IRCTC Tender and Data Protection

IRCTC has issued a tender document on “Monetization of Data” which has evoked strong reactions from the Privacy and Data Protection industry. A copy of the document is available below.

Tender document

In 2018, UIDAI had issued another tender request regarding “Monitoring of Social Media”. This was a tender for monitoring reports about UIDAI in the media, just like the scanning of newspapers by reputation management companies. But the Andolan Jeevies raised a hue and cry, the pliant and ignorant Supreme Court obliged and the cowardly Government withdrew the tender notification.

Details of the above UIDAI incident are available in the search link below:

1. Search on Naavi.org for UIDAI+tender
2. “Supreme Court Slams UIDAI”.. Is it a fake news created by Economic times?
3. Supreme Court should make public the suggestions made by Abhishek Manu Singhvi

Now a similar incident has surfaced about a tender document. This tender issue is directly related to “Privacy” and is also issued by an organization under the Railway Ministry, which is supervised by Mr Ashvini Vaishnaw, who is also the cabinet minister for IT.

Naturally we should therefore expect a vehement opposition from the Privacy Activists far larger than in the UIDAI case. But at present the MeitY has also withdrawn the PDPB 2019 and created a perceptional vacuum regarding the availability of law in India for data protection. (P.S: I call this vacuum “Perceptional” since ITA 2000 continues to exist at present and Section 43A continues to apply).

Will the Government be capable of standing up to the opposition and justifying the tender, or will it withdraw it? That is the question.

Already there is one report that suggests that the tender may be withdrawn.

Kindly peruse the following articles:

  1. IRCTC plans to sell user data, seeks Rs 1000 crore in revenue, floats tender
  2. IRCTC to mothball monetization of data over privacy concerns: Report

However this would be a good case for academic debate and we should discuss this in the interest of creating “Data Protection Jurisprudence”.

We shall therefore analyse the issue in greater detail in the continuation of this article.

Watch out for the continued article..

Naavi

 

Posted in Cyber Law | Leave a comment

Is Inc42.com driving our Ministry of IT?..Shape of things to come..New Data Protection Act of India-12

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 


There is an interesting headline appearing today in inc42.com, which is a media outlet considered to be anti-Government. It says “Govt May Drop Centralised Data Protection Authority From New Privacy Bill: Report”.

The article confidently proclaims that the concept of DPA as was proposed in the Data Protection Bill would be scrapped and in its place Government is planning to introduce a “Grievance Redressal Mechanism”.

The logic for the same is also provided in the news report which says.. “A lot of the functions that were allotted to DPA were out of its remit; the collection, storage and sharing of personal data will either be worked into the law itself or be included in the rules that will be made under the law, the report quoted an official as saying.”

It proceeds further to say

“According to the official, the government does not want to not overwhelm one authority and increase compliance costs for small companies.”

..and also that “Another official was quoted as saying that the government is looking at making the bill as uncomplicated as possible.”

It appears that there was more than one official, perhaps sitting across a pub table and talking to journalists at inc42.com and Hindustan Times about what is being contemplated.

I wonder who the officials are who are leaking such views to inc42.com. If any official from MeitY is providing such information, the Government should be seriously concerned about how such information is leaking out before it is officially announced. Probably an investigation has to be conducted to know if there is any violation of the Official Secrets Act.

A thought however occurs…are these reports being planted…?

Because the Government wants to test the reaction of the public on such suggestions? or

Is it inc42.com which is asking the MeitY to act as suggested and behaving like a super minister?

Either way, the honour of MeitY and that of the Ministers are at stake since it is clear that decisions are being taken by vested interests in the market on what kind of law is required.

I am reminded of the Nirav Modi-PNB fraud case where it is reported that Letters of Guarantee were being issued by the clerks in Nirav Modi’s office instead of the Bank Officers from their Bank servers.

It appears that inc42.com is the Nirav Modi for the Ministry.

There is a fair possibility that inc42.com may be bluffing just to create an opinion on what is suggested and the reporter could have confused himself/herself with the grievance redressal system suggested under the Intermediary Guidelines under ITA 2000.

It must be stated that this proposition under Intermediary Guidelines is itself ultra-vires ITA 2000 and it was a reflection of the quality of advisors who had finalized the idea. The same set of un-informed persons must be suggesting that the Data Protection Authority can be scrapped and the “Grievance Redressal Mechanism” can take over all the responsibilities of the proposed DPA.

It should be noted that the article of inc42.com quotes Mr Rajeev Chandrashekar and gives the impression that these thoughts including that “Bill would hurt Start ups” are his thoughts.  I am sure that Mr Rajeev Chandrashekar who sat through the JPC is aware that PDPB 2019 provided 3 years of Sand Box provision which could be used by Start ups to postpone the implementation of the provisions.

If a further two years were given for implementation,  then a total of five years time would have been available for start ups to implement PDPB 2019 after its passage.  So it is unlikely that Mr Rajeev Chandrashekar would have held such a view.

It is however necessary that Mr Rajeev Chandrashekar should clear his name and disown the press reports which are being leaked apparently from his office.

For the information of all, we would like to say that the functions of the DPA are not limited to “Grievance Redressal”, which is taken care of by the Adjudicator and the Appellate Tribunal. There are other functions of the DPA of which perhaps the Inc42.com reporter is not aware.

It is clear that the PR mechanism of the Anti Government lobby is at work and trying to plant such stories from time to time to create a ground for the Government to create a draft which will embarrass the Modi Government.

It is unfortunate that the Ministers are not serious in preventing such fake reports  quoting their names.

This  is part of the Information Warfare which the Government is trying to address through the Intermediary Guidelines.

I hope better senses will prevail with the Ministry which should take steps to curb “Quotes” from their officials. If inc42.com has any suggestions, it is free to make them as their suggestions and not drag the names of ghost employees of the Ministry.

At the same time, if the officials of the Ministry do not openly disown the statements attributed to the officials, it should be considered as an admission that it is correct and there is a conspiracy to let the draft be prepared by the media rather than the real experts.

We therefore demand that the Secretary of MeitY provides a public clarification about the names of the officials who have been leaking the draft under preparation.

Naavi


P.S: These discussions are presently for a debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly the Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means ..

 


Digital India Act…Discussions-3: Is Blockchain covered under the ITA 2000?…

This is part of a series of articles on the proposed Digital India Act set to replace the ITA 2000, which was once amended in 2008. Now MeitY is interested in bringing the law up to date to accommodate the current technology ecosystem which includes Blockchain, Artificial Intelligence, Meta Verse, Crypto Currencies and new crimes like Ransomware.

In this context some discussions have ensued in the media stating the inability of the current ITA 2000 to cover the new IT environment such as Blockchain, Meta Verse etc.

We have already been presenting a series of articles on the New Data Protection Act of India addressing the replacement of the PDPB 2019 which was also shelved.  Since media has already started a motivated discussion on the Digital India Act as a replacement of ITA 2000, we need to simultaneously start a branch  of discussion on ITA 2000 replacement with DIA in addition to the PDPB 2019 replacement with the NDPAI.

I request all interested persons to keep watching this space and add their comments.


Block Chain is a favourite of one section of the society because it is the platform on which the popular Crypto Currency, namely the Bitcoin, runs. We are all aware that the Bitcoin is the currency of criminals and store house of digital black money and its popularity is because it facilitates corruption and monetization of crime.

In order to provide respectability to this Bitcoin platform other applications are often quoted to say that Block Chain is a useful technology. However if Block Chain is a distributed ledger of electronic transactions with a “Consensus Based Authentication”, it has already been overtaken by new technology like Hedera Hash graph.

We understand that there is a strong Bitcoin lobby in the MeitY which would like to legitimize Bitcoins and other Crypto Currencies. The Finance Ministry is also in favour of Crypto Currency regularization. Supreme Court understands that Bitcoin is a good system for corruption and therefore supported the Bitcoin lobby against the RBI. The RBI is steadfastly opposed to regularization of Crypto Currency and the MHA may also be worried that Crypto currencies would be used for financing terrorism against the country.

In this background, we strongly oppose any backdoor being opened through the Digital India Act to give legal acceptability to Crypto Currencies.

Let us however look at the need for changes to be made to ITA 2000 that would affect the Crypto Currencies and Block Chain.

Block Chain in its popular form is a  technology where bundles of transactions are added to a block and connected to another bundle of transactions in the next block and continue the process of creating a ledger of transactions as a chain of data blocks.

Each Block contains a summary of transactions of a particular type  within a limit set by the block. Each block will have a block identity and the data will be distributed to a group of entities called the nodes. Every node will have a record of the transactions so that no change can be made to the block without it going out of sync with the block copies already with other nodes.  The transactions added into the block will be in encrypted form so that they cannot be altered. In the Bitcoin system a reward may be provided for one node in every block for creating the node along with a proof of work in the form of solving a puzzle.
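The tamper-evidence property described above can be illustrated with a short added example, which is not part of the original article. It assumes SHA-256 hash links between blocks (the mechanism Bitcoin uses to chain its blocks); the function names, node names and sample transactions are constructed for this sketch, and comparing each node's latest block hash against the majority stands in for a real consensus protocol.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

# Constructed sample data: three bundles of transactions, one bundle per block.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2},
     {"from": "carol", "to": "dave", "amount": 1}],
    [{"from": "dave", "to": "alice", "amount": 3}],
]


def block_hash(block_id, prev_hash, transactions):
    """SHA-256 over the block identity, the previous block's hash and the transactions."""
    payload = json.dumps(
        {"block_id": block_id, "prev_hash": prev_hash, "transactions": transactions},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(batches):
    """Turn bundles of transactions into a ledger of hash-linked blocks."""
    chain, prev = [], GENESIS_PREV
    for block_id, txs in enumerate(batches):
        digest = block_hash(block_id, prev, txs)
        chain.append({"block_id": block_id, "prev_hash": prev,
                      "transactions": txs, "hash": digest})
        prev = digest
    return chain


def first_invalid_block(chain):
    """Return the block_id of the first block whose hash or link is wrong, else None."""
    prev = GENESIS_PREV
    for block in chain:
        expected = block_hash(block["block_id"], block["prev_hash"], block["transactions"])
        if block["prev_hash"] != prev or block["hash"] != expected:
            return block["block_id"]
        prev = block["hash"]
    return None


def rehash(chain):
    """Recompute every hash and link so that an altered copy is self-consistent again."""
    return build_chain([block["transactions"] for block in chain])


def out_of_sync(nodes):
    """Names of nodes whose latest block hash differs from the majority of nodes."""
    tips = {name: chain[-1]["hash"] for name, chain in nodes.items()}
    majority, _ = Counter(tips.values()).most_common(1)[0]
    return sorted(name for name, tip in tips.items() if tip != majority)


def demo():
    honest = build_chain(SAMPLE_BATCHES)
    # Every node keeps its own full copy of the ledger.
    nodes = {name: copy.deepcopy(honest) for name in ("node-a", "node-b", "node-c")}

    # node-c alters one transaction in block 1 of its own copy.
    nodes["node-c"][1]["transactions"][0]["amount"] = 500
    detected_locally = first_invalid_block(nodes["node-c"])

    # Even if node-c recomputes all hashes so its copy verifies on its own,
    # its chain no longer matches the copies held by the other nodes.
    nodes["node-c"] = rehash(nodes["node-c"])
    after_rehash = first_invalid_block(nodes["node-c"])
    return detected_locally, after_rehash, out_of_sync(nodes)


if __name__ == "__main__":
    print(demo())
```
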

If each data block is “Data” as defined in ITA 2000, there is no change of law required to provide legal recognition to a “Block Chain”.  Existing ITA 2000 recognizes electronic documents excluding those which are listed under Section 1(4)-Schedule I.

The exclusions provided in ITA 2000 are not based on what technical type of document it represents such as whether it was created on Microsoft Windows OS or Linux or Apple iOS or a Block Chain. The exclusions are based on the functional utility of the electronic document for the human users such as

a) Promissory Note and Bill of Exchange

b) Power of Attorney

c) Trust Deed

d) Will

e) Document of Title to an immovable Property

Any of the above documents created as an electronic document does not have the “Legal Recognition” that any other document, such as a contract document created in electronic form, has.

If Block Chain is used for creation of any of these documents they would not be legally recognized. However in all other documents including “Smart Contracts”, a block chain document would be legally recognized and hence even under the current law, a block chain document for purposes other than the excluded documents, is usable.

If Encryption and Digital Signature are part of the document, ITA 2000 has corresponding provisions under which they are legally acceptable as authentication.

The use of Block Chain for Crypto Currency would however not be possible because the RBI Act prohibits any person other than RBI from issuing an instrument which can be used as a “Currency” for general purpose exchange for goods and services.

A Crypto Currency by nature is an “Electronic Document” and it is recognised as such under ITA 2000. However if two persons exchange Crypto Currency with an understanding that it is “Currency” or “Notes”, it is prohibited under law and it is punishable.

In order to be more specific, it is possible to mention under Schedule I of the ITA 2000 that “Any instrument used as Crypto Currency” is one of the excluded documents.

As regards NFT, it is not necessarily considered as “Currency” since it is non fungible and unique. Hence it is valid under ITA 2000. However, purchase and sale of an NFT has to be done through legit currency like INR and not with any Crypto Currency.

In view of the above, we do not need any new law to address the Block Chain. It is therefore incorrect to say that ITA 2000 is archaic and cannot handle the issue of blockchain. If at all anybody wants the new law to address Bitcoins or Crypto Currency, it is only to regularize the usage of Crypto Currency in violation of the RBI Act.

As regards crimes related to NFTs, they fall within Section 66 of ITA 2000 and do not need a new law, as they relate to modification or alteration of the electronic document or denying its access to the legitimate owner. Hence both Section 43 and 66 are applicable.

I wish MeitY consults persons who are aware of the law under ITA 2000 before releasing statements that ITA 2000 cannot handle modern technology.

Problems related to crime investigation in the Crypto world arise because of the anonymity of the transactions and the PKI encryption used. ITA 2000 has the power to demand decryption but, like “Proton Mail”, the Crypto Exchanges are not co-operative. Crypto Exchanges are however intermediaries and they will be liable for money laundering not only for their own transactions but also for those of the customers if they cannot identify them.

Under the new Intermediary guideline every user needs to go through KYC process at the time of registration and log records of every transaction need to be maintained. If the Exchanges and Wallet Account companies are foreign companies, the Government will find it difficult because this is a Criminal Mafia and will not co-operate with any Government agency.

In view of the above, the MeitY will be acting in violation of the law of the land if they do not specifically ban Crypto Currencies. If there is any attempt to legitimize the Crypto Currency in the new Act, then it will be ultra vires the law of the country.

We need to see if the power of corruption will provide courage to MeitY to regularize Bitcoins and Crypto Currencies in one pretext or the other. If so, we need to see if Mr Narendra Modi can understand the problem and take action.

RBI should not compromise its principles and it is unlikely to happen as long as the current Governor is in place. We do not know if RBI is compromised later.

We trust that the Supreme Court under the current CJI does not cave in like the bench which heard the infamous Crypto Currency case which was a fraud on the Indian legal system.

Let us keep our fingers crossed….

(More will follow)

Naavi

 


Digital India Act…Discussions-2: When a Metaverse Avatar abuses another avatar…

This is part of a series of articles on the proposed Digital India Act set to replace the ITA 2000, which was once amended in 2008. Another small set of amendments proposed by a single man committee of T K Vishwanathan in 2017 was scrapped. Now MeitY is interested in bringing the law up to date to accommodate the current technology ecosystem which includes Blockchain, Artificial Intelligence, Meta Verse, Crypto Currencies and new crimes like Ransomware.

In this context some discussions have ensued in the media and we provide our comments. Viewers may be aware that there is no other website in the world which has more comprehensive discussions of Cyber Law in India starting from around 1998 till date. If you click on the menu link on ITA 2008 and the next link on The Evolution of Amendments, you will reach the page where you can catch all discussions from E Commerce Act 1998 to ITA 2000, the Expert Committee suggestion of ITA 2005, then ITA 2008 etc. (Click for the link here)

Now we will start our discussions on the Digital India Act as well, from the newspaper-generated discussions now until the Act is finally passed.

I request all interested persons to keep watching this space and add their comments.

We shall create a “Block Chain” of suggestions

Naavi



The Digital India Act appears to be the brainchild of Mr Rajeev Chandrashekar and the success or failure of the same may both be attributed to him.

While any clarification in terms of a new law is welcome, since many of our lawyers and even the Courts do not understand the Technology environment, let us also see how the old ITA 2000 itself can be applied for some of these issues arising out of new technological developments.

In one of the articles which appeared in Economic Times yesterday titled “Digital India Act to Police Social Media and OTT Platforms”, a ghost digital expert who is privy to the discussions appeared to have raised the following question in justification of the need for the new law.

Quote:

“So, for instance, if a metaverse avatar bullies or sexually abuses another avatar, how does one even register such a crime?”

“Or, someone is stealing my crypto assets, replicating my NFTs, or for that matter, who could access my digital credentials, including Aadhar card data, or my finance data, or the food that I order on apps?”

Now let us try to interpret the status of the “Meta Verse Avatar” and the impact of its actions in the “Meta Verse Platform”.

In techno legal terms, a “Meta Verse Avatar” is an electronic document with specific characteristics. While an “e-mail address” is an electronic document with an associated name and any e-mails sent under that name can be attributed to the owner of the e-mail (maybe with a digital signature to back it or the intermediary to substantiate it), the “Meta Verse Avatar” is also an electronic document with a more detailed set of parameters which gets rendered on a computer screen not as abc@gmail.com but as a 3D picture. Just as one can send a series of messages in a WhatsApp account and each such message is an electronic document including an audio or a video, the actions of a meta verse avatar are also a video. While normal videos are pre-recorded, the Meta Verse avatar is a participant in the video in real time.

Hence laws applicable to an electronic document under ITA 2000/8 can be applied to the Meta Verse avatar.

The “Abuse” can be recognized in that the victim avatar can identify herself and produce Section 65B certified evidence about the conduct of the accused avatar, whose identity may not be known to the victim. But the police can investigate and find out the identity of the accused avatar with the help of the Meta Verse platform which is the “Intermediary”.

It is possible that the “Abusive Act” might have happened in a “Public Meta Verse space” or a “Private Meta Verse Space”. A Public Meta Verse space is one where there are avatars other than the accused and the victim. There is an element of “Virtual Defamation” in the crime. On the other hand, if the abuse occurs in a private space where only the victim and the accused were there, then we are looking at “harassment” and consequences arising thereof.

Current IPC has sections to address both defamation and harassment and they can be applied in this case using ITA 2000 along with the assistance of the Intermediary obliged to cooperate under Section 79.

We must however recall that our honourable Supreme Court did not understand the concept of “Digital harassment” when it struck down Section 66A under the wrong perception that “Publishing” and “Messaging” are same and hence “Harassment through messages” could be considered as “Free Speech” and hence restricting it through Section 66A was not correct. It came to the conclusion that Section 66A had a chilling effect on free speech and hence should be scrapped.

We can use the same incorrect judgement of the Supreme Court now and say that the so called sexual abuse of one avatar by another avatar is the free speech right of the accused avatar and hence Section 66A kind of legislation cannot be applied. Any way, now that Section 66A has been scrapped, one can use an appropriate section under IPC including sexual harassment and say that the “Psychological impact of the abuse on the victim avatar was equivalent to the physical sexual abuse” and hence can be brought under IPC provided the evidence is proved as per the ITA 2000 and Section 65B of Indian Evidence Act.

Hence we do not need to scrap the ITA 2000 to take the Meta Verse crimes to the Adjudicator or the Cyber Crime police.

The argument that we need to scrap the current ITA 2000 because it is incapable of meeting the current technological environment is therefore wrong.

( to be continued…)

Naavi

 


Whenever Law feels tougher, Criminals Squeal.. Shape of Things to Come-Digital India Act-1

We have already started a series of discussions under the “Shape of Things to Come-New Data Protection Act of India” in which so far we have released 11 articles. At the same time a discussion has ensued on the part of the law which could replace the ITA 2000. We may need to parallelly work on another series of articles just to counter the motivated media reports that have started appearing.

Naavi.org  has been a watch dog on the attempts of vested interests who try to twist the arm of the Government to get laws made for themselves. We see a scent of this attempt in the withdrawal of PDPB 2019 after the JPC report and an attempt to also scrap and replace the ITA 2000.

We continue to place positive suggestions for the Government to consider if they are trying to create better laws in good faith, but we will also call out any attempt to create “Criminal Friendly laws” in the guise of modernization of law.

We will therefore parallelly start releasing our views on the squealing that has started about the “Digital India Act”. When articles start appearing in unison in Quint, Media Nama, Economic Times, INC42 etc and speak in common voice on what needs to be done, it is clear that the vested anti India gang is at work.

Since yesterday, we have spotted the following articles.

  1. Digital India Act to police social media and OTT Platforms- Economic Times
  2. Digital India Act will monitor Social Media, Meta Verse, OTT Platforms: Report…inc42.com
  3. Big Tech, OTT platforms stare at uncertainty as center plans to push through Digital India Act this winter session… Economic Times

It is clear that the first wave of attack is coming from the Social Media and OTT who have been at loggerheads with the Ministry for a long time.

In December 2018, a “Draft Intermediary Guidelines 2018” was issued for public comments. It was vehemently opposed by the vested interests and the Government chickened out and did not take follow up action.

Then Mr Ravishankar Prasad and Prakash Javadekar mustered courage jointly holding each other’s hand and came up with the 25th February 2021 guideline. This was a courageous attempt by the usually hesitant Government to introduce a “Digital Media Ethics Code”. It gave 6 months’ time for implementation.

But the vested interests immediately worked probably at the PMO level to strip both the ministers of their ministry berths and Ravishankar Prasad was banished to the oblivion for having taken on Twitter.

Even the JPC head Mrs Meenakshi Lekhi who appeared to be not pliable was eased out of the JPC with an offer of a ministry. Following Mrs Lekhi’s exit, the JPC recommendations were changed to such an extent that its root purpose was forgotten.

Today when the Ministry quotes “81 Amendments suggested by JPC” as one of the reasons for its decision to scrap the PDPB 2019, it is clear that the post Meenakshi Lekhi work at JPC was only to spoil the possibility of PDPB 2019 being passed.

We should not forget that the new JPC brought in from nowhere a recommendation on Crypto Currencies into the PDPB recommendations. This indicated the forces which were at work in getting the law modified to meet the needs of the “Digitally Corrupt”.

It is stated that the Digital India Act will be used to legislate on Meta Verse and Block Chain as per the reports and also address the Crypto Scams.

The intentions are therefore clear enough for those of us who have been closely watching the politics of Crypto currencies. We can  understand that  “Anti India interests” are at work again to get  a law of their choice and all patriotic followers of Cyber Law development in India need to keep a watch on the developments from Delhi.

Who are the members of this Special Committee?

From the articles that have appeared, quoting as usual a “Ghost informant”, it appears that MeitY has formed a “Special Committee” which is working on the draft.

We the Indians want to know the composition of this committee, who are the members, what are their antecedents and more specifically will they all give a declaration that they do not hold any “Crypto Currency” in their name or in their relatives’ names. If they have holdings of Crypto Currencies, they need to give a declaration of their holdings since they are going to suggest legislation on Crypto currencies.

Will the Government come out openly about its agenda on why JPC was scrapped and ITA 2000 is being amended wholesale?

Recently the Minister of Urban Development made an announcement of providing shelter to Rohingyas and the MHA had to step in to correct it. Similarly we expect that the MeitY may come up with a “Criminal Friendly” and “Corruption Friendly” legislation and it will have to be corrected by MHA once again.

If things happen the way we do not want them to happen, Naavi.org will once again stand up against the injustice and fight for the people of India.

We hope things will turn out better and our fears are unfounded. We proceed with this premise and continue our discussion on what amendments should be considered in the new DIA.

(This is a personal fight of Naavi; the views expressed here are personal and do not reflect the views of any organization. At present however, we place the trust in Narendra Modi Government to do what is good for the Indian Society though not all arms of the Government may be in sync with this Pro public stance)

Naavi

 

 


The Shape of Things to Come..The New Data Protection Act of India-11 (Advertising)

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 


The  Privacy Protection law applied to “Data” revolves around

a) Collection of Personal information based on a proper consent of the data subject

b) Processing of collected personal information  according to the wishes of the data subject

c) Use of the processed personal information according to the consent of the data subject.

While “Consent” is the principal basis for personal data collection, processing and use, necessity of Governance and Business require recognition of certain circumstances where the “Consent” has to be deemed to exist. Such situations can be described as “Legitimate Interest”.

“Legitimate interest” covers not only the business requirements of the data controller but also the requirements of the Government and the interests of the Public, other data subjects, emergency situations etc.

Hence “Consent” and “Legitimate Interest” are the two main pillars under which the entire Data Protection Principles can be built.

The normal perception is that PDPB 2019 was “Consent dependent” whereas GDPR was not. The reason was that under GDPR, Consent was only one of the several bases on which lawfulness of processing was defined.

Article 6 of GDPR recognized the following as legal bases:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

In the above, point (b) is directly related to a deemed consent. Point (c) is the right of the data controller, (d) relates to emergencies, (e) relates to “Public interest” and (f) relates to other “legitimate interests” which are commercial in nature.

The business interest included under point (f) should be considered as including the “Advertisement” requirements since “Advertising” is the fundamental right of a business entity since it cannot exist without communicating to its target market, what services or products it sells at what price and how does it distinguish its products from the competition, what are the unique selling propositions etc.

We may notice that under Article 19(1) of the Indian constitution, fundamental rights of citizens include carrying on a business of choice. The freedom to conduct a legal business in an efficient manner and earn a reasonable profit is therefore a right of every business entity. If this requires “Advertising”, we should not consider “Advertising” to be a taboo. If “Advertising” is allowed as a fair business practice, then market segmentation and targeted messaging for different markets as well as the profiling of consumers for the purpose of marketing are all legitimate interests of a Data Controller.

Let us therefore shed our misconception that “Advertising” is bad and “Profiling for advertising” is bad and look at what part of advertising and profiling is bad and how they can be avoided or addressed.

So far, no attempt has been made in the data protection laws for regulation of “Advertising” or introducing an “Ethical Code for use of a profile”. Most laws indicate that “Profiling” whether it leads to correct or incorrect perceptions about the data subject is outside the basic purview of “Purpose of Processing”. There is no appreciation that “Advertising” itself can be a “Purpose” for which profiling is created. We need to set right this inadequacy in our laws.

In most cases of personal data processing, profiling is an automatic occurrence. The moment we see another individual, our mind creates a profile of the person based on his demeanour. The science of “Body Language” is nothing but making an inference out of the visible profile of a person. It is not possible to prevent this human trait. Similarly, when an organization observes certain activity of an individual, an automatic “profile” gets created.

In GDPR we call this “Automated Processing” and we require a legal basis for it. Whether there can be a legal basis for something which happens automatically is the moot point. Suppose a customer of Amazon says “don’t profile me by my buying habits”; will it be feasible for Amazon to delete all buying information as if there is a “Right to Forget”? Firstly, the transaction information that contains the personal data of the data subject is “Joint Data” and Amazon has as much right as the data subject to keep the data and use it as long as “No harm is caused to the data subject”.

Hence, if before shaking hands with you for the first time I say, “Do not judge me by my looks, gender, accent, height or colour”, such a “Denial of consent” has no validity.

Similarly, “Profiling” is a process which is automatic and it is the essence of understanding the consumer for the purpose of advertising or service. A blanket ban on “Profiling” or “Automatic Processing” is therefore not reasonable.

However, “Automated Decision Making” is different from “Automatic Processing” since automated decision making may involve a potential harm to the data subject.

Once a profile is created, the information may be used either by the Data Controller himself for the improvement of his business or the information may be shared with a third party advertiser. This “Sale” of personal profile is another taboo in data protection law and we often consider it as unacceptable.

A time has come for data protection professionals and the law makers to take a fair view of the needs of “Advertising” and allow a certain level of personal data processing which is reasonable and not harmful to the data subject.

We can achieve our objective of protecting the privacy rights of individuals without unduly hurting the business interests by focussing our regulations on the “harm” that may be caused by the misuse of personal information rather than banning certain aspects of its “Use”.

If therefore “Advertising” is declared as a collateral or incidental purpose of personal data processing and a consent is sought from the data subject at the time of collection, it should be considered as a fair request.

For the time being, considering the revolutionary nature of this suggestion, I would like to consider that use of personal information for “Advertising” should be considered as a special use and an “Explicit Consent” may be obtained instead of an ordinary consent or deemed consent.

We can achieve this by declaring an “Advertising Profile” of a data subject as “Sensitive Personal Information”.

Now if we go back to our definition of sensitive personal information and processing, we recall that we stated as follows: (refer article 8)

Processing 

“Processing” is defined as any alteration of a binary sequence of data elements and includes data aggregation, data modification, data deletion, data disclosure, data publishing etc.

This was purely a technical definition and was not related to the purpose of processing and did not include “Profiling”.

We may now add the following for definition of Profiling:

Profiling

“profiling” means any form of processing of personal data that directly or indirectly analyses or predicts the behaviour, attributes or interests of a data principal.

Explanation:

Profiling includes purpose oriented collection and arrangement of personal data elements such as Advertising profile, Health Profile, Financial Profile etc.

Sensitive Personal Data 

Personal Data which may reasonably cause significant harm to the individual in the hands of an unauthorized person is classified as “Sensitive personal data” and includes

a) Credentials for accessing restricted data

b) Health data

c) Financial data

d) Sex related data

e) Biometric data

f) Genetic data

We shall now modify the definition of “Sensitive personal Information” by including item

(g) Advertising Profile.

Correspondingly, we shall define “Advertising profile” as follows:

Advertising Profile

Advertising Profile means a collection of personal data elements of a data subject/Data Principal that represents the profile of the individual in terms of his commercial activities such as buying of goods and services and includes the intelligent insights that may be developed about the individual that may be used for advertising purpose.

Kindly note that when we use the word “Profile” instead of “Data” to define “Sensitive Personal Information” we are clearly defining that it is not one single parameter that we are defining in this definition but a “Profile” which is a collection of several parameters.

Under this consideration, we can perhaps make corresponding changes in the list of “Sensitive personal information” to replace Health Data, Financial Data or Genetic data etc with corresponding profiles.

We therefore re-define the “Sensitive Personal Information” as follows.

Sensitive Personal Data

Personal Data which may reasonably cause a significant harm to the individual in the hands of an unauthorized person is classified as “Sensitive personal data” and includes

a) Credentials for accessing restricted data

b) Health Profile

c) Financial Profile

d) Sex Profile

e) Biometric Profile

f) Genetic Profile

(g) Advertising Profile.

As regards the restrictions to be placed on use of information for Advertising, we shall cover it under the compliance requirements since it is related to prevention of harm to the data subject.

By shifting the focus of regulation from “Collection and Processing” to “Misuse and Harm”, the industry would be relieved from the restrictive regime governing business that involves personal data collection and legitimate use, and regulation would focus more on the harm caused by misuse.

This shift of focus may be used by unscrupulous business entities who may take advantage of the weaknesses in the enforcement mechanism. Hence these suggestions need strict vigilance and enforcement.

Currently we use the Data Protection Impact Assessment and the Privacy By Design Policy as instruments to capture the intentions of a Data Controller or Data Fiduciary and follow up with the Concurrent audit and mandatory annual audit as well as the 4% turnover based penalty.

In order to increase the deterrence, any intentional contravention of a “DPIA” or “Privacy By Design Policy” (which in PDPB 2019 required registration) should be considered as “Breach of Trust” and made punishable as a criminal offence subject to a safe harbor clause based on “Due Diligence”. (These will be discussed in detail in subsequent chapters)

It may be necessary that Due Diligence should include a DPIA for any profiling process, and that every such process should be mandatorily subjected to a DPIA which will be filed with the regulatory authority.

I request the readers to send their comments on the above.

Naavi


P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly the Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means ..

 
