Naavi.org

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

---

The  Privacy Protection law applied to “Data” revolves around

a) Collection of Personal information based on a proper consent of the data subject

b) Processing of collected personal information  according to the wishes of the data subject

c) Use of the processed personal information according to the consent of the data subject.

While “Consent” is the principal basis for personal data collection, processing and use, necessity of Governance and Business require recognition of certain circumstances where the “Consent” has to be deemed to exist. Such situations can be described as “Legitimate Interest”.

“Legitimate interest” covers not only the business requirements of the data controller but also the requirements of the Government and the interests of the Public, other data subjects, emergency situations etc.

Hence “Consent” and “Legitimate Interest” are the two main pillars under which the entire Data Protection Principles can be built.

The normal perception is that PDPB 2019 was “Consent dependent” where as GDPR was not. The reason was that under GDPR, Consent was only one of the several basis on which lawfulness of processing was defined

Article 6  of GDPR recognized the following as legal basis. :

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

In the above, point (b) is directly related to a deemed consent. Point (C) is the right of the data controller, (d) relates to emergencies, (e) relates to (Public interest) and (f) relates to other “legitimate interests” which are commercial in nature.

The business interest included under point (f) should be considered as including the “Advertisement” requirements since “Advertising” is the fundamental right of a business entity since it cannot exist without communicating to its target market, what services or products it sells at what price and how does it distinguish its products from the competition, what are the unique selling propositions etc.

We may notice that under Article 19(1) of the Indian constitution, fundamental rights of citizens include carrying on a business of choice. Curtailing the freedom of conducting a legal business in an efficient manner and earning a reasonable profit is therefore a right of every business entity. If this requires “Advertising”, we should not consider “Advertising” to be a taboo. If “Advertising” is allowed as a fair business practice, then market segmentation and targeted messaging for different markets as well as the profiling of consumers for the purpose of marketing are all legitimate interests of a Data Controller.

Let us therefore shed our misconception that “Advertising” is bad and “Profiling for advertising” is bad and look at what part of advertising and profiling is bad and how they can be avoided or addressed.

So far, no attempt has been made in the data protection laws for regulation of “Advertising” or introducing an “Ethical Code for use of a profile”. Most laws indicate that “Profiling” whether it leads to correct or incorrect perceptions about the data subject is outside the basic purview of “Purpose of Processing”. There is no appreciation that “Advertising” itself can be a “Purpose” for which profiling is created. We need to set right this inadequacy in our laws.

In most cases of personal data processing, profiling is an automatic occurrence. Just as the moment we see another individual, our mind creates a profile of the person  based on his demeanour. The science of “Body Language” is nothing but making an inference out of the visible profile of a person. It is not possible to prevent this human trait. Similarly, when an organization observes certain activity of an individual, an automatic “profile” gets created.

In GDPR we call this as “Automated Processing” and we require the legal basis. For some thing which automatically happens can there be a legal basis? is the moot point. Suppose a customer of Amazon says don’t profile me by my buying habits, will it be feasible for Amazon to delete all buying information as if there is a “Right to Forget” that exists? Firstly the transaction information that contains the personal data of the data subject is a “Joint Data” and Amazon has as much right as the data subject to keep the data and use it as long as “No harm is caused to the data subject”.

Hence just as before I shake hands with you for the first time, I make a statement, donot judge me by my looks, gender, accent, height or colour, such “Denial of consent” has no validity.

Similarly, “Profiling” is a process which is automatic and it is the essence  of understanding the consumer for the purpose of advertising or service. A blanket ban on “Profiling” or “Automatic Processing” is therefore not reasonable.

However, “Automated Decision Making” is different from “Automatic Processing” since automated decision making may involve a potential harm to the data subject.

Once a profile is created, the information may be used either by the Data Controller himself for the improvement of his business or the information may be shared with a third party advertiser. This “Sale” of personal profile is another taboo in data protection law and we often consider it as unacceptable.

A time has come for data protection professionals and the law makers to take a fair view of the needs of “Advertising” and allow certain level of personal data processing which is reasonable and not harmful to the data subject.

We can achieve our objective of protecting the privacy rights of individuals without unduly hurting the business interests by focussing our regulations on the “harm” that may be caused by the misuse of personal information rather than banning certain aspects of its “Use”.

If therefore “Advertising” is declared as a collateral or incidental purpose of personal data processing and a consent is sought from the data subject at the time of collection, it should be considered as a fair request.

