While discussing Data Protection and “Privacy Protection through Data Protection” or “Information Privacy”, the critical aspect is to have a clear definition of what is “Personal Data”.
We may recall that under “Shape of Things to Come” series of articles Naavi suggested that the New Data Protection Law of India should define “Protected Data”, “Protected Person” and go ahead to prescribe the obligations of the data fiduciary. However this suggestion was ignored and DPDPB2022 has defined “Personal Data” and “Data Principal” in a conventional manner as under.
“personal data” means any data about an individual who is identifiable by or in relation to such data”
“Data Principal” means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child;
It is observed that the definition of Personal data in DPDPB 2022 is that “personal data” means any data “about” an individual who is identifiable by or in relation to such data;
On the other hand, at present, the Data Protection Law of India which is Section 43A of ITA 2000 defines Personal Information as
“Personal information” means any information that relates to a natural person,
which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. “
At the same time GDPR defines Personal Data and data subject using the following definitions
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
…an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
In all these definitions, there are two elements namely the “Data” and the “Data Principal or Data Subject”. The nature of data that is defined as personal data is “About” and is “Related to the data subject/principal” and is capable of being identified as related to or about the individual who is recognized as the data subject/principal.
GDPR uses the term “Identifiers” while ITA 2000/DPDPB2022 does not. The concept of “Identifier” is absent in DPDPB 2022 and it can have its own consequences in some instances.
In GDPR we need to distinguish between “Identifier” and “Identified Information” as two distinct elements of personal data. In the Indian Context, “Identifier” itself becomes “Information” that is identifiable with a data principal. This leaves us an enigmatic challenge “Is a person identified with the identifier” or “Identifier identifies a person”
(Reminds me of a devotional composition in Kannada by saint Kanakadasa and made immortal by the singing of late Dr Rajkumar,titled “Nee Mayeyolago, Ninnolu Maayeo“, (This composition discusses whether the human being is within the consciousness or consciousness is within the human being as a philosophical concept. Translation of lyrics in English )
This discussion is relevant in defining the “Profile”, “Data Portability”, “Right to Forget” which are all concepts that form part of the Data Protection debate.
In the Kerala Judgment on Right to forget the judgement held inter-alia that the copy of the Judgement containing the identity of the individuals is part of “Personal Data” of the individual and went about discussing circumstances when the identities have to be redacted and circumstances when they are part of the Open Data etc. It is also presumed that this concept has been recognized under the Puttaswamy Judgement as well as the other discourses on Data Protection.
According to this hypothesis, personal data with a data fiduciary consists of
a) Data Supplied by the data principal
b) Data Generated by the Data fiduciary during his encounter with the data principal
c) Data gathered about the data principal from other sources and tagged with the data principal
d) Inferences drawn from all data tagged with the data principal as well as other data some of which can even be non personal data, environmental data etc.
All these are together considered as the “Profile” of the data principal.
In exercising the Right to Portability and Right to Forget, we try to include this entire profile as the personal data of the individual.
In this context, the Health Data created by a hospital, Financial data created by a lending organization, Mobile usage data created by a Telecom operator, Buying habit data created by an E Commerce company, The criminal profile created by a Law Enforcement Agency and the Judgement created by a Court are considered part of the Profile to be ported or purged.
This often gives raise to a conflict between the IPR of the data fiduciary in creating the profile whether it is the property of the data principal or is the property of the data fiduciary. In “Porting” it may be acceptable to delete that part of the profile that constitutes “Trade Secret” but this is a small part of the profile since most of the profile consists of “Copyrightable” material and not trade secret and hence if we accept that the information built by the data fiduciary is part of the personal data then the entire profile becomes the presumed property of the data principal which needs to be ported or purged or transferred to a nominee when such requirement arises.
Under Naavi’s “Theory of Data” which we have discussed in several articles in this website we had identified a hypothesis titled “Additive Value Hypothesis” where I had advocated that the value of data changes during its life cycle and at different stages different stakeholders may add value and that should belong to the stake holder who adds such value. (Ed: Since the same theory advocates that Data is the eyes of the beholder, addition of value to one person may be reduction in value for another person)
Under this hypothesis, when a data fiduciary generates “Knowledge” from the data provided by the data principal, the “Additional knowledge” belongs to him and is not part of the profile to be ported or purged (or transferred under nomination if available) as the case may be.
I therefore would like to suggest that the “Judgement of a Court about an individual” is not to be considered as “Personal Data” on which the individual has a right of modification or right to dictate restricted disclosure. This data is “Sovereign Data” belonging to the Court and the Court alone has the right to dispose it in a manner it deems fit.
Hence I would like to advocate a modification to the Kerala Judgement and not recognize the Right to Forget as extending to the Court judgements.
(P.S: This is proposed as a academic thought by Naavi a Research Student of Theory of Data or Theory of Privacy and not an advisory for compliance by Naavi the Data Protection Consultant)
In the “Shape of Things” series of articles, I had therefore suggested the definition of data to include a category of data which I had called “Joint Data” where multiple persons may hold a right on a data element. The disposal of “Data Generated during a transaction between multiple parties” should therefore be subject to the principle of “protecting the interests of all joint owners” and such data cannot be considered as an exclusive property of an individual.
Once this argument is accepted, there will be problems regarding health data or financial data etc. The business may start monetization of the data to the detriment of the data principal.
This is the “Risk of Harm” of which “Advertising” and “Monetization” could lead to risk of loss of reputation etc.
I had addressed all these aspects in the “Shape of Things” series of articles though I believe no body observed the in depth meaning of many of my suggestions. I had suggested a higher level of consent for “Advertising Profiling” and “Monetization” of personal data to take care of preventing privacy harms to the individuals.
I re-iterate that
“Data Principal” only has a right of disposal regarding the data supplied by him to a data fiduciary and the value and right of information built over it by the data fiduciary belongs to the data fiduciary. The Data Fiduciary should be able to obtain an appropriate consent including “Discovery Consent” to use the personal data supplied by the data principal for the commercial benefit of the Data Fiduciary.
Further the Court in the case of Judgements is not a “Data Fiduciary” in the normal sense (even lesser so than a Hospital that generates medical records or a Bank that generates financial records of an individual) and hence is not obligated to protect the Privacy of the individual by redacting the names of the litigants, or witnesses or counsels or the judges.
If however, the Court has reasons of security such as witness protection or need to protect the dignity of an individual as in cases that deserve in-camera hearings, it may exercise its discretion to redact the identity of individuals from public gaze while retaining it in its own records just like pseudonymization of disclosed data by private data fiduciaries.
In the case of commercial entities such as Hospitals and Banks or Data Analytics companies who also generate value added data, the consent should cover whether there are rights of use of the data in identified or pseudonymized or anonymized form by the data fiduciary since it also has a right on the profile.
These may be considered as thoughts for academic debate. I request academicians to participate in the debate.
(P.S: As already stated this is proposed as a academic thought by Naavi a Research Student of Theory of Data or Theory of Privacy and not an advisory for compliance by Naavi the Data Protection Consultant.
These conflicts have been resolved for compliance purposes in the Data Protection Compliance Standard of India which incorporates the concepts of higher level of consents such as monetization consent or witnessed consent)
Naavi
Other Recent Articles on the Right to Forget: