I refer to an article today in Financial Express titled “Personal Data Protection Bll: Will it disrupt our data eco system?
This article discusses the importance of the early passage of PDPB 2019 and at the same time highlights the possibility of the act impairing the digital economy of the country by referring to the difficulty arising out of the wide scope of the definition of personal data.
There are no two opinions that the Act when it comes will cause disruption in the industry and the Government departments who have no clue on Privacy Management now will be the worst hit. The private sector will be in a far better position since the professionals in the private sector are aware of Privacy protection because of their exposure to GDPR and other laws. This could be one of the reasons why Government departments may have to be given a slightly longer time frame for implementation than the private sector though it would raise a hue and cry of discrimination in the industry circles.
The concerns expressed in the article are
- The wide scope of definition of personal data deviates the core proclaimed purpose of the legislation which is protecting the privacy of individuals.
- Curtailing the expansion of digital technology driven activities in the false pretext of privacy could lead to a decline in the growth trajectory. There is no legitimate need to regulate the creation and use of every data set or processing of data.
- Restricting data storage is thus of no use.
- Giving notice to everyone is not possible and does not ensure better rights to data subjects.
- The economic impact of this legislation should be deeply examined and reconciled before moving ahead with it.
The article is well written and the views are well articulated. However, we need to present our views on the concerns expressed above.
It is clear from the last concern above that the author has advocated possible deferment of the passing of the law. It is strange that two years back all advocates were shouting that Indian Government does not want to enact a Privacy protection law because the Government does not want to bind itself to a discipline in the usage of personal data of its citizens etc. They all forced Supreme Court to come with a hurriedly conceived judgement on Privacy and the Aadhaar related decision in which the Supreme Court declared that Privacy was a fundamental right of a citizen of India protected under Article 21 of the Constitution. The Court also extracted an assurance from the Government that they will soon introduce a robust law for the purpose of privacy protection.
The Government went ahead, constituted the Srikrishna committee and came up with the first draft of PDPA 2018 as presented by the committee to the Parliament. When it was sent for public comments, elections intervened and a new version had to be introduced as PDPB 2019.
But now the same people who wanted the legislation earlier has realized that the law would bring in greater hurdles to the business than the Government itself and are now using all their skills not to let the Government go ahead with the passage of the Bill. There are frequent articles in news papers providing suggestions which in the end only mean that another version of the Privacy Protection Bill has to be worked out by the Government. This game has been going on for several years now and several draft bills have been earlier presented to the Parliament in the earlier regimes only to be kept pending in JPCs until the Parliaments end their term. We hope this Government will be different and finally come up with the passage of the Act or face a serious contempt charge from the Supreme Court.
We need to therefore consider how we can move ahead with the current version of the bill with minor modifications. Fortunately the Bill has enough flexibility to ensure that regulations from DPA can address most of the concerns and it is not necessary for all concerns to be addressed only in the Act.
The author (FE article) has spoken about the consent mechanism and considered it impractical to obtain the consent from every data principal. However, by the very definition of “Privacy” being an ability to exercise “Choice”, there will be no “Privacy Protection” without giving a choice to the data principal to determine how the data may be processed. PDPB takes into account several practical instances in which consent may not be necessary both for the Government and the private sector. Hence the concern is addressed.
The author of the article has also objected to the data storage limitation principal. However since the permission is linked to the purpose of processing and the data storage can be extended if the purpose demands or the legitimate interest of the data fiduciary requires extension, the concern has been adequately addressed.
The concern that the Act tries to regulate every bit of data that is created and this would hamper the industry has to be seen in the context of what is “Data” and what is “Personal Data”.
Personal data is part of the data and hence if we want to regulate Personal data as the Supreme Court wants, there is no way you cannot regulate the non personal data in some form. Personal data and Non personal data are like two sides of the same coin
Hence PDPA while regulating Personal data has to also say what it does leave out as Non Personal data since Personal data is carved out of total data.
Regulating personal data therefore hinges on what data we carve out of the total as “Personal Data” so that the regulations can be applied there in.
