Naavi.org

The Shape of Things to Come..The New Data Protection Act of India-10 (Exemptions-Privacy)

Posted on August 17, 2022 by Vijayashankar Na

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

In discussing Privacy Regulations, it is important for us to appreciate that problems related to Privacy arise from two important concerns namely the “Surveillance” by the authority and “Advertising” by companies.

Surveillance concerns arise because of the distrust in the Government of the jurisdiction and is inseparable from the politics. It is not easy to raise above politics and look at the needs of “Governance” and “Law Enforcement” beyond the fact that today there is a a particular regime in place. In constructing a new dispensation of the law, it is important that we raise above politics and look at issues only and not which party in power when we discuss how much of leverage should be there for the law enforcement agencies in terms of exemptions and derogations.

“National Security”, “Public Public Safety” and “Law Enforcement” are “Duties” of a Government enforced through the Constitution. No Government can abdicate its duty to maintain Sovereignty Integrity of the Country and hence cannot create a Privacy Law in which its powers to enforce law is limited by design. It is therefore ultra vires the constitution to expect that there will be restrictions placed on the requirements of National Security as well as Public Safety and Law Enforcement.

Every Citizen also has a duty to ensure that “Sovereignty and Integrity” of the nation as well as public safety is maintained and hence should cooperate with the enforcement of the law for this purpose. Not providing such cooperation could therefore be considered as a punishable offence.

Indian Constitution recognizes and the Privacy Judgement of the Supreme Court (Puttaswamy Judgement) endorses that the “Right to Privacy” of an Indian Citizen is subject to the following “Reasonable Restrictions” under article 19(2) which states as under.

Article 19(2) in The Constitution Of India 1949

Nothing in sub clause (a) of clause ( 1 ) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right conferred by the said sub clause in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence

The above sub section refers to Article 19(1) which states as follows:

Article 19(1) in The Constitution Of India 1949

(1) All citizens shall have the right

(a) to freedom of speech and expression;
(b) to assemble peaceably and without arms;
(c) to form associations or unions;
(d) to move freely throughout the territory of India;
(e) to reside and settle in any part of the territory of India; and
(f) omitted
(g) to practise any profession, or to carry on any occupation, trade or business

“Right to Privacy” is derived from Article 21 of the constitution which states as follows.

Article 21 in The Constitution Of India 1949

21. Protection of life and personal liberty

No person shall be deprived of his life or personal liberty except according to procedure established by law.

Though Article 21 itself does not by itself mention the reasonable exceptions, it is considered as applicable to all fundamental rights and the Supreme Court has further ratified this stand.

In the PDPB 2019, the Government was more conservative than what the Constitution provided by providing exemptions under Section 35 restricted only to

“the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; or for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order,”

It is interesting to note that the Constitutional provisions support exemption in respect of “Decency and Morality” or in relation to “Contempt of Court”, “Defamation” and “Incitement of an offence ( in general and not necessarily considered cognizable)” but Section 35 omitted the exemptions under the considerations of Decency and Morality” or in relation to “Contempt of Court” and “Defamation”.

It also reduced the scope of “Preventing incitement to an offence” to only “Cognizable offence” and further only in respect of the sovereignty and integrity of India, security of state, friendly relations with foreign states or public order, again omitting the “Decency and Morality” as well as “Contempt of Court” and “Defamation”.

Section 35 of PDPB 2019 was therefore more conservative than what was required under the constitution and also well within the limits of the Indian Constitution .

However, there was a strong opposition to this section and probably such opposition could be ascribed to the judiciary which was perhaps unhappy that “Contempt of Court” was removed from the exemption. I do not think that removal of “Decency and Morality” or “Defamation” from the exemption was much of a concern. However, public were not able to understand the motivation in opposing the provisions of Section 35.

It is a separate debate whether the Government could have avoided the controversy by simply not making any change in the “Reasonable Exception”. But in that case the clauses such as “Decency” and “Morality” as well as “Any offence even if it is not cognizable and only related to sovereignty and integrity of India, security of state, friendly relations with foreign states or public order” and “Defamation” could have been considerations under which exemptions could be claimed by the Government. This would have provided more sweeping powers to the Government which could be misused later by another regime.

We therefore not only should support the version of the PDPB 2019 as regards the exemptions, but also re-iterate in the proposed New Data Protection Act of India by a specific section in the “Preliminary Chapter” on Applicability.

