Is there a “Regulatory blind spot” in DPDPA?

As part of the narrative being built up, an article has appeared in livelaw.in under the credit of Mr Udhav Gupta and R Sathvik with the title “Regulatory Blind Spot in India’s Digital Personal Data Protection Framework”.

Let us examine some of the comments made therein and address the question of whether there is a flaw in DPDPA.

Secondary Data Fiduciary

The point of contention in the article is that DPDPA has deliberately excluded coverage of non-digitized data to reduce the administrative and financial burden on the country. The article goes on to state that this gives rise to a “Secondary Digitized data derivative fiduciary”, which is an entity that obtains non-digitized data from another entity and digitizes the data.

This is an interesting nomenclature of an entity as a “Derivative Fiduciary”. The authors argue that “Since the data was never ‘collected digitally’ from the individual, the Fiduciary operates under the assumption that they owe no duty to the Data Principal, rendering the individual’s rights to correction or erasure unenforceable.”

However, Section 3(a)(ii) of DPDPA states that the Act is applicable to the

“processing of digital personal data within the territory of India where the personal data is collected in non-digital form and digitised subsequently”

Hence the notion that the secondary fiduciary may think he does not have an enforceable duty under the Act is completely illusory.

When personal information collected in non-digital form is used in non-digital form only throughout the life cycle of its usage, it is out of the scope of DPDPA. In every other instance, where in any part of the lifecycle of processing it is digitized, DPDPA will apply.

Yet another interesting aspect which the authors have missed is the definition of “Data” under ITA 2000.

According to section 2(o) of ITA 2000,

“Data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

If, therefore, the first Data Fiduciary (like the hospital or the bank referred to in the article) intends to process the manually collected data in digital form at any point during the lifecycle of the data, the data is “Digital Data” ab initio.

In case the first data fiduciary has collected personal data manually for a certain purpose and has completed that purpose, he needs to consider the permission for collection as exhausted and delete the data.

If the first data fiduciary wants to use the data collected manually for a subsequent process, either by himself or by a subcontractor, the permission should be obtained while collecting the data in manual form, since it is “Digital Data” ab initio. If he had no such decision in the beginning and it is an afterthought to sell the data to another entity, it is a violation of DPDPA and attracts a penalty. If there is a way of anonymizing the data by obfuscating the identity, for example by collecting the form in two parts, one containing the personal data and the other the non-personal additions, and removing the portion containing the personal data before sharing the other portion with any other researcher or data storage entity for future use, it can be justified as sharing of anonymized or de-identified data for research or another legitimate purpose.

Hence there is no “Severance of Data Provenance” as feared by the authors. There is also no “Outsourcing loophole” as claimed in the article, nor any possibility of monetization of the data by the secondary data fiduciary without the permission of the original data principal.

The secondary data fiduciary holding identifiable data in digital form after scanning the physical data is therefore simply a “Joint Data Fiduciary”. If he does not hold identifiable data, he could be a “Data Processor”.

Going further, the authors claim that the Puttaswamy judgement propounded a “Doctrine of Proportionality”, under which the Government failed to recognize that a part of the data in the universe is collected in manual form, and that this part is large enough that an Act covering only digital data fails any “Proportionality doctrine”. Here the concept of “Proportionality” is being wrongly applied to law making.

The Puttaswamy judgment only declared that Privacy is a fundamental right. It said that the M P Sharma judgement, which had prevailed as the Supreme Court judgement till then, needed to be considered as incorrect. Otherwise, the obiter dicta associated with the judgement only argued that the need to consider Privacy as a fundamental right is high in the current era of digitization. It did not say that the Government has to make a comprehensive law to protect the Privacy of an individual. In fact, the judgement did not even define the word “Privacy”, and hence the question of the Government defining “Privacy” in digital and non-digital form did not arise at all. The judgement only reiterated the position under the Constitution, and both the Government as well as the Private Sector (by virtue of Kaushal Kishor Vs UP Government) are obligated to protect privacy with or without a new law.

Our rural population today uses digital communication, and even when a manually collected list of phone numbers is used by a data fiduciary to call people on a digital phone, the manual data gets converted into digital data. Hence the amount of data which is generated and maintained in non-digital form throughout its lifecycle is insignificant in India. The argument of “Proportionality” between digital personal data and non-digital personal data is therefore non-existent.

Considering the risks that personal information in digital form presents, DPDPA recognized a “Right to protect personal Data” and went on to draft DPDPA as a law to make data fiduciaries take proactive steps to protect personal data. Further, there was Section 43A of ITA 2000, which already imposed an obligation applicable to “Body Corporates” and “Sensitive Personal Information”; this has now been expanded to cover the Government and even individuals who use personal data for non-domestic (business) purposes, and to all personal data without restricting it to sensitive personal data only.

Hence there is no “Proportionality Challenge” under the Puttaswamy judgment which has been deliberately bypassed.

In conclusion, the authors argue that there is a need to redefine the concept of Data Principal to include the “Original Source”, and to align the definition with that of an “Affected Party” under laws like the CrPC (BNSS).

This is considered unnecessary, since no “blind spot” exists. Personal data is the property of a data principal, and it is his right to transfer it to the data fiduciary with or without the further right to transfer or monetize it. It would be the responsibility of such data fiduciary to remain responsible for compliance throughout the life cycle of the data. He does not have any right to transfer personal data to a secondary data fiduciary, enabling use of the data without the permission of the data principal. The concept of “Original source” is embedded in the way we understand who is a “Data Principal”. As regards the “Affected party” definition, it is relevant in ITA 2000 and not in DPDPA. DPDPA does not provide any remedy to the data principal in financial terms. It only protects certain “Rights of the Data Principal” and requires the Data Fiduciary to initiate steps for such protection, failing which the penalties would be applicable. Simultaneously, the Data Principal can approach the Adjudicator under ITA 2000 as an “Affected Party” and claim whatever compensation is possible. Simultaneously, the prosecution can move under ITA 2000 or BNS and take criminal action against whoever “Affected” the data principal adversely.

In summary, the arguments presented in the Livelaw.in article are not correct.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.