The Right to Privacy, as guaranteed by the Constitution and sought to be indirectly protected through DPDPA 2023, is a “Right of Choice” of an individual on how his personal information can be collected and used by another entity. The entity that processes the personal information is the “Data Fiduciary” (an individual or an organization), which is expected to be penalized if the obligations stated in the Act for processing of personal data are not complied with.
Any contravention of DPDPA 2023 results in the regulator (Data Protection Board or DPB) conducting an inquiry and imposing penalties on the Data Fiduciary. The Act provides for neither criminal consequences nor a personal remedy for the victim of the contravention.
“Impersonation”, on the other hand, is attributed to an act of an individual who uses an identity which belongs to another person. There is a relationship between privacy protection of an individual and impersonation of the individual, which needs to be identified and addressed by those looking at “Privacy Protection” as well as those looking at “Impersonation”.
In Privacy Protection, an individual often uses an assumed name for fun or for anonymity. Sometimes it is used by a data fiduciary without specific consent of the data principal as a security measure. As long as the alternate identification is not causing harm to another person, it may not matter. But when the name is “Confusingly similar” to that of another person and is used in a context where the consumer of the information could misunderstand the identity as belonging to that other person, we have situations where “Impersonation” as a “Crime” arises.
The borderline between “Pseudonymization” and “Impersonation” is thin and depends on the context and intention. For example, if I send an e-mail with the name Sunil Gavaskar and talk about cricket, and that too about a match in the 1980s, it is quite possible that the recipient of the message may take it to be a message from the cricketer Sunil Gavaskar. All celebrity names have this problem.
A similar situation arises with domain names, where the use of a confusingly similar name of another entity as a domain name is termed “Cyber Squatting”.
A question arises as to the relationship of the “Right to Privacy of Mr X” with the use of the name X by Mr Y as a pseudonym, either for an e-mail or for a website.
Is it a violation of the privacy of Mr X by Mr Y? Is Mr Y a “Data Fiduciary”? Is he using the pseudonym “X” for “Personal use” and therefore out of the scope of DPDPA 2023?
Similarly, when a false name is used for a domain name and e-mails are configured as @falseName, there is a potential impersonation effect.
In these cases, Mr Y has not received the personal information of Mr X and hence there is “No Notice” or “No Consent”. Neither DPDPA 2023 nor any privacy law has directly addressed this problem.
In this scenario, it becomes necessary to look at other laws such as ITA 2000 and see how they work along with DPDPA 2023 in ensuring that “Privacy” is protected in letter and spirit, whether the personal information is “Collected” or “Generated”.
This problem is accentuated in the era of AI and deepfakes, where information may be generated in such a manner that it may be wrongly attributed to another person and cause harm.
In view of the above, there is an unstated link between DPDPA 2023 compliance and compliance with Sections 66C and 66D of ITA 2000, or Section 66 of ITA 2000.
Compliance with DPDPA 2023 is therefore incomplete without compliance with ITA 2000 to some extent.
This has been captured in the DGPSI (Data Governance and Protection Standard of India) framework of compliance, which is the only framework in India that addresses DPDPA 2023 compliance.
Open to debate… Comments welcome.