Remember that PDPB 2019 did not define Privacy or Information Privacy directly and left it to the interpretation under the Supreme Court judgement. We considered this as inappropriate and suggested that it is the responsibility of the Government to come up with a definition and not leave it to the interpretation of the complying organizations. Expecting a complying organization to define what they are expected to “Protect” when the nine member Supreme Court bench or the Government abdicates their responsibility to provide clarity is considered unfair.

We therefore recommended the definition of Privacy to be included in the Act as follows:

Privacy

“Privacy is a fundamental right under the Constitution of India as an independent right under the Right to life and liberty that guarantees an individual that shall not be infringed except under due process of law as defined in this Act and includes the following.

(a) “Physical Privacy” means the choice of an individual to determine to what extent the individual may chose to share his physical space with others.

(b) “Mental Privacy” means the choice of an individual to determine to what extent the individual may chose to share his mind space with others

(c) “Neuro Privacy” means the choice of an individual to determine to what extent the individual may share his neuro space with others

(d) “Information Privacy” means the choice of an individual to determine to what extent the individual may share data about the individual with others.

Explanation:

1.“Sharing” in the context above means “making the information available to another human being in such form that it can be experienced by the receiver through any of the senses of seeing, hearing, touching, smelling or tasting of a human in such a manner that the identity of the individual to whom the data belongs may become recognizable to the receiver with ordinary efforts”.

Now we propose that we can add a second explanation to this section as follows.

2. The Right to Privacy referred to in this section is subject to the reasonable restrictions in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; and for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order,

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

Naavi

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..

Posted in Cyber Law | Leave a comment

Naavi has no relationship with Navi.co

Posted on August 16, 2022 by Vijayashankar Na

Posted in Cyber Law | Leave a comment

Telecom Regulations-Public Comments

Posted on August 16, 2022 by Vijayashankar Na

The Government of India has released a press note as follows:

Inviting comments on the Consultation Paper on ‘Need for a new legal framework governing Telecommunication in India’

Legal framework for telecommunication in India is governed by Laws which were enacted long before India’s independence. Technology has evolved significantly in the recent decades.

Stakeholders have been demanding evolution of legal framework to keep it in tune with changing technology. Therefore, Ministry of Communications has prepared a consultation paper on need for a new legal framework in telecom sector.

The consultation paper may be accessed at https://dot.gov.in/whatsnew/consultation-paper-need-new-legal-framework-governing-telecommunication-india.

Comments may be sent on the email ID : naveen.kumar71@gov.

Some of my immediate observations on the consultation paper are captured below for the comments of the readers.

The objectives of the proposed new legal framework governing telecommunication in India to bring better administrative clarity is welcome.
Today, telecommunication has merged with the Digital world and the Telecommunication network has become a network for carrying digital data. It is therefore similar to a Wide Area Network of electronic data. It has hardware which includes the “Tower Network” and “Content” which is “Data” that flows between users. The carrier is the “Spectrum” which is a unique “Virtual” asset. The regulations should cover all these segments of business.
Out of the above three segments, regulation of Towers in the form of licensing, prevention of harm through the radiation, the right of way etc are one kind of regulations that need to be put in place.
Second type of regulation is related to the “Spectrum” management which is a right to use a certain frequency band. The “Electro Magnetic Radiation” emanating from the towers is a similar phenomenon of something travelling through air and having a consequence but difficult to conceptually describe in a law. “Spectrum Management and “Radiation Management” are special areas of regulation unique to this industry.
Third type of regulation is related to the content. Since the content generated, transmitted and stored by the telecom industry is mostly “Digital” the regulation can be merged with the regulation of digital content. In order to regulate the small part of analog communication, the digital law itself may be used by a “Deeming effect” by declaring that Analogue communication for the purpose of regulation in this industry is deemed to be “digital” in form and regulations meant for digital content may be extended to analog content as well.
Fourth type of regulation is related to the end user equipment for receiving and transmitting telecom signals which may include the “Set Top Boxes”, the Routers” etc. These are also similar to the digital data transmission and processing devices such as “Computers” and “Mobiles” and hence care should be exercised not to create overlapping regulations.
Since the MeitY has made some announcements that they may consider a “Unified” law for Telecommunications and Information Technology, the DOT may consider to restrict the “Telecom Law” to the special requirements of the Telecom industry which relate to “Spectrum Management” and place the issues related to tower management, content management, Set top management etc to the “Unified Digital Law” that may be drafted for integration of the Data Protection law and Information Technology Act.
The entire telecom network may be declared as “Protected System” under the current Section 70 of the ITA 2000 and declared as “Critical IT Infrastructure” . Special powers may be notified to regulate the Critical IT Infrastructure which may include the “Right of Way”.
Framework for mergers, acquisitions and Insolvency provisions etc are also similar to the issues that arise in IT (eg insolvency of Net4India and merger of CIBIL with TransUnion) and can be handled by the Unified law.
The Universal Service Obligation can also be merged with the IT regulations under the Unified law.
Penalties, as well as Public Safety and National Security also can be merged with IT regulations under the Unified law.
Hence if the Telecom regulations address “Spectrum” issue, most of the legal requirements would be adequately addressed. Since “Spectrum” also has relations to the “WiFi” which is a concern of the IT industry, it may not be impossible to merge the spectrum regulation also with the Unified law though it requires some innovative thinking.

