classification of various forms of personal data and their sub-types are prerequisites for regulating the digital ecosystem.
The European Union’s General Data Protection Regulation (GDPR) defines anonymous data as the information that does not relate to an identifiable person, or to personal data that has been rendered anonymous such that the data subject is no longer identifiable. As per the GDPR, the processing of anonymous data does not trigger data protection laws. Yet, it is also well understood that re-identification of anonymized personal data is not impossible and thus comes under data protection jurisdiction.
Data such as climate sensor data are anonymous from the beginning if it is not studied in correlation with demographic data related to the population or any individual specifically. On the other hand, data forms like vehicle number, phone number, purchase or medical record etc. are assumed to be personal data which requires anonymization for converting it into non-personal data. The latter form of data i.e. non-personal data on its face which can be rendered personal using de-anonymization techniques is the one which has most economic value. Private corporations dealing in user data market want easy access to personal data, directly or indirectly, and the easiest catch is personal data with the non-personal facade. Thus, the classification of personal and non-personal requires diligence and precaution both for any regulating body.
In India, there have been proposed legislation, draft frameworks, and consultation papers to legislate personal data and the Non-Personal Data (NPD) Governance Framework is one such initiative of the Ministry of Electronics and Information Technology. The framework draws its inspiration from Personal Data Protection (PDP) Bill 2019 which is pending in parliament for further deliberations. The proposed framework tries to differentiate personal and non-personal data with in-depth classification of various forms of non-personal data types.
The PDP Bill, 2019 defines Sensitive Personal Data as a sub-type of personal data (clause 3.36). The NPD Governance Framework states that ‘sensitive or personal data could lead to privacy harms’ leaving the legal definition of ‘sensitive’ and ‘personal’ data open-ended (section 3.8(ii)). Superficially, there is nothing wrong in that statement but the definition and types of Personal Data could have been coherently defined in line with the original bill.
The NPD Governance Framework defines Anonymized Personal Data as a type of Non-Personal Data and accepts the fact that anonymized data bears the risk of re-identification (section 4.1). It also recommends that ‘data principles should provide consent for anonymization of and usage of their data while providing consent for collection and usage of his/her personal data’ while advocating the treatment of such anonymized personal data as Non-Personal Data.
The problem of re-identification of anonymized data is a known fact and clause 82.1 of chapter XIII of PDP Bill, 2019 states special provisions along with punitive measures of its breach. Section 8.2(VIII) of NPD Governance Framework mentions the same concerns. Hence, the clubbing of Anonymized Personal Data under Non-Personal Data and bringing it under jurisdiction of a proposed Non-Personal Data Regulatory Authority rather than keeping it under the ambit of proposed Data Protection Authority requires discussion and debate. As far as better policy on non-personal data regulation is concerned, there remain possibilities of introspection on various issues related to data conceptualization, classification and monitoring.
In South Asia all countries except Bhutan are at various stages of developing personal data protection bills. The ICT Act, 2016 and Digital Security Act, 2018 by the Government of Bangladesh ; Personal Data Protection Bill, 2020 by Ministry of Information Technology and Telecommunication, Government of Pakistan; The Privacy Act 2018 by the Government of Nepal; Personal Data Protection Bill, 2019 by Ministry of Digital Infrastructure and Information Technology 2019 of the Government of Sri Lanka are some policy initiatives by South Asian countries. While these regulations are at different stages one cannot confirm their robustness on a comparative scale as compared to proposed regulations in India. India can serve as torch bearer of robust and compatible digital policy regime for its neighboring countries, but the question remains how?
In India, a bottom-up deliberative approach which includes state legislature mechanism as a stakeholder in this exercise can be a step in the right direction. There is always scope for a more inclusive, time-bound, transparent, coherent yet deliberative mechanism for arriving at policies for a robust digital democratic regime. Most importantly a clear-cut classification of e-participation platforms and its various forms can be discussed for a better academic and legal perspective on upcoming regulations. This post has discussed some of the data policy challenges in Asian countries in general and India in particular. It is hoped that the interest in data policy and STS in Asia may trigger some discussions in 4S and its upcoming annual STS meeting.
Sharique Hassan Manazir is a PhD candidate of the Centre for Studies in Science Policy at School of Social Sciences, Jawaharlal Nehru University, New Delhi, India. His PhD title is “Digital Democracy & Policy formulation in India: A Study of government enabled e-participation platforms”. His research interests include e-participation platforms, digital inclusion and tech-policy regulations in the global south. He is co-founder of Digital Inclusion Research Forum and is presently Deputy Registrar at Al-Karim University, Katihar (India).
Image courtesy:
Published: 02/22/2021