(This is in continuation of our previous article)
While discussing the PDPA 2021 and inclusion of Section 3(23)(xi) we observe the following:
| Current PDPB 2019 Section 3(20) | Proposed PDPB 2021 Section 3(23) |
| --- | --- |
| (20) “harm” includes— (i) bodily or mental injury; | (23) “harm” includes— (i) bodily or mental injury; |
The whole concept of “Data Protection Laws” is built on the premise that an individual has a “Choice” on sharing of his personal data, which can be captured and given effect to by a third party until such time as the person “Withdraws” or “Modifies” his consent.
This is in itself like skating on thin ice and to top it with a responsibility to recognize the “Psychological Manipulation which impairs the autonomy of the individual” is a cruel imposition on the DPO and the organization.
What the “Autonomy” of an individual is and how it gets “Impaired” are going to pose a significant challenge to the industry.
We can recall the Cambridge Analytica case, where there was an allegation that personal information was used to develop an algorithm that could predict the political leaning of a subject, and that was considered an infringement of privacy rights. The Cambridge Analytica case reflected the global hatred for Facebook and created a precedent that has clouded the judgement of many regulators.
It is for this reason that “Profiling” and “Automated Decision Making” have become critical issues of data protection regulations.
While “Profiling” stops at making an educated guess to predict the behaviour of a person based on some transactional information available to a data fiduciary, the consideration of “Psychological manipulation” as a “harm” takes the regulation to a higher level since “Harm assessment” is part of Data Protection Impact Assessment and Data Trust Score Assessment.
While expert organizations like FDPPI will devise some acceptable standard under PDPSI to handle such issues, academically, there is a need to debate whether the inclusion of Section 3(23)(xi) in PDPA 2021 was required and whether it could be a provision which is not amenable to regulation.
In this context, we need to understand how the “Advertising” industry works. Advertising as well as Marketing works on the principle of AIDAS, under the premise that the buying behaviour of a target market has to be changed from “No awareness and No desire to buy” into an action to place an order.
In this process, we follow the steps of AIDAS: creating Awareness/Attention and Interest, which should be converted into a Desire for a product before pushing the individual into the Action of buying, and then following the Satisfaction of the buyer.
What PDPA 2021 does is to declare this age-old principle of marketing as “Unlawful”.
If, therefore, an advertising agency has to work on PDPA 2021 compliance, there is an issue: advertising tries to psychologically manipulate a large section of the population, though the agency does not know which data principal is being targeted when it releases an advertisement in mass media.
But it will not be long before the idea catches up where e-mail marketing, SMS marketing or advertisements in specialized media or advertising through subscription model TV broadcasting will all be red flagged as “Creating Harm”.
So far only advertisements on smoking, drinking etc. were considered harmful. The Bitcoin industry is fighting against the advertisement ban envisaged for Crypto Currencies. Now PDPA 2021 is likely to place the entire advertising industry, and along with it the marketing functions, under a question mark.
It would be interesting to know if the industry understands this issue and reacts.
If the Government wants to make a change, it is better to delete this 3(23)(xi) and let the earlier definition of harm be considered sufficient.
Now we shall get back to the question I had placed in the previous article to highlight how legislating what goes on in the mind of a person is not wise.
The question was
What is your response to an information stimulus represented by the following binary stream?
01001101 01101111 01100100 01101001
There can be three responses which we can discuss.
1. This is a number: 1,299,145,833 or One billion 299 million 145 thousand and eight hundred thirty three.
2. Another person says it is the name of a well respected global leader, Modi.
3. Another person says it is the name of a most hated Indian leader, Modi.
Whether this binary stream is a number or a set of English characters ‘Modi’ depends on the choice of the binary converter which the observer uses.
This means that 01001101 01101111 01100100 01101001 is either a number or a name based on the technology you use to convert it into human understandable data. Hence it is neither non personal data nor personal data per se. It is the observer who chooses to convert it into either a number or a name and hence he determines whether it is personal data or non personal data.
Once it is converted into the four letters Modi, whether it is considered as an “Objectionable” word or a “Biased” expression will be decided by Twitter based on who is tagging the content. If the binary is used in a sentence “….. is good”, then if you use an ASCII to text converter it should be treated as an attempt at “Psychological Manipulation”. If you use the ASCII to number converter, it may not mean “Psychological manipulation”.
If, therefore, we are assessing the harm caused by the information, we need to take into account the context, the observer and the device used for observation before considering if there is any attempt at “Psychological Manipulation”.
Under these complexities of human behaviour it is a moot question if the introduction of Section 3(23)(xi) was actually required.
Let us have the comments from others…
Naavi