For the time being, considering the revolutionary nature of this suggestion, I would like to consider that use of personal information for “Advertising” should be considered as a special use and an “Explicit Consent” may be obtained instead of an ordinary consent or deemed consent.

We can achieve this by declaring that an “Advertising Profile” of a data subject as a “Sensitive Personal Information”.

Now if we go back to our definition of sensitive personal information and processing, we recall that we stated as follows: (refer article 8)

Processing 

“Processing” is defined as any alteration of a binary sequence of data elements and includes data aggregation, data modification, data deletion, data disclosure, data publishing etc.

This was purely a technical definition and was not related to the purpose of processing and did not include “Profiling”.

We may now add the following for definition of Profiling:

Profiling

“profiling” means any form of processing of personal data that directly or indirectly analyses or predicts the behaviour, attributes or interests of a data principal.

Explanation:

Profiling includes purpose oriented collection and arrangement of personal data elements such as Advertising profile, Health Profile, Financial Profile etc.

Sensitive Personal Data 

Personal Data which which may reasonably cause significant harm to the individual  in the hands of unauthorized person is classified as “Sensitive personal data” and includes 

a) Credentials for accessing restricted data

b) Health data

c) Financial data

d) Sex related data

e) Biometric data

f) Genetic data

We shall now modify the definition of “Sensitive personal Information” by including item

(g) Advertising Profile.

Correspondingly, we shall define “Advertising profile” as follows:

Advertising Profile

Advertising Profile means a collection of personal data elements of a data subject/Data Principal that represents the profile of the individual in terms of his commercial activities such as buying of goods and services and includes the intelligent insights that may be developed about the individual that may be used for advertising purpose.

Kindly note that when we use the word “Profile” instead of “Data” to define “Sensitive Personal Information” we are clearly defining that it is not one single parameter that we are defining in this definition but a “Profile” which is a collection of several parameters.

Under this consideration, we can perhaps make corresponding changes in the list of “Sensitive personal information” to replace Health Data, Financial Data or Genetic data etc with corresponding profiles.

We therefore re-define the “Sensitive Personal Information” as follows.

Sensitive Personal Data

Personal Data which may reasonably cause a significant harm to the individual  in the hands of unauthorized person is classified as “Sensitive personal data” and includes 

a) Credentials for accessing restricted data

b) Health Profile

c) Financial Profile

d) Sex Profile

e) Biometric Profile

f) Genetic Profile

(g) Advertising Profile.

As regards the restrictions to be placed on use of information for Advertising, we shall cover it under the compliance requirements since it is related to prevention of harm to the data subject.

By focussing the regulation from “Collection and Processing” to “Misuse and Harm”, the industry would be relieved from the restrictive regime of business involving personal data collection and legitimate use and focus more on the harm caused by the misuse.

This shift of focus may be used by unscrupulous business entities who may take advantage of the weaknesses in the enforcement mechanism. Hence these suggestions need strict vigilance and enforcement.

Currently we use the Data Protection Impact Assessment and the Privacy By Design Policy as instruments to capture the intentions of a Data Controller or Data Fiduciary and follow up with the Concurrent audit and mandatory annual audit as well as the 4% turnover based penalty.

In order to increase the deterrence, any intentional contravention of a “DPIA” or “Privacy By Design Policy” (which in PDPB 2019 required registration) should be considered as “Breach of Trust” and made punishable as a criminal offence subject to a safe harbor clause based on “Due Diligence”. (These will be discussed in detail in subsequent chapters)

It may be necessary that the Due Diligence should include DPIA to be used in any profiling process and should be mandatorily subjected to a DPIA which will be filed with the regulatory authority.

I request the readers to send their comments on the above.

Naavi

---

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..

 

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

---

In discussing Privacy Regulations, it is important for us to appreciate that problems related to Privacy arise from two important concerns namely the “Surveillance” by the authority and “Advertising” by companies.

Surveillance concerns arise because of the distrust in the Government of the jurisdiction and is inseparable from the politics. It is not easy to raise above politics and look at the needs of “Governance” and “Law Enforcement” beyond the fact that today there is a a particular regime in place. In constructing a new dispensation of the law, it is important that we raise above politics and look at issues only and not which party in power when we discuss how much of leverage should be there for the law enforcement agencies in terms of exemptions and derogations.

“National Security”, “Public Public Safety” and “Law Enforcement” are “Duties” of a Government enforced through the Constitution. No Government can abdicate its duty to maintain Sovereignty Integrity of the Country and hence cannot create a Privacy Law in which its powers to enforce law  is limited by design. It is therefore ultra vires the constitution to expect that there will be restrictions placed on the requirements of National Security as well as Public Safety and Law Enforcement.

Every Citizen also has a duty to ensure that “Sovereignty and Integrity” of the nation as well as public safety is maintained and hence should cooperate with the enforcement of the law for this purpose. Not providing such cooperation could therefore be considered as a punishable offence.

Indian Constitution recognizes and the Privacy Judgement of the Supreme Court (Puttaswamy Judgement) endorses that the “Right to Privacy” of an Indian Citizen is subject to the following “Reasonable Restrictions” under article 19(2)  which states as under.

Article 19(2) in The Constitution Of India 1949

Nothing in sub clause (a) of clause ( 1 ) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right conferred by the said sub clause in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence

The above sub  section refers to Article 19(1) which states as follows:

Article 19(1) in The Constitution Of India 1949

(1) All citizens shall have the right

(a) to freedom of speech and expression;
(b) to assemble peaceably and without arms;
(c) to form associations or unions;
(d) to move freely throughout the territory of India;
(e) to reside and settle in any part of the territory of India; and
(f) omitted
(g) to practise any profession, or to carry on any occupation, trade or business

“Right to Privacy” is derived from Article 21 of the constitution which states as follows.

Article 21 in The Constitution Of India 1949

21. Protection of life and personal liberty

No person shall be deprived of his life or personal liberty except according to procedure established by law.

Though Article 21 itself does not by itself mention the reasonable exceptions, it is considered as applicable to all fundamental rights and the Supreme Court has further ratified this stand.

In the PDPB 2019, the Government was more conservative than what the Constitution provided by providing exemptions under Section 35 restricted only to

“the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; or for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order,”

It is interesting to note that the Constitutional provisions support exemption in respect of “Decency and Morality” or in relation to “Contempt of Court”, “Defamation” and “Incitement of an offence ( in general and not necessarily considered cognizable)” but Section 35 omitted the exemptions under the considerations of  Decency and Morality” or in relation to “Contempt of Court” and  “Defamation”.

It  also reduced the scope of “Preventing incitement to an offence” to only “Cognizable offence” and further only in respect of the sovereignty and integrity of India, security of state, friendly relations with foreign states or public order, again omitting the “Decency and Morality” as well as “Contempt of Court” and “Defamation”.

Section 35 of PDPB 2019 was therefore  more conservative than what was required under the constitution  and also well within the limits of the Indian Constitution .

However, there was a strong opposition to this section and probably such opposition could be ascribed to the judiciary which was perhaps unhappy that “Contempt of Court” was removed from the exemption.  I do not think that removal of  “Decency and Morality” or “Defamation” from the exemption was much  of a concern. However, public were not able to understand the motivation in opposing the provisions of Section 35.

It is a separate debate whether the Government could have avoided the controversy by simply not making any change in the “Reasonable Exception”. But in that case the clauses such as “Decency” and “Morality” as well as “Any offence even if it is not cognizable and only related to sovereignty and integrity of India,  security of state, friendly relations with foreign states or public order” and “Defamation” could have been considerations under which exemptions could be claimed by the Government. This would have provided more sweeping powers to the Government which could be misused later by another regime.

We therefore not only should support the version of the PDPB 2019 as regards the exemptions, but also re-iterate in the proposed New Data Protection Act of India by a specific section in the “Preliminary Chapter” on Applicability.

Remember that PDPB 2019 did not define Privacy or Information Privacy directly and left it to the interpretation under the Supreme Court judgement. We considered this as inappropriate and suggested that it is the responsibility of the Government to come up with a definition and not leave it to the interpretation of the complying organizations.  Expecting a complying organization to define what they are expected to “Protect” when the nine member Supreme Court bench or the Government abdicates their responsibility to provide clarity is considered unfair.

We therefore recommended the definition of Privacy to be included in the Act  as follows:

Privacy

“Privacy is a fundamental right under the Constitution of India as an independent right under the Right to life and liberty that guarantees an individual that shall not be infringed except under due process of law as defined in this Act and  includes the following.

(a) “Physical Privacy” means the choice of an individual to determine to what extent the individual may chose to share his physical space with others.

(b) “Mental Privacy” means the choice of an individual to determine to what extent the individual may chose to share his mind space with others

(c) “Neuro Privacy” means the choice of an individual to determine to what extent the individual may share his neuro space with others

(d) “Information Privacy” means the choice of an individual to determine to what extent the individual may share data about the individual with others.

Explanation:

1.“Sharing” in the context above means “making the information available to another human being in such form that it can be experienced by the receiver through any of the senses of seeing, hearing, touching, smelling or tasting of a human in such a manner that the identity  of the individual to whom the data belongs may become recognizable to the receiver with ordinary efforts”.

Now we propose that we can add a second explanation to this section as follows.

2. The Right to Privacy referred to in this section is subject to the reasonable restrictions in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; and  for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order,

---

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

The Government of India has released a press note as follows:

Inviting comments on the Consultation Paper on ‘Need for a new legal framework governing Telecommunication in India’

Legal framework for telecommunication in India is governed by Laws which were enacted long before India’s independence. Technology has evolved significantly in the recent decades.

Stakeholders have been demanding evolution of legal framework to keep it in tune with changing technology. Therefore, Ministry of Communications has prepared a consultation paper on need for a new legal framework in telecom sector.

The consultation paper may be accessed at https://dot.gov.in/whatsnew/consultation-paper-need-new-legal-framework-governing-telecommunication-india.

Comments may be sent on the email ID : naveen.kumar71@gov.

---

Some of my immediate observations on the consultation paper are captured below for the comments of the readers.

1. The objectives of the proposed new legal framework governing telecommunication in India to bring better administrative clarity is welcome.
2. Today, telecommunication has merged with the Digital world and the Telecommunication network has become a network for carrying digital data. It is therefore similar to a Wide Area Network of electronic data. It has hardware which includes the “Tower Network” and “Content” which is “Data” that flows between users. The carrier is the “Spectrum” which is a unique “Virtual” asset. The regulations should cover all these segments of business.
3. Out of the above three segments, regulation of Towers in the form of licensing, prevention of harm through the radiation, the right of way etc are one kind of regulations that need to be put in place.
4. Second type of regulation is related to the “Spectrum” management which is a right to use a certain frequency band. The “Electro Magnetic Radiation” emanating from the towers is a similar phenomenon of something travelling through air and having a consequence but difficult to conceptually describe in a law. “Spectrum Management and “Radiation Management” are special areas of regulation unique to this industry.
5. Third type of regulation is related to the content. Since the content generated, transmitted and stored by the telecom industry is mostly “Digital” the regulation can be merged with the regulation of digital content. In order to regulate the small part of analog communication, the digital law itself may be used by a “Deeming effect” by declaring that Analogue communication for the purpose of regulation in this industry is deemed to be “digital” in form and regulations meant for digital content may be extended to analog content as well.
6. Fourth type of regulation is related to the end user equipment for receiving and transmitting telecom signals which may include the “Set Top Boxes”, the Routers” etc. These are also similar to the digital data transmission and processing devices such as “Computers” and “Mobiles” and hence care should be exercised not to create overlapping regulations.
7. Since the MeitY has made some announcements that they may consider a “Unified” law for Telecommunications and Information Technology, the DOT may consider to restrict the “Telecom Law” to the special requirements of the Telecom industry which relate to “Spectrum Management” and place the issues related to tower management, content management, Set top management etc to the “Unified Digital Law” that may be drafted for integration of the Data Protection law and Information Technology Act.
8. The entire telecom network may be declared as “Protected System” under the current Section 70 of the ITA 2000 and declared as “Critical IT Infrastructure” . Special powers may be notified to regulate the Critical IT Infrastructure which may include the “Right of Way”.
9. Framework for mergers, acquisitions and Insolvency provisions etc are also similar to the issues that arise in IT (eg  insolvency of Net4India and merger of CIBIL with TransUnion) and can be handled by the Unified law.
10. The Universal Service Obligation can also be merged with the IT regulations under the Unified law.
11. Penalties, as well as Public Safety and National Security also can be merged with IT regulations under the Unified law.
12. Hence if the Telecom regulations address “Spectrum” issue, most of the legal requirements would be adequately addressed. Since “Spectrum” also has relations to the “WiFi” which is a concern of the IT industry, it may not be impossible to merge the spectrum regulation also with the Unified law though it requires some innovative thinking.

(Welcome Comments)

Naavi

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

We have so far discussed the definitions of “Privacy” and “Data” in the previous two articles.  In this article let us discuss the definition of different entities and their roles.

In GDPR, important roles for the data handlers are  Data Controller  Data Processor, c) Recipient and Joint Data Controller,

On the other hand, PDPB 2018/2019 defined the roles as “Data Fiduciary”, “Data Processor” and “Consent Manager”.

