Naavi
The applicability of DPDPA 2023 to what can be called “Business Contact Address” is a much debated issue in Privacy circles.
DPDPA 2023 is applicable to “Personal data” and there are many obligations associated with the collection and use of personal data. However, whether the same rules apply to “Business Contact Data”, such as the business email etc., is a point which has been left to Privacy Jurisprudents to debate.
In DPDPA 2023, there is one mention of “Business Contact Address” under Section 8(9) where it states “..A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer,…”.
This indicates that the term “Business Contact Information” is recognized in Indian law though it is not defined presently under the definitions section of the Act.
The Singapore PDPA 2012 provides a clear definition as follows:
“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes;
Under GDPR, there may be no definition for Business Contact information, but given the general approach of GDPR, which has extreme views on Privacy, it is a general understanding that if the information relates to an individual then it would be considered as Personal Data even if it is a work email such as vijay@ujvala.com. On the other hand, if Vijay is the Director of Ujvala and the work email is director@ujvala.com, most people agree that it is considered as business contact information and “Not Personal Data”.
In the Cavauto S.R.L case, the Italian supervisory authority held that an employee who stored his personal data under an email “Customercare@cavauto” could still be considered the owner of such data as personal data, and that it is not accessible by the company without consent. This essentially upheld the view that the corporate email account was personal data.
However, this extreme view of GDPR authorities cannot be considered as a general guideline and needs to be considered an aberration and not a “Precedent”. Judicial authorities often make mistakes and such decisions are overridden by superior authorities. This is one such incident where we may say that the decision was a context-specific decision and not to be treated as determining a jurisprudential view.
Our view has always been that a property like work email, which is assigned by the employer and hosted on the server of the employer, with the company also having the power to deactivate it on termination of the employee, should be considered as the property of the employer and not the employee. Hence business email without any doubt should be considered as a “Business Asset” and not a “Personal Asset”. Hence work email or any corporate identity provided by the company is better considered as “Non personal data”.
As regards classifying an email address as personal or business, it is also necessary to look at the context. Since Privacy is the “Right of Choice” of an individual to share what he considers as “Personal Data”, the final choice of whether vijay@ujvala.com is a personal mail or not is left to the individual himself. If he uses it in a personal context, then in that context it becomes personal email though by default it may not be. On the other hand, vijay@gmail.com may be considered by default as personal email but could be declared by the individual as a business email also.
Hence it is unnecessary and improper to discuss whether an email is personal or not based on the domain attached to the email server. It is for the information gatherer (data fiduciary) to get the indication from the data principal whether a certain email is to be treated as personal email or business email. This should be taken care of during the stage of consent gathering.
Under DPDPA 2023, since the act recognizes that an email can be “Business contact”, the argument that
“@company name is by default a non personal data but could be considered as personal data under the choice of the individual”
and also that a
“personal name@gmail.com is by default a personal data though the person has the choice of making it a business contact (non personal data)”
should be considered relevant.
An email address such as designation@company name is also by default a non personal data but perhaps requires an explicit confirmation to be treated as personal data and not be treated entirely on the context.
In other words, our view is that personalname@company.com can by context be considered as business contact, while designation@company.com can be converted to a personal email by explicit consent only and not deemed as per the context.
..Open for debate
Naavi