Naavi.org

We have already started a series of discussions under the “Shape of Things to Come-New Data Protection Act of India” in which so far we have released 11 articles. At the same time a discussion has ensued on the part of the law which could replace the ITA 2000. We may need to parallelly work on another series of articles just to counter the motivated media reports that have started appearing.

Naavi.org  has been a watch dog on the attempts of vested interests who try to twist the arm of the Government to get laws made for themselves. We see a scent of this attempt in the withdrawal of PDPB 2019 after the JPC report and an attempt to also scrap and replace the ITA 2000.

While we continue to place positive suggestions for the Government to consider if they are trying to create better laws in good faith. But we will also call out any attempt to create “Criminal Friendly laws” in the guise of modernization of law.

We will therefore parallelly start releasing our views on the squealing that has started about the “Digital India Act”. When articles start appearing in unison in Quint, Media Nama, Economic Times, INC42 etc and speak in common voice on what needs to be done, it is clear that the vested anti India gang is at work.

Since yesterday, we have spotted the following articles.

1. Digital India Act to police social media and OTT Platforms- Economic Times
2. Digital India Act will monitor Social Media, Meta Verse, OTT Platforms: Report…inc42.com
3. Big Tech, OTT platforms stare at uncertainty as center plans to push through Digital India Act this winter session… Economic Times

It is clear that the first wave of attack is coming from the Social Media and OTT who have been at loggerhead with the Ministry since a long time.

In December 2018, a “Draft Intermediary Guidelines 2018″ was issued for public comments. It was vehemently opposed by the vested interests and the Government chickened out and did not take follow up action.

Then Mr Ravishankar Prasad and Prakash Javadekar mustered courage jointly holding each other’s hand and came up with the 25th February 2021 guideline. This was a courageous attempt by the usually hesitant Government to introduce a “Digital Media Ethics Code” It gave 6 months time for implementation .

But the vested interests immediately worked probably at the PMO level to strip both the ministers of their ministry berths and Ravishankar Prasad was banished to the oblivion for having taken on Twitter.

Even the JPC head Mrs Meenakshi Lekhi who appeared to be not pliable was eased out of the JPC with an offer of a ministry. Following Mrs Lekhi’s exit, the JPC recommendations were changed to such an extent that its root purpose was forgotten.

Today when the Ministry quotes “81 Amendments suggested by JPC” as one of the reasons for its decision to scrap the PDPB 2019, it is clear that the post Meenakshi Lekhi work at JPC was only to spoil the possibility of PDPB 2019 being passed.

We should not forget that the new JPC brought in from no where a recommendation on Crypto Currencies into the PDPB recommendations.  This indicated the forces which were at work in getting the law modified to meet the needs of the “Digitally Corrupt”.

It is stated that the Digital India Act will be used to legislate on Meta Verse and Block Chain as per the reports and also address the Crypto Scams.

The intentions are therefore clear enough for those of us who have been closely watching the politics of Crypto currencies. We can  understand that  “Anti India interests” are at work again to get  a law of their choice and all patriotic followers of Cyber Law development in India need to keep a watch on the developments from Delhi.

Who are the members of this Special Committee?

From the articles that have appeared, it appears from the quotes of as usual a “Ghost informant” that Meity has formed a “Special Committee” which is working on the draft.

We the Indians want to know the composition of this committee, who are the members, what are their antecedents and more specifically will they all give a declaration that they donot hold any “Crypto Currency” in their name or in their relatives names. If they have holdings of Crypto Currencies, they need to give a declaration of their holdings since they are going to suggest legislation on Crypto currencies.

Will the Government come out openly about its agenda on why JPC was scrapped and ITA 2000 is being amended wholesale? .

Recently the Minister of Urban Development made an announcement of providing shelter to Rohingyas and the MHA had to step in to correct it. Similarly we expect that the MeitY may come up with a “Criminal Friendly” and “Corruption Friendly” legislation and it will have to be corrected by MHA once again.

If things happen the way we donot want it to happen, Naavi.org will once again stand up against the injustice and fight for the people of India.

We hope things will turn out better and our fears are unfounded. We proceed with this premise and continue our discussion on what amendments should be considered in the new DIA.

