PDPA 2021: Regulating the human perceptions

(This is in continuation of our previous article)

While discussing the PDPA 2021 and inclusion of  Section 3(23)(xi) we observe the following:

 

Current PDPB 2019

Section 3(20)

Proposed PDPB 2021

Section 3(23)

(20) “harm” includes—

(i) bodily or mental injury;
(ii) loss, distortion or theft of identity;
(iii) financial loss or loss of property;
(iv) loss of reputation or humiliation;
(v) loss of employment;
(vi) any discriminatory treatment;
(vii) any subjection to blackmail or extortion;
(viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal;
(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or data principal;

(23) “harm” includes—

(i) bodily or mental injury;
(ii) loss, distortion or theft of identity;
(iii) financial loss or loss of property,
(iv) loss of reputation or humiliation;
(v) loss of employment;
(vi) any discriminatory treatment;
(vii) any subjection to blackmail or extortion;
(viii) any denial or withdrawal of a service, benefit or goods resulting from an evaluative decision about the data principal;
(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; (***)
(x) any observation or surveillance that is not reasonably expected by the data principal;
(xi) psychological manipulation which impairs the autonomy of the individual; or
(xii) such other harm as may be prescribed;

The whole concept of “Data Protection Laws” is built on the premise that an individual has a “Choice” on sharing of his personal data which can be captured and given effect to by a third party until such time the person does not “Withdraw” or “Modify” his consent.

This is in itself like skating on thin ice and to top it with a responsibility to recognize the “Psychological Manipulation which impairs the autonomy of the individual” is a cruel imposition on the DPO and the organization.

What is “Autonomy” of an individual and how it gets “Impaired” are going to pose significant challenge to the industry.

We can recall the Cambridge Analytica case where there was an allegation that the personal information was used to develop an algorithm that could predict the political leaning of a subject and that  was considered as an infringement of the privacy rights. The Cambridge Analytica reflected the global hatred for FaceBook and created a precedent that has clouded the judgement of many regulators.

It is for this reason that “Profiling” and “Automated Decision Making” has become a critical issue of data protection regulations.

While “Profiling” stops at making an educated guess to predict the behaviour of a person based on some transactional information available to a data fiduciary, the consideration of “Psychological manipulation” as a “harm” takes the regulation to a higher level since “Harm assessment” is part of Data Protection Impact Assessment and Data Trust Score Assessment.

While expert organizations like FDPPI will device some acceptable standard under PDPSI to handle such issue, academically, there is a need to debate whether the inclusion of Section 3(23)(xi) in PDPA 2021 was required and whether it could be a provision which is not amenable to regulation.

In this context, we need to understand how the “Advertising” industry works. The Advertising as well as Marketing works under the principal of AIDAS  works under the premise that the buying behaviour of a target market has to be changed from “No awareness and No desire to buy” into an action to place an order.

In this process, we follow the steps of AIDAS or creating an Awareness/Attention and Interest which should be converted into a Desire for a product before pushing the individual into the Action of buying and then follow the Satisfaction of the buyer.

What PDPA 2021 is to declare this age old principle of marketing as “Unlawful”.

If therefore an Advertising agency has to work on PDPA 2021 compliance, there is an issue  that the advertising tries to psychologically manipulate a large section of the population though the agency does not know which data principal is being targeted when it releases an advertisement in a mass media.

But it will not be long before the idea catches up where e-mail marketing, SMS marketing or advertisements in specialized media or advertising through subscription model TV broadcasting will all be red flagged as “Creating Harm”.

So far only advertisements on smoking, drinking etc were considered harmful. The Bitcoin industry is fighting against the advertisement ban envisaged for Crypto Currencies. Now PDPA 2021 is likely to place the entire advertising industry and along with it the marketing functions under a question mark.

It would be interesting to know if the industry understands this issue and reacts.

If the Government wants to make a change, it is better to delete this 3(23)(xi) and let the earlier definition of harm be considered sufficient.

Now we shall get back to the question I had placed in the previous article to highlight how legislating what goes on in the mind of a person is not wise.

The question was

What is your response to an information stimuli represented by the following binary stream.

01001101 01101111 01100100 01101001

There can be three responses which we can discuss.

  1. This is a number : 1,299,145,833 or One billion 299 million 145 thousand and eight hundred thirty three.

2. Another person says it is the name of a well respected global leader, Modi

3. Another person says it is the name of a most hated Indian leader, Modi

Whether this binary stream is a number or a set of English characters ‘Modi’ depends on the choice of the binary converter which the observer uses.

This means that 01001101 01101111 01100100 01101001 is either a number or a name  based on the technology you use to convert it into a human understandable data. Hence it is neither non personal data nor personal data per-se. It is the observer who  choses to convert it into either a number or a name and hence he determines whether it is personal data or non personal data.

Once it is converted into the four letters Modi, whether it is considered as an “Objectional” word or a “Biased” expression will be decided by Twitter based on who is tagging the content.  If the binary is used in a sentence ” ….. is good”, then if you use an ASCII to to text converter it should be treated as an attempt for “Psychological Manipulation”. If you use the ASCII to number converter, it may not mean “Psychological manipulation”.

If we are assessing the harm caused by the information therefore, we need to take into account the context, the observer and the device used for observation before considering if there is any attempt for “Psychological Manipulation”.

Under these complexities of human behaviour it is a moot question if the introduction of Section 3(23)(xi) was actually required.

let us have the comments  from others…

Naavi

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.