(Welcome Comments)

Naavi

Posted in Cyber Law | Leave a comment

The Shape of Things to Come..The New Data Protection Act of India-9 (Definitions-Roles)

Posted on August 15, 2022 by Vijayashankar Na

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

We have so far discussed the definitions of “Privacy” and “Data” in the previous two articles. In this article let us discuss the definition of different entities and their roles.

In GDPR, important roles for the data handlers are Data Controller Data Processor, c) Recipient and Joint Data Controller,

On the other hand, PDPB 2018/2019 defined the roles as “Data Fiduciary”, “Data Processor” and “Consent Manager”.

In the NDPAI, it is suggested that the Data Fiduciary should be considered as “Data Manager”. The reason why we are suggesting this change is that the “Role of Data Fiduciary” as a “Trustee ship” for the entity which is determining the purpose and means of personal data processing is a good measure. But this “Trusteeship” responsibility is not very practical and it is difficult to expect the commercially minded “Data Controllers” to faithfully discharge the responsibility as a “Trustee”. The Conflict of interest is too strong for the concept to work efficiently.

At the same time, “Data Controller” reduces the importance of the Data Subject/Data Principal as if he is enslaved by the Data Controller. It is therefore necessary to identify a more balanced role to the entity which is today referred to as the Data Controller or Data Fiduciary.

I therefore suggest that the role of the entity which determines the purpose and scope of personal data processing as the “Data Manager”. This retains the superior position of the Data Principal who appoints the “Data Manager” for a specific task.

Also the GDPR defines “Means of Processing” and “Purpose of Processing” as the criteria for identifying the “Controller” status. This needs a re-look. “Collection” and “Purpose” could be two better parameters to fix the responsibility of an entity as a “Controller”. “Collection” is a key criteria because it is only a “Collector of Personal Data” who is having a relationship with the data subject and can obtain a proper consent where required. It is not feasible for a “Controller” appointing another entity as a “Processor” to collect the personal data.

Secondly, once the “Controller” specifies the “Purpose” and hands over the personal data to a processor, the “Means of Processing” can be left to the processor to determine. In many practical instances, we find that Cloud Service providers offer many services for processing personal data under proprietary technology. They would like to offer their service with a commitment on the required output but would be reluctant to pass on the technology secrets on which they may have intellectual property rights. Presently, all such processors need to be treated as “Joint Data Controllers” only and not “Data Processors”.

A “Data Processing Contract” specifies the purpose for which the data has to be processed and also specifies the “Security” requirements. Security would automatically include the provision that the data cannot be used for any “Unauthorized purpose”. Hence with a control on “Purpose” and “Security” under a contractual obligation, the processor can be provided the freedom to preserve his intellectual property rights.

Under these considerations the definition of a “Data Manager” which replaces the term “Data Fiduciary” would be

Data Manager

Data Manager in the context of personal data is any person who collects personal data and determines the purpose of processing.

Data Processor

Data Processor in the context of personal data is any person who processes the personal data received from a Data Manager strictly in accordance with the specified purpose for which the personal data was collected from the data subjects.

The associated definition would be that of a “Person”. The term person may be used both as an “Individual” who could be a data subject and a Data Manager or Data Processor”.

The definition of a “Person” could be

Person

A “Person” in the context of personal data means

a) the individual whose personal data is collected by a Data Manager for an agreed purpose.

b) the entity of any description which processes the personal data as a data manager or a data processor and includes an individual, corporate entity, partnership firm, society, association of persons, a Government department or any other juridical entity recognized under law.