(This is a personal fight of Naavi and does not the views expressed here are personal and does not reflect the views of any organization. At present  however, we place the trust in Narendra Modi Government to do what is good for the Indian Society though not all arms of the Government may be in sync with this Pro public stance)

Naavi

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

The  Privacy Protection law applied to “Data” revolves around

a) Collection of Personal information based on a proper consent of the data subject

b) Processing of collected personal information  according to the wishes of the data subject

c) Use of the processed personal information according to the consent of the data subject.

While “Consent” is the principal basis for personal data collection, processing and use, necessity of Governance and Business require recognition of certain circumstances where the “Consent” has to be deemed to exist. Such situations can be described as “Legitimate Interest”.

“Legitimate interest” covers not only the business requirements of the data controller but also the requirements of the Government and the interests of the Public, other data subjects, emergency situations etc.

Hence “Consent” and “Legitimate Interest” are the two main pillars under which the entire Data Protection Principles can be built.

The normal perception is that PDPB 2019 was “Consent dependent” where as GDPR was not. The reason was that under GDPR, Consent was only one of the several basis on which lawfulness of processing was defined

Article 6  of GDPR recognized the following as legal basis. :

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

In the above, point (b) is directly related to a deemed consent. Point (C) is the right of the data controller, (d) relates to emergencies, (e) relates to (Public interest) and (f) relates to other “legitimate interests” which are commercial in nature.

The business interest included under point (f) should be considered as including the “Advertisement” requirements since “Advertising” is the fundamental right of a business entity since it cannot exist without communicating to its target market, what services or products it sells at what price and how does it distinguish its products from the competition, what are the unique selling propositions etc.

We may notice that under Article 19(1) of the Indian constitution, fundamental rights of citizens include carrying on a business of choice. Curtailing the freedom of conducting a legal business in an efficient manner and earning a reasonable profit is therefore a right of every business entity. If this requires “Advertising”, we should not consider “Advertising” to be a taboo. If “Advertising” is allowed as a fair business practice, then market segmentation and targeted messaging for different markets as well as the profiling of consumers for the purpose of marketing are all legitimate interests of a Data Controller.

Let us therefore shed our misconception that “Advertising” is bad and “Profiling for advertising” is bad and look at what part of advertising and profiling is bad and how they can be avoided or addressed.

So far, no attempt has been made in the data protection laws for regulation of “Advertising” or introducing an “Ethical Code for use of a profile”. Most laws indicate that “Profiling” whether it leads to correct or incorrect perceptions about the data subject is outside the basic purview of “Purpose of Processing”. There is no appreciation that “Advertising” itself can be a “Purpose” for which profiling is created. We need to set right this inadequacy in our laws.

In most cases of personal data processing, profiling is an automatic occurrence. Just as the moment we see another individual, our mind creates a profile of the person  based on his demeanour. The science of “Body Language” is nothing but making an inference out of the visible profile of a person. It is not possible to prevent this human trait. Similarly, when an organization observes certain activity of an individual, an automatic “profile” gets created.

In GDPR we call this as “Automated Processing” and we require the legal basis. For some thing which automatically happens can there be a legal basis? is the moot point. Suppose a customer of Amazon says don’t profile me by my buying habits, will it be feasible for Amazon to delete all buying information as if there is a “Right to Forget” that exists? Firstly the transaction information that contains the personal data of the data subject is a “Joint Data” and Amazon has as much right as the data subject to keep the data and use it as long as “No harm is caused to the data subject”.

Hence just as before I shake hands with you for the first time, I make a statement, donot judge me by my looks, gender, accent, height or colour, such “Denial of consent” has no validity.

Similarly, “Profiling” is a process which is automatic and it is the essence  of understanding the consumer for the purpose of advertising or service. A blanket ban on “Profiling” or “Automatic Processing” is therefore not reasonable.

However, “Automated Decision Making” is different from “Automatic Processing” since automated decision making may involve a potential harm to the data subject.

Once a profile is created, the information may be used either by the Data Controller himself for the improvement of his business or the information may be shared with a third party advertiser. This “Sale” of personal profile is another taboo in data protection law and we often consider it as unacceptable.

