The vast accumulation of data by organisations has given rise to highly comprehensive digital profiles of individuals, reaching an unprecedented level of granularity. Not all of this is happening with their consent. Also, companies are collecting all kinds of data on the presumption that all data is valuable.
Deanonymisation is performed by combining anonymised datasets to identify information about a particular user in different contexts, which can reveal layered and comprehensive personal information about an individual.
Last month, the Gopalakrishnan Committee released the revised report (
Report) on the regulatory framework governing non-personal data (
NPD) for public consultation. While the European Union regulates the flow of non-personal data across borders of different states, through an unprecedented framework, India may become the first to regulate the flow of NPD within national borders.
The Report defines non-personal data as data which is without any personal data (
PD). While the Report does not define PD, the Personal Data Protection (
PDP) Bill defines PD to include inter alia any information which is directly or indirectly capable of identifying an individual. Significantly, the Report considers PD which has been ‘anonymised’ (i.e. irreversibly de-identified) as NPD.