On July 30, I had posted an article here titled “Who Owns Meta Data”. The post evoked several interesting comments on the linked in and in the interest of taking the debate further, I thought I should share these comments here.
Some of the comments are listed here:
Comment 1: I’d argue that fiduciaries need metadata in order maintain logs of processing activities at the very least but also for the essential functioning of their businesses. For instance if I (as a fiduciary) am processing an e-commerce transaction (Say delivering goods ordered on the fiduciary’s website), the legal basis for holding of personal data (name, address, phone) is already established as they are necessary to process and deliver the goods. In the same tone, the metadata is essential for managing operational performance, transaction lineage, reconciliations etc (to understand and improve my business which is indeed the core part of running a business). As long as the fiduciary has established a legal basis for creating a metadata record, then I think they are well within the DPDA ambit. And by the way metadata should never contain personal information in there (and I wouldn’t call it metadata if it did).
Comment 2: If the sender is the fiduciary then fiduciary owns the message and has a recorded legal basis (e.g. consent or lawful processing) for sending the message to the principal. If the sender is the data principal, then the message should no longer be stored beyond the purpose for which it was sent (e.g. requesting for a change and fiduciary deleting the message once the said purpose is served). It may be possible that the fiduciary needs to retain such communication for a period of time which then would be the legal basis for long term storage (in such cases both the fiduciary and the principal could have a copy of the message). I hope I have understood it right.
Na.Vijayashankar (Naavi) Sir, you write up very well sums up the issues DPDPA 2023 opens up, but I feel ownership is not an issue that the law intends to address. The law confers a few rights on the data principals to give them some control over their data. The right to nominate is just an extension of it, in my view. Moreover, the data fiduciaries need not delete the personal data even when requested by the data principal, if they can show that processing is valid on some legal ground of processing. Meta data will anyway qualify as a personal data if it can identify some individual under the DPDPA be it in isolated or aggregated form. Therefore, I would hesitate to call personal data as ones property as it would amount to giving them absolute right over it.
Comment 4: What are your views on ownership of the meta data subsequent to alterations which causes change in meta data?
Comment 5: Thank you for shedding light on the complexities surrounding metadata. I completely agree that metadata is a grey area that often goes unnoticed, yet it has significant implications for privacy. For instance, when I upload a photo, the metadata can include my location, which is clearly personal data. While not all metadata should be considered personal, in certain circumstances it definitely warrants the same protections. It’s crucial that we have a clearer legal framework to address these nuances. Looking forward to more discussions on this important topic!
Comment 6: Sir you are absolutely correct however there are scenarios different to what you mentioned, I am sending one of my selfies as an email attachment to my bank part of my KYC renewal and the bank’s email account get compromised so are you saying that my attachment won’t have any extractable Metadata which may be considered as my personal data? If yes, then isn’t it the responsibility of the Data Fiduciary to ensure the same is removed when an attachment is received by them as they are definitely going to retain the email with the attachment or only the attachment as per legal obligations.
P.S. – I am using a non-paid email domain to send the email which do not have any facility of removing metadata from the attachment. Also let’s consider it is only the email account got compromised which only made for receiving customer’s photographs, nothing else is compromised.
Comment 7: Surely Govt need to think into deep aspect when it comes to nomination and ownership of data. Who is the real owner of the data? Question also looms around the retention period of metadata. Do we need sector wise retention period guidelines to safeguard personal data? Hope Govt is taking into consideration when the final laws are out
Comment 8: Very interesting topic, data ownership is always contentious. Lacking background, just wanted to check your views on the “behavioural data” that is constructed behind the scene. More often, that holds value beyond the context- is that part of the discussion.
I thank all those who by commenting on the post have extended the debate. The comments are self explanatory.
I would like to however add the following points to the debate..
The above debate arose because DPDPA 2023 declared that “Personal Data is some thing that can be nominated” and the industry generally thinks that “Meta Data” that can be used to identify an individual is personal data. Meta Data by definition is associated with some data and that can be personal data. If we donot recognize that there is “Personal Identity” different from “Business Contact Identity”, every message on the internet is “Personal Data” since it is sent by an individual or by a system that is programmed by the individual to send out automated responses. I.O.W. every message on the internet has a originating IP address and perhaps location etc which can be traced to an individual unless it is anonymized.
Hence most of the “Meta Data” is associated with Personal data and hence becomes an extension especially under the GDPR jurisprudence.
There is a similarity of this to data built by a data fiduciary on the data supplied by the data principal which ultimately may be recognized as a “Profile”. Under the “Additive Value hypothesis of the theory of data” , I have discussed how the value built on data should be considered as the property of the builder. This is consistent with the IPR laws as well. Meta Data may not involve special effort of the data fiduciary but nevertheless it is created by him and is a technical requirement in all cases and also a legal requirement in many cases. There are data retention requirements which may require the log records to be maintained. The CERT In guidelines require retention of meta data for security reasons.
Hence there is a clash between the GDPR jurisprudence and Indian Jurisprudence related to Meta Data and this was highlighted in the article taking the cue from the “Nomination as a Right”.
This leads us to the need to define that “Data Generated during a transaction is a joint property and there are joint and several rights available to both”. I have in the past also argued that when there is a “Telephonic Conversation”, the “Conversation” belongs to both and hence “Recording does not need the permission of the other”. This also clashes with the American jurisprudence which requires such permission.
I invite comments on this point….now
Naavi