A time has come for data protection professionals and the law makers to take a fair view of the needs of “Advertising” and allow certain level of personal data processing which is reasonable and not harmful to the data subject.

We can achieve our objective of protecting the privacy rights of individuals without unduly hurting the business interests by focussing our regulations on the “harm” that may be caused by the misuse of personal information rather than banning certain aspects of its “Use”.

If therefore “Advertising” is declared as a collateral or incidental purpose of personal data processing and a consent is sought from the data subject at the time of collection, it should be considered as a fair request.

For the time being, considering the revolutionary nature of this suggestion, I would like to consider that use of personal information for “Advertising” should be considered as a special use and an “Explicit Consent” may be obtained instead of an ordinary consent or deemed consent.

We can achieve this by declaring that an “Advertising Profile” of a data subject as a “Sensitive Personal Information”.

Now if we go back to our definition of sensitive personal information and processing, we recall that we stated as follows: (refer article 8)

Processing 

“Processing” is defined as any alteration of a binary sequence of data elements and includes data aggregation, data modification, data deletion, data disclosure, data publishing etc.

This was purely a technical definition and was not related to the purpose of processing and did not include “Profiling”.

We may now add the following for definition of Profiling:

Profiling

“profiling” means any form of processing of personal data that directly or indirectly analyses or predicts the behaviour, attributes or interests of a data principal.

Explanation:

Profiling includes purpose oriented collection and arrangement of personal data elements such as Advertising profile, Health Profile, Financial Profile etc.

Sensitive Personal Data 

Personal Data which which may reasonably cause significant harm to the individual  in the hands of unauthorized person is classified as “Sensitive personal data” and includes 

a) Credentials for accessing restricted data

b) Health data

c) Financial data

d) Sex related data

e) Biometric data

f) Genetic data

We shall now modify the definition of “Sensitive personal Information” by including item

(g) Advertising Profile.

Correspondingly, we shall define “Advertising profile” as follows:

Advertising Profile

Advertising Profile means a collection of personal data elements of a data subject/Data Principal that represents the profile of the individual in terms of his commercial activities such as buying of goods and services and includes the intelligent insights that may be developed about the individual that may be used for advertising purpose.

Kindly note that when we use the word “Profile” instead of “Data” to define “Sensitive Personal Information” we are clearly defining that it is not one single parameter that we are defining in this definition but a “Profile” which is a collection of several parameters.

Under this consideration, we can perhaps make corresponding changes in the list of “Sensitive personal information” to replace Health Data, Financial Data or Genetic data etc with corresponding profiles.

We therefore re-define the “Sensitive Personal Information” as follows.

Sensitive Personal Data

Personal Data which may reasonably cause a significant harm to the individual  in the hands of unauthorized person is classified as “Sensitive personal data” and includes 

a) Credentials for accessing restricted data

b) Health Profile

c) Financial Profile

d) Sex Profile

e) Biometric Profile

f) Genetic Profile

(g) Advertising Profile.

As regards the restrictions to be placed on use of information for Advertising, we shall cover it under the compliance requirements since it is related to prevention of harm to the data subject.

By focussing the regulation from “Collection and Processing” to “Misuse and Harm”, the industry would be relieved from the restrictive regime of business involving personal data collection and legitimate use and focus more on the harm caused by the misuse.

This shift of focus may be used by unscrupulous business entities who may take advantage of the weaknesses in the enforcement mechanism. Hence these suggestions need strict vigilance and enforcement.

Currently we use the Data Protection Impact Assessment and the Privacy By Design Policy as instruments to capture the intentions of a Data Controller or Data Fiduciary and follow up with the Concurrent audit and mandatory annual audit as well as the 4% turnover based penalty.

In order to increase the deterrence, any intentional contravention of a “DPIA” or “Privacy By Design Policy” (which in PDPB 2019 required registration) should be considered as “Breach of Trust” and made punishable as a criminal offence subject to a safe harbor clause based on “Due Diligence”. (These will be discussed in detail in subsequent chapters)

It may be necessary that the Due Diligence should include DPIA to be used in any profiling process and should be mandatorily subjected to a DPIA which will be filed with the regulatory authority.

