The past as a compass for the future

The past as a compass for the future

SMEs and the startup ecosystem in India share concerns about the (retracted) draft Data Protection Bill, 2021 - and the way forward for businesses

Sweta Dash

Mixing of Personal and non-personal data

Submitted Aug 17, 2022

The DPB, after the JPC Report, includes both personal and non-personal data. The JPC report mentioned that the scope of this bill ought to be expanded to include “data other than personal data” - data that is not linked to a natural person or personal data that has been anonymized so that identifiability of the person is avoided. The JPC report said that all of this must come under “a single administration and regulatory authority".

Inclusion of NPD in the DPB was a matter of serious concern for most respondents. The reasons for this are explained in this section.

The transition from PDP to the current DPB defocuses the user, according to a senior engineer from a CRM business. “The centre of the universe is the actual user who is giving you the data. But when it comes to the current DPB, it’s not exactly the user who is at the centre of the universe.” “So that will lead to all kinds of chaos and, you know, lots of ad hoc processes, ad hoc understanding, and so on.”1

Second, respondents felt the inclusion of NPD into the DPB causes ambiguity about the extent to which businesses must store and share data. This cost of storage, processing and keeping the data on premise increases the difficulties in compliance, apart from posing data security risks. The founder of one FinTech business said that this mixing of personal and non-personal data makes things difficult. “Every single byte that you store at your organisation could be non personal - the weather data or logs or whatever - everything suddenly comes under the ambit of this omnibus bill. And just by pulling everything in now, all clarity is lost … It really complicates compliance, implementation and understanding for everyone.”

Additionally, segregating data into non-personal and personal, and then into sensitive and critical is a herculean challenge for all data heavy businesses. And, respondents agreed that NPD would anyway cover at least 90 percent of the data they aggregate.

  1. In a critique of the draft agriculture data management policy issued by the Telangana state government, a similar critique has been made that the user is hardly at the centre of the policy - Policy Reviews : Examining policies around privacy, data governance and usage for being explainable and specific with outcomes: Privacy Mode. Rather, the policy makes gross assumptions about Data Principals, often conflating the individual with a corporation, and therefore fails to see the individual’s data as the actual and original source of non-personal data. ↩︎


{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}

Hosted by

Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more

Supported by