The role of a “Consent manager” is recognized in PDPB 2019 and not in GDPR. It is an excellent proposition and in the context of the Indian environment where the data principals are less educated, and also have to grapple with language issues in understanding the consent requests and would benefit by the assistance that a “Consent Manager” can provide. “Consent manager” always is the “Collector of the personal data” and hence under the above definition of a “Data Manager” the “Consent Manager” is also a Data Manager. However, the “Consent Manager” is a specialized Data Manager since the only purpose for which he collects personal data is to act on behalf of the data subject for providing consent to other Data Managers and to exercise the rights of the Data Principal.

His role therefore is more as a “Privacy Protection Advisor” of the Data Principal. This role can be created by a “Power of Attorney” document without the need for this provision in the law. However, in order to ensure responsibility and accountability, to this important function, it is better for the law to declare this role under the term “Privacy Protection Advisor” instead of “Consent manager”. This will avoid the clash of the term with a similar term used under the “Account Aggregator” concept of the RBI besides addressing the function of exercising of Rights on behalf of the data principal.

Considering the needs of the Indian society, it is suggested that the Act should encourage both corporate entities and individuals to take on the license as “Privacy Protection Advisors” (PPA) under a suitable accreditation system regulated by the data protection authority. In this system, the PPA s could be called Category I, Category II or Category III advisors where the lowest category of advisors would be the professionals with necessary knowledge and commitment where as Category II could be firms of Category III advisors and Category I would be independent Corporate entities with a specified capital base and larger responsibilities to technically safeguard the data principals.

The Category III advisors would be like the Chartered Accountants or or advocates who act individually within their respective professional responsibilities and Category II advisors would be like the CA firm or Lawyer firm where individual professionals who are Category III advisors can work together as a loose association.

This will enable development of professionals who can not only act as Privacy Protection Advisors for individuals but also as “Data Auditors” and would require to fulfill some accreditation criteria of the regulator.

Under this premise, the Consent Manager could be defined as follows.

Consent Manager

Consent Manager is any person or association of persons or a company or any other juridical entity under any law and capable of being able to sue or be sued upon, which is authorized by the Data Protection Authority and may offer services as advisors to assist the individual data principals for providing informed consent to the data managers and to provide assistance for exercising their rights guaranteed under the Act.

Joint Data Manager

Joint Data Manager in the context of personal data means any combination of two or more data managers who have agreed to share the responsibilities jointly and severally under this Act.

The GDPR defines a role as a “Recipient” who is neither a Data Controller or Data Processor. However, in the GDPR, since “Storing” of personal data is also considered as “Processing”, every recipient of identified personal data will automatically be a “Data Processor” or a “Data Controller”.

In the definition of a “Data Processor” which we used yesterday (article 8) we did not specifically include “Data Storing” as a “Processing activity”.

We defined “Processing” as follows.

“Processing” will be defined as any alteration of a binary sequence of data elements and includes data aggregation, data modification, data deletion, data disclosure, data publishing etc.

In this definition, we captured only such processes that alter the data as “Processing”.

In GDPR and PDPB 2019, “Storing” is also considered as “Processing”. However, considering that there are many service providers who only store data some times the containers of data in safe custody without any access to the data, it may be better to carve out “Storage of Data” as a separate activity not amounting to “processing”.

We therefore suggest that under the “Roles”, we can define a “Data Storage Agent” as a separate entity with a definition as follows.

Data Storage Agent

A Data Storage Agent in the context of personal or non personal data management means any person who is entrusted with the custody of data for the purpose of safe custody only whether in a data container or otherwise and does not have right to access and will however be responsible for secure storage.

…Discussions will continue…. Comments and suggestions are welcome.

Naavi

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..

Posted in Cyber Law | Leave a comment

The Shape of Things to Come..The New Data Protection Act of India-8 (Definitions-Data)

Posted on August 15, 2022 by Vijayashankar Na

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

We have discussed the definition of “Privacy” in some detail in the last few articles. In particular, the suggestion that “Sharing” of identifiable data for processing within an algorithm in such a manner that the identified data is not exposed to a human being has evoked a long debate and I have tried to provide clarifications as required.