Hence the definition of “Personal Data” is the most critical part of the regulation and if we can agree on the definition, most of the disagreements that different segments of the industry have on the Act will perhaps reduce or even evaporate totally.
Currently, PDPA defines Personal data as
“personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;
Under GDPR,
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The two definitions have a small difference intended or otherwise. The GDPR definition refers to the “identifiers” and gives examples such as “Name”, location data, online identifier etc. The author of the FE article makes a reference to the European Court of Justice and even adds the “Answer sheet in an examination” as an identifier.
The PDPA does not name the identifiers but it is natural for people to extend the GDPR identifiers as also identifiers for PDPA to differentiate between Personal data and non personal data.
We need to deeply think here when does a data which is in the hands of a data fiduciary become “Personal Data”. No data is born “Personal” it acquires the status during the life cycle which starts from raw data and journeys through the state of non personal data, to personal data to sensitive personal data until it is destroyed or converted into other states such as de-identified data or anonymized data.
So, if there is a data
01110110 01101001 01101010 01100001 01111001 01100001 01110011 01101000 01100001 01101110 01101011 01100001 01110010
it is simply data and neither personal or non personal.
If a viewer sees this through an ASCII converter, his computer would display a conversion of this data into
vijayashankar
Now in this context is the first set of binaries “Personal data”? It perhaps became so because some body decided to convert it. Is it not similar to identifying a de-identified data?
The law is not clear about this.
Now having converted the binary stream into a text read as “vijayashankar”, does this amount to personal data? Does this identify a living natural person? What makes one think that vijayashankar is a name of a person? why can’t it be the name of a place?
In the absence of further clarification, will “vijayashankar” be called personal data?.. The law is not clear.
If we adopt the logic expressed in the FE article and what is also prevailing world wide, the name is an identifier, IP address is an identifier, email address is an identifier etc. But who says some thing is a name or email address?. If I name my company as Naavi@Naavi.org and register it, then is it the name of the company or the email address of naavi and who is naavi, is he an object, or person etc, are the things which make the information unable to be identified as a personal information.
Hence we must accept a definition where no information is personal or otherwise per-se. It becomes personal in relation to the conversion of the binary data into a human experienceable form and in the eyes of the beholder, it represents a person.
This is the concept which Naavi’s theory of data adopts as the “Definition Hypothesis” of data.
Does PDPA accept this principle? or fall into the check list approach of the other world to give a list of 18 parameters (as in HIPAA) or any other number of parameters that we can imply in GDPR?
As of now the definition in PDPA remains unclear. Hence “vijayashankar” or “naavi” or “naavi@naavi.org” as independent data elements are not automatically “Personal Data”. But if the “beholder” knows that there is one natural person who responds when you call out “vijayashankar” or “naavi” or send an email to naavi@naavi.org, because of such knowledge, the data becomes personal data in his custody.
The same data in the custody of somebody else who has no clue to what is “vijayashankar”, it is a non personal data.
The definition of personal data should therefore incorporate the “User of the Data” who may be a Data Fiduciary in this context and his knowledge to identify any set of characters as personal data or otherwise.
I am not sure how if this should be done by amendment of the definition of the personal data or we should leave it to the DPA to clarify.
As a suggestion, I would recommend consideration of a revised definition of “Personal Data” to ensure that this definitional uncertainty is removed.
‘personal data’ in the context of its use by a data fiduciary and the knowledge of the data fiduciary, means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
In such a definition no single stream of binary data is called “Personal” unless it is associated with one or more other binary streams which together indicate that the data set is an identifiable personal information. Hence vijayashankar, email:naavi@naavi.org would together be called personal data while individually, vijayashankar or naavi@naavi.org cannot be called personal data.
Comments of experts are invited.
Naavi
Can you check you mean Hence vijayashankar, email:naavi@naavi.org would together be called personal data while individually, vijayashankar or naavi@naavi.org cannot be called personal data. I mean cannot is missing or you mean both are personal data.
Thanks for pointing out the typo…I have corrected…