I request the readers to send their comments on the above.

Naavi

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

In discussing Privacy Regulations, it is important for us to appreciate that problems related to Privacy arise from two important concerns namely the “Surveillance” by the authority and “Advertising” by companies.

Surveillance concerns arise because of the distrust in the Government of the jurisdiction and is inseparable from the politics. It is not easy to raise above politics and look at the needs of “Governance” and “Law Enforcement” beyond the fact that today there is a a particular regime in place. In constructing a new dispensation of the law, it is important that we raise above politics and look at issues only and not which party in power when we discuss how much of leverage should be there for the law enforcement agencies in terms of exemptions and derogations.

“National Security”, “Public Public Safety” and “Law Enforcement” are “Duties” of a Government enforced through the Constitution. No Government can abdicate its duty to maintain Sovereignty Integrity of the Country and hence cannot create a Privacy Law in which its powers to enforce law  is limited by design. It is therefore ultra vires the constitution to expect that there will be restrictions placed on the requirements of National Security as well as Public Safety and Law Enforcement.

Every Citizen also has a duty to ensure that “Sovereignty and Integrity” of the nation as well as public safety is maintained and hence should cooperate with the enforcement of the law for this purpose. Not providing such cooperation could therefore be considered as a punishable offence.

Indian Constitution recognizes and the Privacy Judgement of the Supreme Court (Puttaswamy Judgement) endorses that the “Right to Privacy” of an Indian Citizen is subject to the following “Reasonable Restrictions” under article 19(2)  which states as under.

Article 19(2) in The Constitution Of India 1949

Nothing in sub clause (a) of clause ( 1 ) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right conferred by the said sub clause in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence

The above sub  section refers to Article 19(1) which states as follows:

Article 19(1) in The Constitution Of India 1949

(1) All citizens shall have the right

(a) to freedom of speech and expression;
(b) to assemble peaceably and without arms;
(c) to form associations or unions;
(d) to move freely throughout the territory of India;
(e) to reside and settle in any part of the territory of India; and
(f) omitted
(g) to practise any profession, or to carry on any occupation, trade or business

“Right to Privacy” is derived from Article 21 of the constitution which states as follows.

Article 21 in The Constitution Of India 1949

21. Protection of life and personal liberty

No person shall be deprived of his life or personal liberty except according to procedure established by law.

Though Article 21 itself does not by itself mention the reasonable exceptions, it is considered as applicable to all fundamental rights and the Supreme Court has further ratified this stand.

In the PDPB 2019, the Government was more conservative than what the Constitution provided by providing exemptions under Section 35 restricted only to

“the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; or for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order,”

It is interesting to note that the Constitutional provisions support exemption in respect of “Decency and Morality” or in relation to “Contempt of Court”, “Defamation” and “Incitement of an offence ( in general and not necessarily considered cognizable)” but Section 35 omitted the exemptions under the considerations of  Decency and Morality” or in relation to “Contempt of Court” and  “Defamation”.

It  also reduced the scope of “Preventing incitement to an offence” to only “Cognizable offence” and further only in respect of the sovereignty and integrity of India, security of state, friendly relations with foreign states or public order, again omitting the “Decency and Morality” as well as “Contempt of Court” and “Defamation”.

Section 35 of PDPB 2019 was therefore  more conservative than what was required under the constitution  and also well within the limits of the Indian Constitution .

However, there was a strong opposition to this section and probably such opposition could be ascribed to the judiciary which was perhaps unhappy that “Contempt of Court” was removed from the exemption.  I do not think that removal of  “Decency and Morality” or “Defamation” from the exemption was much  of a concern. However, public were not able to understand the motivation in opposing the provisions of Section 35.

It is a separate debate whether the Government could have avoided the controversy by simply not making any change in the “Reasonable Exception”. But in that case the clauses such as “Decency” and “Morality” as well as “Any offence even if it is not cognizable and only related to sovereignty and integrity of India,  security of state, friendly relations with foreign states or public order” and “Defamation” could have been considerations under which exemptions could be claimed by the Government. This would have provided more sweeping powers to the Government which could be misused later by another regime.

