© Copyright Notification: This video is originally produced by IranTV on youtube (youtube.com/IranTV) and all rights are preserved for us. using our contents without permission results in our legal claim.
The most headline-worthy recommendation made by the Committee is to not limit the Personal Data Protection Bill to personal data but include non-personal data. For the uninitiated, personal data simply put, is data through which an individual can be identified. Eg. someone’s name or a photograph. All other data is non-personal data, that includes data that was personal to begin with but is now anonymised (like a blurred photograph that cannot be reasonably unblurred).
The Committee believes that such non-personal data should also be included within the ambit of this bill. It offers three justifications- first, non-personal data can also affect privacy; second, it is difficult to distinguish between personal and non-personal data and; third one cannot have two different data protection authorities to deal with two different kinds of data.
Its first argument, for which it offers no justification, is simply incorrect. Non-personal data cannot affect privacy because an individual cannot be identified through the data. If an individual cannot be identified, her privacy cannot be affected.
The only way in which the first argument could have some justification is if the protocols for anonymisation are not strong enough, thereby enabling re-identification (i.e. the second argument). It is precisely to offset this concern that the bill, in Clause 82, makes reidentification a criminal offence. It is crucial to note that this is the only criminal offence in the entire bill showing how seriously everyone takes this issue. This is a significant deterrent to any slipshod anonymisation being done.
Apart from this possibility that an individual is re-identified (for which there is a deterrent), there ought to be no difficulty in distinguishing personal data from its non-personal counterpart. In making its case that such distinction is difficult, the committee has missed the wide swathes of non-personal data that has nothing to do with individuals and no question of re-identification arises in the first place. Military data with our armed forces, corporate data with our companies, reams of multilingual training data sets to enable AI-based translation are all now conceptually part of the data protection bill as a consequence. If there is a definition of overkill, this is it.