We focus on India and Europe, where frameworks for the regulation of non-personal data are emerging. We add a bit of SolarWinds followup, and peek at ICANN hiding in the corner

Governance of Non-Personal Data

Although most data governance efforts in recent years have been focused on the collection, storage, processing and transfer of personal data, some countries are contemplating or putting in place frameworks for regulating non-personal data (NPD). This would include a vast range of informational activity, ranging from industrial data, infrastructural sensors, to meteorological data. Both India and Europe are establishing frameworks for NPD governance

In India, a committee of experts established by the government to propose a regulatory framework to address the governance gaps around non-personal data (NPD) has issued its final report and is inviting comments before January 31, 2021. The committee has recommended creating “a single national-level regulation to establish rights to non-personal data (NPD) collected and created in India” and establishing the Non-Personal Data Authority (“NPDA”)  for “unlocking value in non-personal data for India”. The NPDA has a broad set of responsibilities including enabling availability of NPD for the community, enforcement of data-sharing framework adjudicating disputes, and addressing privacy harms.

In 2018, after the implementation of the General Data Protection Regulation (GDPR), the European Union (EU) adopted a regulation with the aim of ensuring the free movement of non-personal data (NPD) across the EU. Among other things, the regulation prohibits data localization requirements by Member States. Non-personal data also finds a mention in the European Commission’s Data Governance Act (DGA), published in November, 2020.

We will publish a deeper analysis of these NPD governance initiatives soon.

SolarWinds followup

In a joint statement released by the U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Office of the Director of National Intelligence and the National Security Agency, the US now formally says the SolarWinds hack was “likely Russian in origin.” They also said it was responsible for “most or all” of the compromises of government agencies it has discovered, and admitted that its purpose was intelligence collection. FireEye released analysis showing that the malware had a kill switch that was triggered for the vast majority of the compromised networks, underscoring the conclusion that this was espionage rather than preparation for a widespread “attack.” The New York Times wrote that JetBrains, a Czech software firm, may have played a role in enabling the compromise. This is interesting because it is a developers’ tool and thus was part of the supply chain of the supply chain.

Effort to fragment DNS jurisdiction falls short

Trademark and copyright lobbyists finally got the US Congress to intervene in ICANN’s attempt to make its handling of domain name registration data comply with privacy rights. But the results were pretty lame. For two years they have been pushing to counter GDPR by means of a U.S. law that would force American registries and registrars to freely publish all domain registration data, thus fragmenting ICANN’s domain name policies into separate jurisdictions. But the Consolidated Appropriations Act of 2021, passed December 27, 2020, did not go that far. Its “Joint Explanatory Statement” merely directs the Commerce Department’s NTIA to “work with ICANN to expedite the establishment of a method of disclosing redacted Whois data;” which it is already doing as it works on the so-called Standardized System of Access and Disclosure (SSAD). It also “encourages” NTIA to “require registries and registrars based in the United States to collect and make public accurate domain name registration information.” But encouragement is not a requirement and NTIA cannot, by itself, require any such thing.

ICANN, bylaws. Bylaws, ICANN

ICANN org still doesn’t seem to understand its own bylaws. Its staff wrote a letter to the European Data Protection Board (EDPB) arguing that the Board’s interpretation of the Schrems 2 decision puts its attempt to provide lawful access to private domain name registration data at risk by unduly restricting international data transfers. While this point is a reasonable and important one, we were shocked to see ICANN assert in the letter that its proposed system for disclosing registration data (SSAD) is “instrumental for stopping and preventing the dissemination of illegal content.” ICANN’s mission and bylaws [Section 1.1(c)] specifically block it from regulating content on Internet services. Aside from its conflict with ICANN’s mission statement, the assertion in the EDPB letter is factually false. Taking down illegal content rarely if ever requires access to private domain name registration data, nor does such access in any way “prevent” the dissemination of illegal content. When will it sink in? ICANN is not a content regulator. It should stop pretending to be one in an attempt to impress governments.