India's Personal Data Protection (PDP) Bill

Jurisdiction

Clause 91 allows for the collection of Non Personal Data (NPD). Members and representatives from the startup and investor community in India have shared strong opinions that India needs a PDP Bill first before NPD regulation can be considered ¹.

Definition of personal and non-personal data

Definitions of what is personal and non personal data needs overhauling. Currently, the definitions of personal data and sensitive personal data (Clauses 3, 15) are broad and they intersect with each other. Non personal data is not a binary, but a continuous spectrum where data is generated and over time, spreads across this spectrum, acquiring different levels of inference and value.

There also needs to be a clear baseline of data that businesses collect which needs to be kept in mind when creating legislations.

According to Privacy Mode’s research on NPD[^NPD research], one of the primary concerns with regulating NPD is that de-anonymizing data presents the risk of identifying communities and users’ from broad datasets, thereby directly contradicting the mandate of PDP to protect data and identity.

We believe that Non Personal Data should not be governed under PDP. It is important that both data regulation frameworks be kept separate for the time being, while attention is being paid to the implementation of PDP.

[^NPD research]:NPD research and documentation from the outreach is published at: https://hasgeek.com/PrivacyMode/non-personal-data/