In interpreting any personal data legislation, there is a need to clearly understand the term “Personal Data”. The definition of “Personal Data” has to also relate to the definition of “Person” and “Business Contact data”.
In DPDPA 2023 Personal Data is defined as any data about an individual who is identifiable by or in relation to such data. Note that the term used here is “Individual” not person. Hence personal data is individual data.
On the other hand, “Person” is defined as including an individual, HUF, Company, firm, association of persons, State and every artificial juristic person. This definition is relevant to “Person” for being considered as a “Data fiduciary”.
Many professionals get confused and think data about a company is also “Personal Data”. I hope the above provides clarity in this respect.
DPDPA does not define “Business Contact Data”. However Section 8(9) mandates that a Data Fiduciary shall publish the business contact information of the DPO/Compliance officer.
In Singapore PDPA 2012, “business contact information” is defined as an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes;
In the GDPR scenario, work email is considered part of “Personal Information” .
Will Indian DPDPA 2023 refer to Singapore definition or GDPR definition may be clarified later in the notification.
At present we can conclude that since “Business Contact Information” is an information which is mandatorily made public under Section 8(9) of DPDPA 2023, it is not subject to the rights associated with Personal Information. Hence the definition is in tune with Singapore information.
The GDPR definition is not practical since DPO is a point of contact for any data subject contact and hence his contact information such as the e-mail address and perhaps a telephone number has to be made public. Probably the GDPR can be interpreted to require publishing of the email ID of the DPO as email@example.com and not by name of the DPO. In the Singapore law there is a clear understanding that if the information is for business purpose and not solely for personal purpose it is considered as Business Contact address. This is more logical and fits into the Indian definition.
There is another aspect of Personal Data that needs clarification worldwide. It is related to “Transaction Data”. Just as we say two hands are required to clap or give a high five, two (or more) persons are required for a conversation or a transaction.
Any data generated in such an interaction has to be considered as jointly belonging to all the participants of the event.
Hence data related to a joint activity should not be considered as personal data of either of them but a transaction data between both of them. Both will therefore have equal right on the data.
In case of personal conversation like the telephone conversation, there should be a right for each of them to record. If A sends an email to B, B can use the e-mail data at his discretion and cannot consider it as personal data of the sender.
Similarly in an E Commerce transaction or a business transaction the data related to what Mr A bought and for how much etc., is not to be considered as Personal Data but as “Transaction Data”.
Justice Srikrisha in his report of 2018 mentioned the need to consider “Community Data” as a category of data for which law has to be created outside PDPB 2018 which he suggested as the law for personal data. Subsequently Kris Gopalakrishna Committee also endorsed the view that data created by a group is Non Personal Data .
Now it is time to reiterate this concept that Data generated jointly by more than one individual or between an individual and an organization (which includes the Business E-Mail in the name of the company) is not “Personal Data” but is “Joint Personal Data” or “Non Personal Data”.