JPC recommendation on Children Data

In designing the Data Protection regulations, the problem areas have been:

a) Deceased data principals

b) Legacy holdings of personal data

c) Personal data of minor children.

Having adopted “Consent” as a basic form of establishing lawfulness of processing, it is essential that the “Consent” itself should be lawful.

As we have repeatedly held, “Consent is a contract” and its validity expires on the death of the person. Hence the personal data of a deceased person moves out of the contours of a data protection law. This is also reasonable since the basic purpose of such legislation is to protect the privacy of a citizen of a country and I presume that it is not in the citizenship act to recognize a deceased person as having rights equivalent to a living citizen.

In the PDPA 2021, an attempt has been made to introduce a concept of “Nomination” wherein the data principal can record his instructions for handing over the personal data to the nominated person. The legality of such nomination would be debated separately by experts. At present, we consider that this is only an operational instruction and does not amount to legal inheritance of the deceased’s digital assets by the nominee. This issue needs more serious consideration than what has been done now in the form of a minor modification of Section 17 (Recommendation 39).

This recommendation suggests that a legal heir or legal representative may be nominated by the data principal to exercise the right to be forgotten, or to append the terms of agreement with regard to processing of personal data in the event of the death of such data principal.

This provision is ultra vires the ITA 2000 and survives only because DPA 2021 is a more recent special law. But it presumes that “Data” is a “Property” the rights of which survive death and can be transferred to another person. Section 17(4) does not specifically state that the right is limited to carrying out some duties towards bringing back the data asset for the use of legal heirs, and not to enjoying the benefits of the data by the nominee.

Further, the “Right to Processing of data” by consent is like a transfer of a “Right to use” for a limited purpose and is similar to an “Assignment”. The nomination is therefore a further exercise of a right of assignment already exercised. This clarity is also not present in the amendments.

However, the presence of 17(4) does provide an outlet for the data of deceased persons to be brought into the open.

On the treatment of legacy holding of personal data and how to handle it after the new act comes into effect, the recommendations are not clear.

However, an indication of the thinking of the committee is available in the suggestions related to the handling of consent in respect of children. While the consent for a child (a person of less than 18 years of age) is to be obtained from the parent, 3 months before the person attains majority the Data Fiduciary should start making an attempt to get a fresh consent from the erstwhile minor. But this consent can be obtained effectively only after the minor completes 18 years. Hence the sending of a notice 3 months in advance can only serve to prepare the parent to give up his consent.

In the contingent event that no renewal of consent is received, Section 17(4) of DPA 2021 suggests that “Discontinuity of service should be avoided”. This is a contradiction, since it would mean that the consent provided earlier continues to be held valid even after the minor attains majority without having specifically opted in.

This however may be considered as a practical decision to ensure that “Mere silence” of the minor should not be considered as “Withdrawal of consent”.

If this principle is extended to cases of personal data collected and processed before the law comes into existence, it appears that there is a case to argue that

“In the case of legacy personal data in which valid consents are available from data principals (though under notice issued prior to DPA 2021), a notice for renewal with a new notification has to be sent and after three months if there is no opt out request, the processing may continue”. … (This is only an interpretation of Naavi)

We can wait and see whether the DPAI gives any clarity on this interpretation.

Naavi

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

Posted in Cyber Law | Leave a comment

JPC recommends DPA to watch on Incident Register

One of the recommendations (Recommendation 4) of the JPC regarding DPA 2021 is that the “Authority should ask the data fiduciaries to maintain a log of all data breaches (both personal and non-personal data breaches) to be reviewed periodically by the authority, irrespective of the likelihood of the harm to the data principal”.

This provision means that the Incident Register maintained by the Data Fiduciary should be made available to the DPA from time to time. Since the normal Incident register of an organization may contain many issues which cannot be classified as “Data Breach”, it becomes necessary to maintain the incident register separately for “Data Breach Incidents” and if possible “Personal Data Breach Incidents” separately from “Non Personal Data Breaches”.

The possibility of the DPA having access to the Incident Register could mean that if there is a delay between “Getting the knowledge of a data breach” and “Reporting of the data breach”, then the DPA may be able to penalize the company. The committee suggests that if harm is caused on account of the delay in reporting the breach, the data fiduciary would be responsible. However, in the event the data breach has occurred despite precautions and arises out of business rivalry or espionage, the DPA may consider a temporary reprieve to the data fiduciary regarding reporting of the data breach to the data principal.

While the suggestion of the committee on the sharing of the incident register is appreciated as a measure to ensure prompt reporting, the practicality of the DPA being able to make proper use of this “Incident Watch” for the thousands of data fiduciaries coming under its watch is a challenge, to say the least. At best these become issues to be considered when there is a data breach report to be investigated.

If we remember, under the CERT-IN guidelines for Cyber Cafes, it was stated that monthly reports of the Cyber Cafe server activity had to be shared with the authorities. But it remained an impossible provision, completely forgotten by all. This “Incident Report” to be shared with the DPA is also likely to be one such non-starter.

However, since this is not part of the actual act, it remains a part of the wish list and is unlikely to be implemented.

Under Recommendation 2 it is suggested that the DPA will consider regulations on Non Personal Data to be issued in due course. However, for several more years it is unlikely that the DPA will be able to catch up with the burden of regulating personal data and the multitude of regulations that need to be issued from time to time. Hence there would be no time for the DPA to consider regulations on Non Personal Data, and the “Non Personal Data Regulation” is likely to remain only an empowerment for the time being, not likely to be taken up in the first two or three years.

(To be continued…)

Naavi


JPC comments beyond the Amendments-2: Implementation Schedule

In the PDPB 2018, a clear road map for implementation of the law had been provided. This had been removed in the PDPB 2019. However, in the DPB 2021, a detailed implementation schedule has been suggested.

This may be made part of the notification.

The suggested implementation schedule (Recommendation 3) is as follows:

  1. The Chairperson and members of the DPA to be appointed within 3 months.
  2. The DPA commences its activities within 6 months.
  3. Registration of Data Fiduciaries to commence within 9 months.
  4. Adjudicators and the Appellate Tribunal to be appointed within 12 months.
  5. The complete act to be effective within 24 months.

It has been suggested that the Government shall be in consultation with the stakeholders during the time of implementation and also keep the legitimate interests of business in mind so that it does not detract too far from the Government’s stated objective of promoting ease of doing business in India.

It is to be noted that though the principal objective of the DPA 2021 is to provide protection of Privacy right of the Indian citizens, the objectives of the Bill as also stated in the Preamble reiterate that the Business also has a stake in this law and its interest cannot be ignored.

In comparison, GDPR is clearly pro-privacy in its implementation and some of the decisions of the supervisory authorities are blatantly anti-business. Such an approach is counterproductive to development and the JPC has therefore taken a stand not to treat business as outcasts. While this will continue to be debated by privacy activists as being against the Puttaswamy judgement, it is essential for the Government to balance the needs of different stakeholders, and one manifestation of this is contained in Recommendation 2, stating that the legitimate interests of business have to be kept in mind while fixing the timeline of implementation.

Two years has been the general time given in many other laws including GDPR and, though the Government could have curtailed this to about a year given the delay that has already occurred, the JPC has stuck to the standard 24 month timeline.

Hopefully industry would consider this reasonable.

Naavi


JPC comments beyond the Amendments-1-Priority of law

The JPC report on PDPB 2019 contains 91 recommendations, many of which are included in the main bill as amendments to PDPB 2019. The main amendments have already been discussed in several of our earlier articles. There are many small amendments in the nature of typo corrections which add up to the numbers but may not require specific discussion. However, there are a few recommendations which are significant but for some reason have not been included in the amendments. They may however become guidelines for the DPA to incorporate in the regulations later on, or for the Government to include during the Parliamentary debate. In order to keep track of such recommendations, which are part of the legislative history of DPA 2021, we shall try to bring them on record through the following presentation.

Some of these comments would be referred to in a manner similar to the reference to “Recitals” under GDPR.

  1. During the final stages of passage of the bill there was a discussion on whether the State Governments should be allowed to have their own “Data Protection Authority”. If this had been agreed to, it would have given room for the State Governments to come up with their own data protection legislations to counter the DPA 2021 and create issues of their own. We have seen such attempts in bringing amendments to ITA 2000 through some state laws.

The Committee has made a categorical observation that this Act falls within the exclusive legislative domain of the Union Government (Recommendation 1). Hence the State Governments cannot bring their own legislations. This would avoid a situation like what prevails in the USA, where each state wants to have a data protection law for its own citizens, or the situations that prevail in Canada and the UK, where provincial Governments may have some rights of their own through the constitution to keep separate laws, like what we had in Kashmir prior to the abrogation of Article 370.

One India-One Data Protection law is therefore the policy pursued by the JPC and is welcome.

JPC has also clarified that this is a special law and overrides any other pre-existing laws that may govern the subject incidentally.

JPC has also clarified that the law would apply irrespective of any other law governing contractual relations between a data fiduciary and a data principal.

In Section 43A of ITA 2000 (which will be removed after DPA 2021 becomes effective), the “Reasonable Security Practices” had given precedence to the contractual agreement between parties over other aspects, including the law in force.

P.S: Section 43A Explanation :

 “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

The JPC has in its recommendation tried to clarify this point.

With the removal of Section 43A from ITA 2000 it will be deemed that DPA 2021 is the principal law in India covering personal data, while ITA 2000 may continue to cover some aspects of personal data not addressed in DPA 2021. The coverage of ITA 2000 will be considered as restricted mainly to “Protection of Non Personal Data” and “Criminal punishments on the abuse of Personal Data”, and any other application of ITA 2000 to personal data would be considered as “Incidental” application. As a result, if there are any contradictions, DPA 2021 would prevail.

It is important to note that the clarification that the provision would apply irrespective of other law governing contractual relations between the data principal and the data fiduciary will have an impact on all the Data Processing contracts currently being used by the Data fiduciaries either with the Data Principals or with other Data Processors.

A review of all such contracts may therefore be necessary.

(To Be continued…)

Naavi


Clarifications from the JPC Chairman on DPA 2021

Since the release of the draft PDPB 2021, there have been many views expressed by different organizations and some of them are listed below:

    1. Comparing the Draft Data Protection Bill 2021 with its predecessors: thequint.com
    2. Data Protection Bill: Hits and Misses: bloombergquint.com
    3. Explained: How India’s data protection Bill compares with EU regulation: Indian Express
    4. Data Protection Bill is Orwellian, loaded in favour of the Government: Justice B N Srikrishna: Moneycontrol.com
    5. PDP Bill recommendations will have higher compliance burden on Startups: IAMAI
    6. Decoding Data Protection Bill: Economic Times
    7. Key Takeaways: The JPC Report and the Data Protection Bill, 2021#SaveOurPrivacy: internetfreedom.in
    8. Data Protection Bill 2021: MP Amar Patnaik bats for Data Regulators at state level: medianama.com

Mr P P Choudhary, in his interview with news18.com, has also expressed some views which are important to understand what went on in the minds of the committee in the final stages before the draft was released. Some of the views expressed by him are highlighted here.

On the need for inclusion of Non Personal Data in the Act, he said-

“… Non personal data as on today is not included but for future govt can formulate the policy under section 92 to deal with violations related to it.”

We note that he had admitted that this is an empowerment for the future and as on today Non Personal data is not included.

Regarding the powers to the Government, he has said-

“We can’t put government and private entities in the same basket…. If you compare the birth of section 35, it is article 21 of the Constitution of India which is a fundamental right. It says no person shall be deprived of personal liberty except in accordance with the law. So, this is a condition by the Constitution. More safeguards have been provided in the bill. It says data can be processed only if authorised by the government and will be based on rules framed by the government. On the basis of those rules, the government can authorise agencies to process the data. The purpose is given in section 35. Processing of data is only for the purpose of national security, protecting the sovereignty and integrity. The individual right to privacy will be over-ridden if they clash with national interests”

As regards the dissent on the exemption of Consent for Government Mr Choudhary categorically stated…

“These dissent notes are basically misconceived and unfounded. These notes do not stand legally anywhere. The dissent was not limited to Section 35 but also about Section 12, that without consent data shall not be processed. Meaning there will be a complete embargo. It means the government can’t process the data. I am asking them, if we don’t process the data of farmers while making them the payments of government schemes, what will happen? Should we ask each one of them separately about their consent? Whether it is expected from the government to obtain consent from 10 crore farmers.

If the government wants to transfer payment to NREGA labourers to public distribution, should we seek consent from everyone? We say the government can process the data in accordance with the law. The section says personal data can be processed for the benefit of the data principal.

Where do they want to take the country? Do they want to take the country back to a paper economy from a digital economy? The opposition is trying to halt the progress of the digital economy. Suppose the government needs to raid someone, should income tax authorities seek consent? Is it practical or feasible, should we seek permission from a terrorist before processing this data?”

We appreciate the clear and bold statement from the JPC chairman on the dissent notes. The tenor of this interview suggests that even when the dissent is raised in the Parliamentary debate, the Government will defend it with force.

Naavi.org has already provided its views on some of the aspects of the new Bill in the following articles:

1. Anonymisation is like Encryption with a destroyed decryption key 

2. PDPA 2021: The data breach notification regarding Non Personal Data

3. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

5. PDPA 2021: Regulating the human perceptions

6. PDPA 2021: Definition of Harm to include psychological manipulation

7. PDPA 2021: Should Big Data and Data Analytics industry be worried?

The discussions on the Bill will continue.

Naavi in association with FDPPI (Foundation of Data Protection Professionals in India) has started a “Privacy and Data Protection Awareness Campaign” addressing

a) The Public

b) The Data Fiduciaries

c) The Data Protection Professionals

Various programs have been undertaken to address the requirements of each of these segments, details of which will be announced as we go forward.

Naavi


Anonymisation is like Encryption with a destroyed decryption key

If we follow the discussions around the DPA 2021, it appears that there is confusion regarding the term “Anonymization” and its effect on Personal Data. It is strange that after so many discussions on GDPR and the Data Protection laws, we come back to the basics of what “Personal Data” is.

Personal Data is data which either directly or indirectly can identify a living natural person. This means that a set of characters such as “Chandrashekar” is an element that can identify a living natural person. But the string of data “Chandrashekar” alone has no identity with a living individual, since there could be several persons with such a name. Further, whether it is a name or not is itself a factor of the knowledge of the recipient of the data. An Indian would recognize it as a name.

Would a person from interior Africa recognize it even if he is aware of the English alphabet? Or would a person in China who does not know the English alphabet recognize it as a name?

If not, why should we consider “Chandrashekar” as “Personal data”? Is it not just a stream of binary digits which one piece of software renders as the English text “Chandrashekar”? In another rendition it may look different and may not appear to be a name.

The fundamental principle this suggests is that “Data” is neither personal nor non-personal per se. In a context it may be perceived as “Personal” by some and not by others. (Please refer to Naavi’s Theory of Data for a more detailed discussion.)

Can any data that can be perceived as “Personal” by somebody in the world be considered as “Personal Data” by all under law? … Certainly not.

Hence just because we sit in India and get a feeling that “Chandrashekar” is the name of a person does not mean that “Chandrashekar” should be considered as “Personal Data”.

Another example: what does a string such as “Bhajji” or “Submarine” represent? Is it the name of a dish in South India or the name of a naval contraption?

For a cricket follower in India, Bhajji may be a nickname of Harbhajan Singh and Submarine may be the nickname of Mr Subramanyam (former test cricketer from Mysore).

Hence “Chandrashekar” by itself should not be considered as “Personal Information” any more than Bhajji or Submarine. This is part of the “Theory of Data”, and the hypothesis is that “Data is in the beholder’s eyes”.

Recently, a German court, in an order related to GDPR, held that an IP address is “Personal Data” and that if any American company is touching the IP address then it would be considered a disclosure of personal data to a US entity, which is not permitted by the cross border data transfer restrictions under GDPR. (See this article).

In this instance, the IP address is related to an action by an individual (such as visiting a website). But if the data is merely the “IP address”, it is not sufficient to identify a living natural individual. Hence it should not be treated as “Personal Information” but be classified as “Non Personal Information”. However, if the recipient of the data (the IP address) has more information in his possession and the full particulars of the individual are available, then it may be considered as personal information, like profile information.

This is to be considered as Privacy Jurisprudence.

In India, even the JPC members seem to have an unresolved doubt about what “Anonymised Data” is and how it relates to “Personal Data”.

Personal data by definition contains elements that lead to an identifiable individual. These identity parameters, such as the name, PAN number, e-mail address, IP address, cookie information etc., in combination represent the identity parameters that render a piece of information “Personal Information” to which the data protection law becomes applicable.

In comparison, there could be data such as the weather, the environment etc. which is understood by everybody as “Non Personal Data”. Then there is information about a “Company”, which is not a “Living Natural Person”, which is also easy to identify as “Non Personal Data”.

However, there could be doubt about personal-looking data of a natural person who is no longer living. In this case there is no doubt that the information may be considered as “Personal information”, but there is no need for providing “Privacy Protection through data protection for the deceased individual”. Hence the compliance requirements of a data protection law may not apply to the personal data of a “deceased data principal”.

In the context of compliance, therefore, the organization can classify the personal data of a deceased individual as different from personal data for which the obligations and rights become applicable (unless the law specifically makes it applicable to personal data of deceased persons, like the Singapore law).

Yet another category of personal data that creates a problem is “Anonymized Data”, where the identity parameters of the individual contained in a personal data set are removed and irrevocably destroyed, so that even the person who created the anonymized data from the identifiable data cannot re-identify it.

Some people consider that “Anonymization” is reversible and hence anonymised data should also be considered as “Protected Personal Data”. But if the law places a standard for anonymization which requires that the identity parameters separated from the identified information are forensically destroyed, then there is no way of reversing the process of anonymization.

In the case of “Encryption” there is a “Key” with which the encrypted data can be decrypted. This is similar to the process of “De-identification” or “Pseudonymisation”, where identifiable data is rendered unidentifiable through a process of removal of identity parameters and/or substitution with proxy parameters. The person who has the “Key” to de-identification or pseudonymization can re-identify the data. Hence these processes are reversible.

If, however, we have very strong encryption and the holder of the encrypted data does not have the decryption key, then such data is considered “Confidential” even though the data is in the hands of an unauthorized person. Data breach notification requirements under the HIPAA/HITECH Act do not consider such a data breach as a breach of PHI. If, however, the encrypted data is lost along with the key stored in the same data store, the breach is recognized.

In the case of anonymization, the anonymization process is known to the anonymizer. However, just as an encrypting person may deliberately throw away the decryption key, the anonymiser forensically deletes the anonymization key, so that de-anonymisation is theoretically not possible if a proper standard has been followed.

Hence it is correct to consider that “Anonymised Personal Data” is not “Personal Data”. This was the status in the PDPB 2019. However, in the PDPB 2021, the JPC has been sufficiently confused by some experts who have held the view that, just as a data encryptor having the decryption key can decrypt the encrypted data, an anonymiser of data can de-anonymise it as a matter of routine. This is an incorrect perception of the process of anonymization. An anonymisation process inherently includes the forensic deletion of all the identity parameters. Otherwise it is only a de-identification process and not an anonymisation process.
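The distinction drawn above, between de-identification (the key survives, so the link to the person can be rebuilt) and anonymisation (the key and the mapping are forensically deleted), can be made concrete in code. The following is an added illustration, not code from the post or from any standard; it assumes keyed HMAC-SHA256 tokens as one possible de-identification method, uses a constructed data set of fictitious people, and uses a placeholder key.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data set (fictitious people, not from the post). The identity
# parameters are the ones the post lists: name, e-mail address, IP address.
IDENTITY_FIELDS = ("name", "email", "ip")
RECORDS = [
    {"name": "Chandrashekar", "email": "cs@example.invalid", "ip": "203.0.113.7", "purchase": "book"},
    {"name": "Bhajji", "email": "bh@example.invalid", "ip": "203.0.113.9", "purchase": "bat"},
    {"name": "Chandrashekar", "email": "cs@example.invalid", "ip": "203.0.113.7", "purchase": "pen"},
]


class Deidentifier:
    """Replaces identity parameters with keyed tokens (HMAC-SHA256).

    While the key exists this is de-identification / pseudonymisation: the key
    holder can rebuild the link between a token and the person. Destroying the key
    together with the mapping it produced is what turns the output into anonymised
    data in the sense the post argues for.
    """

    def __init__(self, key: bytes) -> None:
        self.key: Optional[bytes] = key
        # token -> original value: the re-identification table the key holder keeps
        self.mapping: dict = {}

    def _token(self, field: str, value: str) -> str:
        # The field name is mixed in so the same string in two fields gets distinct tokens.
        msg = f"{field}:{value}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def deidentify(self, record: dict) -> dict:
        """Return a copy with identity parameters replaced by tokens; other fields kept.

        The same original value always yields the same token, so records of one
        person stay linkable for analytics without naming the person.
        """
        if self.key is None:
            raise RuntimeError("key destroyed: no further consistent tokens can be issued")
        out = dict(record)
        for field in IDENTITY_FIELDS:
            token = self._token(field, record[field])
            self.mapping[token] = record[field]
            out[field] = token
        return out

    def reidentify(self, record: dict) -> Optional[dict]:
        """Reverse the process. Possible only while the key and mapping survive."""
        if self.key is None:
            return None
        out = dict(record)
        for field in IDENTITY_FIELDS:
            out[field] = self.mapping[record[field]]
        return out

    def destroy_key(self) -> None:
        """Model of the 'forensic deletion' step that makes the data anonymised.

        Assumption: in a real deployment the key lives in a KMS/HSM and is destroyed
        there; Python cannot guarantee memory is overwritten, so this only drops every
        reference the process holds.
        """
        self.mapping.clear()
        self.key = None


def run_demo(key: bytes = b"constructed-placeholder-key-do-not-reuse") -> dict:
    """Pseudonymise the sample set, re-identify one record, destroy the key, retry."""
    d = Deidentifier(key)
    pseudonymised = [d.deidentify(r) for r in RECORDS]
    recovered = d.reidentify(pseudonymised[0])   # works: key and mapping exist
    d.destroy_key()
    after = d.reidentify(pseudonymised[0])       # None: nothing left to reverse with
    return {
        "pseudonymised": pseudonymised,
        "recovered_before_destroy": recovered,
        "recovered_after_destroy": after,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```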

Some experts claim that data analysts can apply sophisticated algorithms and read meanings into Big Data which enable them to de-anonymise. This is a false premise, since if the anonymisation process is as per a proper standard, the de-anonymiser can only make a guess, like creating a “Profile” out of data which is just a “View” and not a “Fact”.

Beyond this, if somebody can decrypt encrypted data without a key by use of a brute force attack or social engineering, it is called a “Crime” and not a problem of the encryption system. Similarly, if anonymised data can be de-anonymised to a reliable extent by use of some technology, then it would mean that the standard of anonymisation was not good enough or the de-anonymiser was a criminal who, with persistent hacking of the data, was able to extract personalized information out of the anonymised information. Such acts should be considered as a crime and PDPB 2019/2021 does consider them as punishable crimes with 3 years imprisonment.

If we are not confident of our Data Protection Authority’s capability of setting a proper anonymisation standard which cannot be broken with a reasonable level of sophistication of attack, then the user of an unreasonable level of sophistication to break an anonymisation should be considered as a “Motivated Criminal” and the punishment should be raised from 3 years to at least 10 years or more to bring in sufficient deterrence.

Unfortunately, without understanding this aspect, PDPB 2021 tries to include “Anonymised Data” as part of the regulations and creates an overlap between ITA 2000 and PDPA 2021.

Technically there is no difficulty in segregating data as “Personal” and “Non Personal” using “Anonymisation” as the separator. Just as strongly encrypted data whose key has been destroyed cannot be recovered, properly anonymised data cannot be de-anonymised.

I wish the JPC gives a serious thought to correcting this situation when the Bill is taken up in the Parliament for discussion, provided there is no ego issue in making changes.

Naavi