One residual query was in respect of what would happen if the anonymised processed data is shared as “Non Personal Data” and the recipient later de-anonymizes the anonymized data. Obviously when data which was previously identifiable personal data but was anonymized by one processor and then released as “Non Personal Data”, the processor is expected to use an acceptable standard of anonymization which becomes the “Due Diligence” or “Reasonable Security Practice” on his part. When this is voluntarily shared by Processor A to a recipient B, Recipient B is not expected to de-anonymize the data. If Processor B does de-anonymize then Processor B would be guilty of a criminal offence (we shall discuss this later under penalties). At that time, Processor A would have to defend that it had followed “Due Diligence” and claim protection as an intermediary under Section 79.

I reiterate that the concept that the definition of “Sharing” for defining “Privacy” should be restricted to disclosure to a human being and not an algorithm is a concept which is different from the GDPR jurisprudence. It is however suggested because we feel that there is an opportunity for India to set new standards in designing a Data Protection Act which can be better than GDPR.

In order to recall all the discussions we had in this regard, we reproduce the definition of Privacy as suggested by us to be included in the NDPAI.

Privacy

Privacy is a fundamental right under the Constitution of India as an independent right under the Right to life and liberty that guarantees an individual that shall not be infringed except under due process of law as defined in this Act and includes the following.

(a) “Physical Privacy” means the choice of an individual to determine to what extent the individual may chose to share his physical space with others.

(b) “Mental Privacy” means the choice of an individual to determine to what extent the individual may chose to share his mind space with others

(c) “Neuro Privacy” means the choice of an individual to determine to what extent the individual may share his neuro space with others

(d) “Information Privacy” means the choice of an individual to determine to what extent the individual may share data about the individual with others.

Explanation:

“Sharing” in the context above means “making the information available to another human being in such form that it can be experienced by the receiver through any of the senses of seeing, hearing, touching, smelling or tasting of a human in such a manner that the identity of the individual to whom the data belongs may become recognizable to the receiver with ordinary efforts”.

We also re-iterate that it is the responsibility of the Government to define “Privacy” before going to place a responsibility on the industry to protect the Right to Privacy.

Definition of Data

Having defined that “Privacy” is related to protection of Personal data we need to now define

i) Data, Computer, Processing

ii) Personal Data

iii) Non Personal Data

iv) Sensitive Personal Data

v) Neuro data

vi) Harm to individuals

vii) Harm to Entities

viii) Critical Personal Data

ix) Sensitive non personal data

x) Critical Non Personal Data

xi) Significant Harm

xii) Joint Data

xiii) Corporate Data

xiv) Business Data

xv) Minor Data

xvi) Personal Data of non citizens

xvii) De-identified Personal Data

xviii) Pseudonymized Personal Data

xix) Anonymized Personal Data

xx) Encrypted Data

Let us first place before the audience the proposed definitions of these 16 different kinds of data and later debate whether all these categories of data are to be defined.

We have consciously decided that we are pursuing development of a “Privacy Code” that is a combination of present day PDPB 2019 and ITA 2000/8 and the proposed Non Personal Data Governance Act (NPDGA).

Though in the definition of Privacy we have included instruments of personal information contained in “Oral” and “Paper” form, most of our discussions will revolve around “Data” which is the electronic form of storage of information.

When PDPB 2019 was contemplated, we already had ITA 2000 which had defined Data, Personal data, Sensitive Personal data and the legal recognition to Data. Hence PDPB 2019 adopted the same definition of data and only made some changes to the definition of sensitive personal information. Presently there is an opportunity to find an improved definition and hence we are proceeding to suggest definitions which may be slightly at variance with the current ITA 2000/8.

i) Data, Computer, Processing

“Data” means information which is expressed or is capable of being expressed in a binary language and includes data in raw form where the binary elements are distributed in a chaotic state and data which is organized into bytes and sequence of bytes.

Correspondingly, “Computer” will be defined as any device that can generate, process, store or transmit data or delete data by destroying the organized form of binary distribution back to a chaotic form and includes all hardware devices and applications which provide the functionality of generation of an organized set of binary expressions, processing them or storing them or transmitting them or handle them in any other form.

