Consent for Anonymization is a self contradiction and a potential violation of the fundamental right under Article 19(1)(g)

After the Kris Gopalakrishna Committee on Non Personal Data Governance (KGC) submitted its first report, public comments had been invited. Now the Government has published a revised report after receiving the comments and has requested a second round of public comments, to be submitted before 27th January 2021.

Comments can be submitted here

The revised report can be accessed here.

From the publication, it appears that this is a report revised by the Committee itself and not by the MeitY.

One of the major revisions appears to be in reiterating that in the Personal Data Protection Bill 2019, Sections 91(2) and 93(x) may be omitted.

Section 91(2) stated :

(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.

Section 93(x) stated:

(x) the manner in which the Central Government may issue a direction, including the specific purposes for which data is sought under sub-section (2) and the form of disclosure of such directions under sub-section (3) of section 91; or

This does not make any material difference to the Personal Data Protection Bill (PDPB) though it will satisfy the demands from some of the opponents of the Bill who had identified this as a point of contention.

The other major point that could impact the PDPB 2019 is the recommendation regarding Consent for Anonymized Data.

The revised report suggests that “Consent should be obtained from the data principal for anonymization of personal data”.

It may be observed that Naavi has suggested the inclusion of the consent for anonymization as part of the Notice/Consent format to be used under PDPSI (Personal Data Protection Standard of India) as a measure of compliance under the principle of “Abundant caution”.

However, personally, it is necessary to record that this proposition is not considered necessary and is perhaps self contradictory to the major objective of the Non Personal Data Governance (NPDG) regulation. It may also not be fully in conformity with the principle of “Right to Carry on Business of choice” in the constitution as per Article 19(1)(g).

According to Article 19(1)(g), it is a fundamental right guaranteed by the constitution to “practise any profession, or to carry on any occupation, trade or business”.

Why is this Provision Self Contradictory?

The revised KGC report states

“It is clear from industry feedback to the Committee and from its own research that large collections of anonymized data can be de-anonymized, especially when using multiple non-personal data sets”

Accordingly, it is suggested by the revised recommendations that “Data Collectors” at the time of collecting personal data should provide a notice and offer the data principal the option to opt out of the data anonymization.

This suggestion is considered as “Self Contradictory” since it directly negates the very definition of “Anonymization” as provided in the PDPB 2019.

According to Section 3(2) of the PDPB 2019, Anonymization is defined as follows.

(2) “anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority;

The Data Protection Authority is expected to provide the necessary technical guidelines to determine what is the yellow line between “Identifiable Personal Data” and “Anonymized Personal Data”.

The new recommendations appear to express a lack of confidence in this definition and in the ability of the DPA to find an acceptable technology recommendation for determining what constitutes an “Irreversible process”.

The argument that “Anonymized data can be de-anonymized” and its acceptance as a legal principle is a dangerous precedent. The same argument can be extended to “Encrypted Data can be Decrypted”.

If we presume that “Encrypted Data can be decrypted” then any data leak consisting of “Encrypted Data” has to be considered as a “Data Breach”. This goes against the accepted principles of Data Protection recognized even under laws such as HIPAA/HITECH Act and takes “Encryption” out of the equation constituting “Security of Information”.

If Anonymized data can be de-anonymized, then we have to accept that encrypted data can be decrypted. It is only a question of “Technology used for breaking Anonymization or Encryption”, “Efforts applied” and “Intention”.

Accepting the suggestion therefore is a serious blow to the Information Security principle that “Encryption Secures Information”.

The more practical way of addressing the concern is to clarify that “Anonymization” is an “Irreversible process”, meeting the standards of “Reasonable irreversibility” to be notified by the Data Protection Authority.

If some Data Analytics company or a Data Analyst applies efforts which are large enough, any encrypted data can be decrypted or any anonymized data can be identified. If such effort is being applied, it must be considered that the intention is “Malicious” and the identification should be considered as a contravention of Section 82 of PDPB 2019 and punished accordingly. It may also be considered as “Diminishing the value of information residing inside a computer or affecting it injuriously by any means” under Section 43-66 of ITA 2000 and punished accordingly.

Hence there is sufficient deterrence in the law to ensure that breaking the anonymization as per the standard prescribed cannot be “Presumed”. If this can be “Presumed”, then every regulatory feature prescribed in PDPB can be presumed to be incapable of being regulated, and this would itself be self contradictory.

Why the Provision is Unconstitutional

If Anonymization as per the standards set by the Data Protection Authority is followed, then the “Identifiable Personal Data” becomes “Non Personal Data” and becomes the subject matter of governance under the new law, namely the Non Personal Data Governance Act (NPDGA). The objective of this NPDGA would be to unlock the value in the data which is considered “Non Personal”.

A substantial part of the Non Personal Data includes “Anonymized Personal Data”. If there is no freedom for the Personal Data Collector to use “Anonymized personal data” as “Non Personal data” and unlock the value, then the business arising thereof is being effectively killed. In such a case, any personal data which is collected for a specific purpose and limited for usage to the time until the purpose is accomplished will have zero value after the purpose is completed, since it has to be mandatorily extinguished.

If we consider “Profile” as also “Personal Data” then all the profiles also need to be extinguished after the purpose for which the profile data was collected. On the other hand, if the “Profile data” could be anonymized then it would be useful to the community without adversely affecting the privacy interest of the individual.

It is to ensure that personal data collected should be useful to the community that the principle of “Permitted Data Processing and Disclosure” allows exceptions to some of the restrictions on personal data processing for Public Interest, Emergent requirements of the data principals and others, as well as the law enforcement.

Along with these rights of the society in public interest, safety and law enforcement, the right of a business to carry on business with anonymized data in a manner that does not adversely affect the privacy of the erstwhile identifiable personal data must be considered as “Legitimate Interest” of the business and protected under Article 19(1)(g).

Hence the proposition is considered unsustainable from the point of view of fundamental rights.

Rights Cannot be recognized in “Re-birth”

In India we believe that individuals go through cycles of birth and death and all of us have a history of previous births. There have been many instances where hypnotists have claimed that through “Age Regression” they can extract the previous birth information of an individual. Some studies appear to suggest that some past birth experiences are also proved correct. The Nadi Astrology system also supports the views of “Karma” from “Previous birth” having an impact on the present life of an individual.

Without going into the details of a discussion on this subject of Re-births, I would like to point out the similarity of the individual’s re-birth to the re-identification of anonymized personal data.

Once personal data is anonymized (as per standards prescribed in law), then it must be considered as “Dead”. Just as we cannot recognize the legal rights of property or family relations of a previous birth because a hypnotist can extract what appears to be “Evidence” of a previous birth, we cannot provide rights to the data principals whose private data has been anonymized and which a criminal data scientist de-anonymizes for commercial benefit.

Hence the concept of “Data, Re-born” should not be provided sanctity under law as much as the rights of a person on his previous birth cannot be recognized under law. It would be like recognizing the right of a person to write a will that if he returns in his next life, the property should be restored to him in the new birth.

Suggestion

It is therefore suggested that the recommendation of the “Revised Kris Gopalakrishna Committee report” regarding the “Consent for Anonymization” be rejected.

However the definition of “Anonymization” under Section 3(2) of PDPB 2019 can be modified as under.

(2) “anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority, by reasonable, non malicious efforts.

It can also be suggested that a definition of “De-Anonymization” can be added to the PDPB as

3(..) De-anonymization means converting “anonymized personal data” which has been subjected to a standard irreversible anonymization process as per Section 3(2), to a state where it can be identified as personal data either partially or fully, whether accurately or not.

Inclusion of the above definition of “De-anonymization” would meet all the concerns that the revised Kris Gopalakrishna Committee report expresses.

 

 Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.