Experts warn of a high re-identification risk in the Personal Data Protection (PDP) Bill. The public policy experts and senior industry executives said that it may lead to legal complications for stakeholders.
“High value data-sets that have been created using personal data by anonymising it continue to carry risks with them. There is a very very clear danger of re-identification and that’s a danger that keeps compounding. It is not too much to claim that there is no anonymised data set that is permanently anonymised,” a senior industry executive said.
Section 91 of the latest version of the PDP Bill gives the central government powers to direct data processors to get access to all anonymised or non-personal data. This will surely create a high risk of re-identification. But the adepts also opined that as technology, including mathematical algorithms are evolving day be day, the re-identification science will also get better with time.
“Anonymised data is often easily re-identified and it causes significant privacy harms. Establishing standards for anonymisation and providing more clarity on how various stakeholders will have to collect and store data to avoid regulatory arbitrage will help” said Kazim Rizvi, founder of public policy group The Dialogue.
Another issue likely to come over time is that the release of new data by companies and other stakeholders will be overlaid with previously available data sets. This will be a threat to privacy. In such cases, companies would be held liable under the upcoming Data Protection Bill. Experts further added that the lack of a clear definition of what constitutes non-personal data is a matter of concern.