Further, “Processing” will be defined as any alteration of a binary sequence of data elements and includes data aggregation, data modification, data deletion, data disclosure, data publishing etc.

ii) Personal data

Personal data means any data that can with reasonable assurance be associated by the receiver with an identifiable living natural person and includes combination of different elements of personal data which in combination create a reasonably assured identity though the different elements might have been acquired from different sources and at different points of time.

iii) Non Personal Data

Any data which is not “Personal data” is “Non Personal Data” and includes Raw data in a chaotic distribution of binary, Corporate Data, Business transaction data, environmental data etc., which donot contain the association with an identity of any specific living natural person.

iv) Sensitive Personal Data

Personal Data which contains such personal data, which may reasonably cause a significant harm to the individual in the hands of unauthorized person is classified as “Sensitive personal data” and includes

a) Credentials for accessing restricted data

b) Health data

c) Financial data

d) Sex related data

e) Biometric data

f) Genetic data

An associated definition with Sensitive Personal Information would be the definition of “Harm” and “Significant harm”.

v) Neuro data

Neuro data means the electromagnetic signals that are collected from or fed into the human brain by a Brain Computer Interface in binary form.

vi) Harm to Individuals

“Harm” means any wrongful and adverse impact on the body, mind or property of an individual and includes

a) Physical or Mental injury

b) Loss, distortion or theft of identity

c) financial loss or loss of property

d) Loss of reputation or humiliation

e) Loss of Employment or source of income

f) Threat to life and property including causing harassment or subjecting to extortion

g) Causing discriminatory treatment in the society.

h) Psychological or Neurological manipulation which alters the ability of an individual to take autonomous decisions

vii) Harm To Entities

“Harm” in the context of entities means any wrongful and adverse impact on the entity in terms of its property, reputation, business continuity, impairment or cost escalation.

viii) Critical Personal Data

Critical Personal Data means such personal data, deprivation, incapacitation or destruction of which would cause significant harm to an individual and includes biometric data or genetic data or unique official identifiers and personal data under the control of such entities or computer resources whose activities if incapacitated or impaired may have debilitating impact on national security, economy, public health or safety.

ix) Sensitive Non Personal Data

Sensitive Non Personal Data means such non personal data which the deprivation, modification, deletion or wrongful sharing of which may reasonably cause a significant harm to any organization including

a) Loss of Business

b) Loss of Money or Property

c) Loss of Reputation

d) Disruption of Business Continuity

e) Unreasonable increase in cost of operation

x) Critical Non Personal Data

Critical Non Personal Data means such non personal data, deprivation, incapacitation or destruction of which would cause significant harm to an entity and includes non personal data under the control of such entities or computer resources whose activities if incapacitated or impaired may have debilitating impact on national security, economy, public health or safety.

xi) Significant Harm

Significant Harm means such harm caused to an individual or any other entity, which is irreversible or is reasonably difficult to correct once caused.

xii) Joint Data

Joint Data whether personal or non personal means such data that is generated during a transaction involving more than one individual or entity

xiii) Corporate Data

Corporate Data means data that can with reasonable assurance be associated with an identifiable non living individual including Government agencies or Partnership firms, proprietary concerns or association of individuals, Not for profit entities, and further includes combination of different elements of data which in combination create a reasonably assured identity though the different elements might have been acquired from different sources and at different points of time.

xiv) Business Data

Business Data means any data related to a business or Governance transaction whether inclusive of elements of personal data or corporate data or not.

xv) Minor Data

Minor Data means any personal data associated with an individual who is of age less than 18 years.

xvi) Personal Data of Non Citizens

Personal Data of Non Citizens means any personal data of an individual who is not a Citizen of India as per the Citizenship Act of India.

xvi)i De-Identified Personal Data

De-Identified personal Data means such personal data from which all parameters of identity that may with reasonable assurance determine the association of the data with a living natural individual is removed and made inaccessible to the person to whom the data is disclosed.

xviii) Pseudonymized Personal Data

Pseudonymized personal Data means such personal data in which all parameters of identity that may with reasonable assurance determine the association of the data with a living natural individual are replaced with comparable but randomly altered data elements and made inaccessible to the person to whom the data is disclosed.

xix) Anonymized Personal Data

Anonymized personal Data means such personal data from which all parameters of identity that may with reasonable assurance determine the association of the data with a living natural individual are removed and irrevocably destroyed so that the identity of the individual is rendered indeterminate to any person who is in possession of the residual data including the entity or person who caused the anonymization.

xx) Encrypted Data

Encrypted Data means such data that has been converted into a different data and rendered unusable and unreadable by unauthorized persons .

The above definitions have been provided with some specific reasons that would be clearer as we go ahead and advocate the provisions of the Act.

However, definitions are very critical to the designing of the laws and hence I invite intense debate on the above definitions.

Naavi

(This is not an exhaustive list of definitions. More will follow)

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..