We therefore not only should support the version of the PDPB 2019 as regards the exemptions, but also re-iterate in the proposed New Data Protection Act of India by a specific section in the “Preliminary Chapter” on Applicability.

Remember that PDPB 2019 did not define Privacy or Information Privacy directly and left it to the interpretation under the Supreme Court judgement. We considered this as inappropriate and suggested that it is the responsibility of the Government to come up with a definition and not leave it to the interpretation of the complying organizations.  Expecting a complying organization to define what they are expected to “Protect” when the nine member Supreme Court bench or the Government abdicates their responsibility to provide clarity is considered unfair.

We therefore recommended the definition of Privacy to be included in the Act  as follows:

Privacy

“Privacy is a fundamental right under the Constitution of India as an independent right under the Right to life and liberty that guarantees an individual that shall not be infringed except under due process of law as defined in this Act and  includes the following.

(a) “Physical Privacy” means the choice of an individual to determine to what extent the individual may chose to share his physical space with others.

(b) “Mental Privacy” means the choice of an individual to determine to what extent the individual may chose to share his mind space with others

(c) “Neuro Privacy” means the choice of an individual to determine to what extent the individual may share his neuro space with others

(d) “Information Privacy” means the choice of an individual to determine to what extent the individual may share data about the individual with others.

Explanation:

1.“Sharing” in the context above means “making the information available to another human being in such form that it can be experienced by the receiver through any of the senses of seeing, hearing, touching, smelling or tasting of a human in such a manner that the identity  of the individual to whom the data belongs may become recognizable to the receiver with ordinary efforts”.

Now we propose that we can add a second explanation to this section as follows.

2. The Right to Privacy referred to in this section is subject to the reasonable restrictions in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; and  for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order,

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

The Government of India has released a press note as follows:

Inviting comments on the Consultation Paper on ‘Need for a new legal framework governing Telecommunication in India’

Legal framework for telecommunication in India is governed by Laws which were enacted long before India’s independence. Technology has evolved significantly in the recent decades.

Stakeholders have been demanding evolution of legal framework to keep it in tune with changing technology. Therefore, Ministry of Communications has prepared a consultation paper on need for a new legal framework in telecom sector.

The consultation paper may be accessed at https://dot.gov.in/whatsnew/consultation-paper-need-new-legal-framework-governing-telecommunication-india.

Comments may be sent on the email ID : naveen.kumar71@gov.

Some of my immediate observations on the consultation paper are captured below for the comments of the readers.

1. The objectives of the proposed new legal framework governing telecommunication in India to bring better administrative clarity is welcome.
2. Today, telecommunication has merged with the Digital world and the Telecommunication network has become a network for carrying digital data. It is therefore similar to a Wide Area Network of electronic data. It has hardware which includes the “Tower Network” and “Content” which is “Data” that flows between users. The carrier is the “Spectrum” which is a unique “Virtual” asset. The regulations should cover all these segments of business.
3. Out of the above three segments, regulation of Towers in the form of licensing, prevention of harm through the radiation, the right of way etc are one kind of regulations that need to be put in place.
4. Second type of regulation is related to the “Spectrum” management which is a right to use a certain frequency band. The “Electro Magnetic Radiation” emanating from the towers is a similar phenomenon of something travelling through air and having a consequence but difficult to conceptually describe in a law. “Spectrum Management and “Radiation Management” are special areas of regulation unique to this industry.
5. Third type of regulation is related to the content. Since the content generated, transmitted and stored by the telecom industry is mostly “Digital” the regulation can be merged with the regulation of digital content. In order to regulate the small part of analog communication, the digital law itself may be used by a “Deeming effect” by declaring that Analogue communication for the purpose of regulation in this industry is deemed to be “digital” in form and regulations meant for digital content may be extended to analog content as well.
6. Fourth type of regulation is related to the end user equipment for receiving and transmitting telecom signals which may include the “Set Top Boxes”, the Routers” etc. These are also similar to the digital data transmission and processing devices such as “Computers” and “Mobiles” and hence care should be exercised not to create overlapping regulations.
7. Since the MeitY has made some announcements that they may consider a “Unified” law for Telecommunications and Information Technology, the DOT may consider to restrict the “Telecom Law” to the special requirements of the Telecom industry which relate to “Spectrum Management” and place the issues related to tower management, content management, Set top management etc to the “Unified Digital Law” that may be drafted for integration of the Data Protection law and Information Technology Act.
8. The entire telecom network may be declared as “Protected System” under the current Section 70 of the ITA 2000 and declared as “Critical IT Infrastructure” . Special powers may be notified to regulate the Critical IT Infrastructure which may include the “Right of Way”.
9. Framework for mergers, acquisitions and Insolvency provisions etc are also similar to the issues that arise in IT (eg  insolvency of Net4India and merger of CIBIL with TransUnion) and can be handled by the Unified law.
10. The Universal Service Obligation can also be merged with the IT regulations under the Unified law.
11. Penalties, as well as Public Safety and National Security also can be merged with IT regulations under the Unified law.
12. Hence if the Telecom regulations address “Spectrum” issue, most of the legal requirements would be adequately addressed. Since “Spectrum” also has relations to the “WiFi” which is a concern of the IT industry, it may not be impossible to merge the spectrum regulation also with the Unified law though it requires some innovative thinking.

