Google’s chief privacy officer, Keith Enright, has warned policymakers that frequent and large-scale sharing of citizen data, even if anonymized, can damage users’ privacy.
Pointing to research that shows data sets lose their anonymity if shared consistently over time, he said: “I would encourage policymakers and companies to be extremely circumspect while proceeding in that direction.”
Anonymization is a technique that removes or modifies personally identifiable information, resulting in data that cannot be associated with any one individual.
Google says it can build safe and valuable products for its search services by using anonymized data.
On May 26, India’s ministry of electronics and information technology came out with a new draft framework for governance of citizen data. It proposed ways to ensure that non-personal and anonymized data sets from both government and private entities were safely accessible by the research and innovation ecosystem.
The new draft did not talk about monetizing this data. An earlier draft, from February this year, had done so and triggered a furore among privacy activists.
Enright, speaking to journalists in India from the United States during a virtual meeting, conceded that use of anonymous data posed fewer risks to personally identifiable information.
However, the issue, he said, was how ‘anonymous data’ was defined.
“Anonymous tends to mean different things in different contexts.
“Different legal regimes have defined anonymous or anonymization differently… We need to be thoughtful and deliberate about how we define anonymous data,” he said.
Enright had a similar word of caution on localization of data. Governments worldwide think localizing data would help in law enforcement and taxation, or bring other economic benefits.
But, he said, none of these areas had gained from data localization in the last 10 years.
Instead, such localization risked fracturing the benefits of a globally distributed cloud.
“The cloud was optimized for security, availability, efficiency, and data localization sort of retreats for many of those benefits,” he said.
India’s Data Protection Bill, which has been in the works, mandates data localization, requiring that sensitive or critical personal data be stored only in India.
The contentious issue, according to the big technology companies, is that there is no clear definition of what constitutes sensitive or critical personal data.
Recent media reports suggest the changes being made to the Bill will take care of this.
Enright went on to say that giving users control over their data and a sense of safety on the internet was vital. It was for this that Google recently offered the ‘auto delete’ feature, which gives users the ability to delete certain data from their account.
“Because we have made auto delete the default setting for all new Google accounts, it means activity data in a month is being automatically deleted for more than 2 billion users every day,” said Enright.