Neuro Rights Bill approved in Californian Senate

The Californian Senate has reportedly approved Bill SB 1223, which is meant to protect the individual’s neural data from misuse. The Bill was authored in the name of Josh Becker and co-sponsored by Professor Rafael Yuste, who incidentally had virtually addressed the IDPS 2022.

A copy of the Bill is available here.

The bill places neural data in the category of sensitive personal data within the provisions of CCPA.

“Neural Data” is defined as information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.

Naavi had similarly suggested that India should bring neural data under protection within the DPDPA 2023.

At present, DPDPA 2023 does not define “Sensitive Personal Data”. It has also tried to avoid defining “Harm” to include “Psychological manipulation”, which was present in the previous versions of the PDPB. Now the Consumer Protection Act, by defining the “Dark Pattern” as a prohibited consumer practice, has stepped in to fill the void left by DPDPA 2023.

However, the nature of “Privacy” is such that the definition of “Sensitivity” and “harm” cannot be completely avoided. In 2005, when people proposed an amendment of ITA 2000 to avoid liabilities of the industry, as in the “Bazee.com” case, it boomeranged on the industry: the title of the section was changed but the essence remained.

The intermediaries continue to be liable under the Guidelines of 6th April 2023, and the concept of “Due Diligence” is haunting the industry enough for it to take the issue to the Supreme Court and contend that the Intermediary Guidelines notification is unconstitutional.

A similar situation seems to have arisen in DPDPA. The industry wanted to dilute the law and ensured that PDPB 2018/2019 was simplified to DPDPA 2023.

But by removing the definition of “Sensitive Personal Data”, MeitY has made all the general obligations apply to all Data Fiduciaries. At first glance it appeared that SDPI guidelines would go and industries could breathe freely. But the situation now is different.

Now it appears that all obligations under Sections 8 and 9 of the Act are applicable to the processing of non-sensitive personal data also.

The “Significant Data Fiduciaries”, to whom the requirements of DPO, Data Auditor and DPIA apply, bring the concept of sensitivity of information back into contention for determining whether an organization is a significant data fiduciary or not.

In the first version of the “Draft of the Draft Rules” made available for discussion, there was no definition of “Significant Data Fiduciary” (SDF), and it is possible that even in the final version, MeitY may refrain from defining a “Significant Data Fiduciary”.

It would therefore be left to a Data Fiduciary (DF) to decide if he is an SDF or not. When things go wrong, the DF who should have been an SDF but classified himself as a DF may be liable for penalties related to the special obligations of an SDF. It is natural to consider that a DF which is processing Neural Data needs to be classified as posing a significant risk and the organization should be considered an SDF.

Since Section 10 (1) states that the Central Government may “notify” any DF as an SDF based on the “Risk to the rights of Data Principal”, the absence of such a notification can also be interpreted as meaning that there will be no SDFs at all. But such an argument would be fallacious and would be difficult for Courts to accept. At best, the Government may take some time to notify the criteria for determining an SDF, but it would be difficult to avoid it altogether.

Under Section 16, the Government has decided to give a “Negative List” of countries to which transfer of personal data from India could be restricted. If the Government wants to avoid defining what constitutes an “SDF”, it can choose to declare which types of industries are exempted from being considered as Significant Data Fiduciaries.

Unless MeitY declares that “Processors of Neural Data” are not Significant Data Fiduciaries, it would be unwise for DFs processing Neural Data not to consider themselves as SDFs.

Let us wait and see if the Government takes this route of avoiding a decision.

In the meantime, DGPSI will consider processors of Neural Data as Significant Data Fiduciaries only.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.