(Welcome Comments)

Naavi

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

We have so far discussed the definitions of “Privacy” and “Data” in the previous two articles.  In this article let us discuss the definition of different entities and their roles.

In GDPR, important roles for the data handlers are  Data Controller  Data Processor, c) Recipient and Joint Data Controller,

On the other hand, PDPB 2018/2019 defined the roles as “Data Fiduciary”, “Data Processor” and “Consent Manager”.

In the NDPAI, it is suggested that the Data Fiduciary should be considered as “Data Manager”.  The reason why we are suggesting this change is that the “Role of Data Fiduciary” as a “Trustee ship” for the entity which is determining the purpose and means of personal data processing is a good measure. But this “Trusteeship” responsibility is not very practical and it is difficult to expect the commercially minded “Data Controllers” to faithfully discharge the responsibility as a “Trustee”. The Conflict of interest is too strong for the concept to work efficiently.

At the same time, “Data Controller” reduces the importance of the Data Subject/Data Principal as if he is enslaved by the Data Controller. It is therefore necessary to identify a more balanced role to the entity which is today referred to as the Data Controller or Data Fiduciary.

I therefore suggest that the role of the entity which determines the purpose and scope of personal data processing as the “Data Manager”. This retains the superior position of the Data Principal who appoints the “Data Manager” for a specific task.

Also the GDPR defines “Means of Processing” and “Purpose of Processing” as the criteria for identifying the “Controller” status.  This needs a re-look. “Collection” and “Purpose” could be two better parameters to fix the responsibility of an entity as a “Controller”. “Collection” is a key criteria because it is only a “Collector of Personal Data” who is having a relationship with the data subject and can obtain a proper consent where required. It is not feasible for a “Controller” appointing another entity as a “Processor” to collect the personal data.

Secondly, once the “Controller” specifies the “Purpose” and hands over the personal data to a processor, the “Means of Processing” can be left to the processor to determine. In many practical instances, we find that Cloud Service providers offer many services for processing personal data under proprietary technology. They would like to offer their service with a commitment on the required output but would be reluctant to pass on the technology secrets on which they may have intellectual property rights.  Presently, all such processors need to be treated as “Joint Data Controllers” only and not “Data Processors”.

A “Data Processing Contract” specifies the purpose for which the data has to be processed and also specifies the “Security” requirements. Security would automatically include the provision that the data cannot be used for any “Unauthorized purpose”.  Hence with a control on “Purpose” and “Security” under a contractual obligation, the processor can be provided the freedom to preserve his intellectual property rights.

Under these considerations the definition of a “Data Manager” which replaces the term “Data Fiduciary” would be

Data Manager

Data Manager in the context of personal data is any person who collects personal data and determines the purpose of processing.

Data Processor

Data Processor in the context of personal data is any person who processes the personal data received from a Data Manager strictly in accordance with the specified purpose for which the personal data was collected from the data subjects.

