Non-Personal Data Policy: Citizens cite risks of targeting, surveillance, data misuse
The citizen feedback on the Non-Personal Data draft policy is not positive as people say there is very little to gain and the risk is of increased targeting, surveillance and data misuse
The citizen feedback on the Non-Personal Data draft policy is not positive as people say there is very little to gain and the risk is of increased targeting, surveillance and data misuse.
According to Local Circles, Non-Personal Data draft policy has gotten the dialogue started amongst citizens and businesses, it needs to be revisited considering the findings of a survey. "From a citizen standpoint, there is very little to gain and the risk is of increased targeting, surveillance and data misuse," it said.
The nine-member committee set up by the Ministry of Electronics and Information Technology, released a draft non-personal data policy in mid-July giving the public two months to provide feedback. Per the policy, any data which does not contain any personally identifiable information of an individual is termed as non-personal data.
For example, while order details collected by an e-commerce platform will have the name, age, address and other contact information of an individual, it will be considered non-personal data if specific identifiers like name, address and contact information are removed.
NPD also classified non-personal data into three main categories - public non-personal data, community non-personal data and private non-personal data. Although many experts say that this policy is a forward looking step and will create a culture of data sharing of non-personal data which will bring overall benefits to the country, MSME and startups as well as citizens do not seem to be in favour of the policy in its current form.
Citizen databases in India tend to sell for low prices and if one combines 2-3 of the commonly available databases along with say aggregate data from a large company, an individual can almost be fully profiled.
On the small business front, making the data available for a price is a non-starter and most believe they will be spectators to a data purchase war between large businesses.
"The COVID-19 pandemic has pushed most businesses behind by 2 years or more as far as their turnover and profitability is concerned. Another disruption in form of a mandatory aggregate data sharing program where hundreds of requests for data are coming is something that large businesses are bound to shy away from for the next few years. So let us ask again, who are we trying to really help and then redraft this policy," Local Circles said.
The best approach at this point is for the government to embark on a massive data aggregation and eventually sharing exercise of the various central, state and local databases which can then be used by startups and MSMEs to build innovative products and services on.
As far as data sharing by businesses go, a voluntary to mandatory aggregate data sharing program say over 3 years for businesses above Rs 500 crore annual turnover where businesses decide what data they share would be a good starting point.
LocalCircles decoded the 72-page detailed document and converted it into a simple survey on the key issues so common citizens, MSMEs and startups can participate and share their feedback. The survey received over 17,000 responses from citizens while over 15,000 responses were received from the startups and MSMEs spread across the country.
The government, via its Non-Personal Data Policy draft recommendation is mandating that Indian authorities can seek anonymised aggregate data of citizens from businesses to better understand the industry or for any other reason. Such data could include purchases made, services availed, calls made, health condition, etc. was the first issue discussed with citizens.
People were asked if they would be willing to give their consent for this and share their data in anonymised form. In response, 27 per cent said they would never want to share their anonymised data while 35 per cent said they will be willing to do so only in a law-order or an investigation situation. Only 30 per cent citizens said they were willing to share their anonymised data with the government for general purposes.
The kind of concerns that were raised by people included misuse of data for targeting specific communities or people residing in a particular area.
One of the examples cited was targeting around elections in terms of a political party or a candidate being able to find out what people of a particular area were searching on an e-commerce site or on the internet.
According to many respondents, the purpose or objective data should be very clear and specific before such information or consent for such information is sought from them. For instance, if the objective is to improve the government's school education system, the same should be stated beforehand and upfront when the data is sought. Not having to know what the data will be used for in the future creates suspicion according to many citizens.
The Non-Personal Data Policy also proposes that a business that collects user data can sell it to other businesses or a Government body after anonymising it. Citizens were asked if they support such selling of their anonymised data, to which 81 per cent responded in a negative, while only 14 per cent responded in a positive.
Local Circles said this means that only 14 per cent citizens support businesses selling their anonymised data to other businesses and government.
The big concern here amongst people is that if any organisation especially a business is purchasing aggregate data from another business, there is a high likelihood that it will use it to target communities or groups of individuals with their products and services.
This will likely mean unsolicited offers, spam and targeted advertising. Hence, a high majority of the 81 per cent people voted against such a possible move. Even if the purchasing organisation was a government department, people are still concerned that such data will ultimately be misused and reach businesses.
The draft Non-Personal Data policy mandates that a business must sell their customers' anonymised data to other businesses or government if they are willing to purchase the same. The final question asked how such a clause will impact businesses. 19 per cent said it will help large and heavily funded businesses only, 35 per cent said it will help large and heavily funded businesses and the government, 20 per cent said it will help businesses of all sizes, while 26 per cent were not sure what would happen.
This is one of the most important inputs from startups and MSMEs where they believe that while such a policy may have a stated objective of helping small businesses, it will likely do the opposite if the aggregate data of businesses is requested to or sold by the business as a revenue stream for a price.
Many startups and MSMEs believe that this will lead to one large company buying aggregate data of another large company while small businesses struggle to make ends meet. Most small businesses, be it an Indian startup or an MSME will find it extremely difficult in majority of the cases to pay high prices for such data.
Large companies also in some cases are likely to resist selling their data if its core to their business model, leading to rejection of the data request or going to court.
In the next question, businesses were asked that before the Government mandates businesses to share their aggregate anonymised data, should the Government mandatorily share its aggregate anonymised data like municipal, health, traffic, water, environment, court pendencies, etc, so innovators can build new value added services upon them. 72 per cent answered in a 'yes', while 16 per cent said the businesses should do it first. 12 per cent were unsure.