The associated definition would be that of a “Person”. The term person may be used both as an “Individual” who could be a data subject and a Data Manager or Data Processor”.

The definition of a “Person” could be

Person

A “Person” in the context of personal data means

a) the individual whose personal data is collected by a Data Manager for an agreed purpose. 

b) the entity of any description which processes the personal data as a data manager or a data processor and includes an individual, corporate entity, partnership firm, society, association of persons, a Government department or any other juridical entity recognized under law.

The role of a “Consent manager” is recognized in PDPB 2019 and not in GDPR. It is an excellent proposition and in the context of the Indian environment where the data principals are less educated, and also have to grapple with language issues in understanding the consent requests and would benefit by the assistance that a “Consent  Manager” can provide.  “Consent manager” always is the “Collector of the personal data” and hence under the above definition of a “Data Manager” the “Consent Manager” is also a Data Manager. However, the “Consent Manager” is a specialized Data Manager since the only purpose for which he collects personal data is to act on behalf of the data subject for providing consent to other Data Managers and to exercise the rights of the Data Principal.

His role therefore is more as a “Privacy Protection Advisor” of the Data Principal. This role can be created by a “Power of Attorney” document without the need for this provision in the law. However, in order to ensure responsibility and accountability, to this important function, it is better for the law to declare this role under the term “Privacy Protection Advisor” instead of “Consent manager”. This will  avoid the clash of the term with a similar term used under the “Account Aggregator” concept of the RBI besides addressing the function of exercising of Rights on behalf of the data principal.

Considering the needs of the Indian society, it is suggested that the Act should encourage both corporate entities and individuals to take on the license as “Privacy Protection Advisors” (PPA) under a suitable accreditation system regulated by the data protection authority.  In this system, the PPA s could be called Category I, Category II or Category III advisors where the lowest category of advisors would be the professionals with necessary knowledge and commitment where as Category II could be firms of Category III advisors and Category I would be independent Corporate entities with a specified capital base and larger responsibilities to technically safeguard the data principals.

The Category III advisors would be like the Chartered Accountants or  or advocates who act individually within their respective professional responsibilities and Category II advisors would be like the CA firm or Lawyer firm where individual professionals who are Category III advisors can work together as a loose association.

This will enable development of professionals who can not only act as Privacy Protection Advisors for individuals but also as “Data Auditors” and would require to fulfill some accreditation criteria of the regulator.

Under this premise, the Consent Manager could be defined as follows.

Consent Manager

Consent Manager  is any person or association of persons or a company or any other juridical entity under any law and capable of being able to sue or be sued upon, which is  authorized by the Data Protection Authority  and may offer services as advisors to assist the individual data principals for providing informed consent to the data managers and to provide assistance for exercising their rights guaranteed under the Act. 

Joint Data Manager

Joint Data Manager in the context of personal data means any combination of two or more data managers who have agreed to share the responsibilities jointly and severally under this Act.

The GDPR defines a role as a “Recipient” who is neither a Data Controller or Data Processor. However, in the GDPR, since “Storing” of personal data is also considered as “Processing”, every recipient of identified personal data will automatically be a “Data Processor” or a “Data Controller”.

In the definition of a “Data Processor” which we used yesterday (article 8) we did not specifically include “Data Storing” as a “Processing activity”.

We defined “Processing” as follows.

“Processing” will be defined as any alteration of a binary sequence of data elements and includes data aggregation, data modification, data deletion, data disclosure, data publishing etc.

In this definition, we captured only such processes that alter the data as “Processing”.

In GDPR and PDPB 2019, “Storing” is also considered as “Processing”. However, considering that there are many service providers who only store data some times the containers of data in safe custody without any access to the data, it may be better to carve out “Storage of Data” as a separate activity not amounting to “processing”.

We therefore suggest that under the “Roles”, we can define a “Data Storage Agent” as a separate entity with a definition as follows.

Data Storage Agent

A Data Storage Agent in the context of personal or non personal data management means any person who is entrusted with the custody of data  for the purpose of safe custody only whether in a data container or otherwise and does not have right to access and will however be responsible for secure storage.

…Discussions will continue…. Comments and suggestions are welcome.

Naavi

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.