In the NDPAI, it is suggested that the Data Fiduciary should be considered as “Data Manager”.  The reason why we are suggesting this change is that the “Role of Data Fiduciary” as a “Trustee ship” for the entity which is determining the purpose and means of personal data processing is a good measure. But this “Trusteeship” responsibility is not very practical and it is difficult to expect the commercially minded “Data Controllers” to faithfully discharge the responsibility as a “Trustee”. The Conflict of interest is too strong for the concept to work efficiently.

At the same time, “Data Controller” reduces the importance of the Data Subject/Data Principal as if he is enslaved by the Data Controller. It is therefore necessary to identify a more balanced role to the entity which is today referred to as the Data Controller or Data Fiduciary.

I therefore suggest that the role of the entity which determines the purpose and scope of personal data processing as the “Data Manager”. This retains the superior position of the Data Principal who appoints the “Data Manager” for a specific task.

Also the GDPR defines “Means of Processing” and “Purpose of Processing” as the criteria for identifying the “Controller” status.  This needs a re-look. “Collection” and “Purpose” could be two better parameters to fix the responsibility of an entity as a “Controller”. “Collection” is a key criteria because it is only a “Collector of Personal Data” who is having a relationship with the data subject and can obtain a proper consent where required. It is not feasible for a “Controller” appointing another entity as a “Processor” to collect the personal data.

Secondly, once the “Controller” specifies the “Purpose” and hands over the personal data to a processor, the “Means of Processing” can be left to the processor to determine. In many practical instances, we find that Cloud Service providers offer many services for processing personal data under proprietary technology. They would like to offer their service with a commitment on the required output but would be reluctant to pass on the technology secrets on which they may have intellectual property rights.  Presently, all such processors need to be treated as “Joint Data Controllers” only and not “Data Processors”.

A “Data Processing Contract” specifies the purpose for which the data has to be processed and also specifies the “Security” requirements. Security would automatically include the provision that the data cannot be used for any “Unauthorized purpose”.  Hence with a control on “Purpose” and “Security” under a contractual obligation, the processor can be provided the freedom to preserve his intellectual property rights.

Under these considerations the definition of a “Data Manager” which replaces the term “Data Fiduciary” would be

Data Manager

Data Manager in the context of personal data is any person who collects personal data and determines the purpose of processing.

Data Processor

Data Processor in the context of personal data is any person who processes the personal data received from a Data Manager strictly in accordance with the specified purpose for which the personal data was collected from the data subjects.

The associated definition would be that of a “Person”. The term person may be used both as an “Individual” who could be a data subject and a Data Manager or Data Processor”.

The definition of a “Person” could be

Person

A “Person” in the context of personal data means

a) the individual whose personal data is collected by a Data Manager for an agreed purpose. 

b) the entity of any description which processes the personal data as a data manager or a data processor and includes an individual, corporate entity, partnership firm, society, association of persons, a Government department or any other juridical entity recognized under law.

The role of a “Consent manager” is recognized in PDPB 2019 and not in GDPR. It is an excellent proposition and in the context of the Indian environment where the data principals are less educated, and also have to grapple with language issues in understanding the consent requests and would benefit by the assistance that a “Consent  Manager” can provide.  “Consent manager” always is the “Collector of the personal data” and hence under the above definition of a “Data Manager” the “Consent Manager” is also a Data Manager. However, the “Consent Manager” is a specialized Data Manager since the only purpose for which he collects personal data is to act on behalf of the data subject for providing consent to other Data Managers and to exercise the rights of the Data Principal.

His role therefore is more as a “Privacy Protection Advisor” of the Data Principal. This role can be created by a “Power of Attorney” document without the need for this provision in the law. However, in order to ensure responsibility and accountability, to this important function, it is better for the law to declare this role under the term “Privacy Protection Advisor” instead of “Consent manager”. This will  avoid the clash of the term with a similar term used under the “Account Aggregator” concept of the RBI besides addressing the function of exercising of Rights on behalf of the data principal.

Considering the needs of the Indian society, it is suggested that the Act should encourage both corporate entities and individuals to take on the license as “Privacy Protection Advisors” (PPA) under a suitable accreditation system regulated by the data protection authority.  In this system, the PPA s could be called Category I, Category II or Category III advisors where the lowest category of advisors would be the professionals with necessary knowledge and commitment where as Category II could be firms of Category III advisors and Category I would be independent Corporate entities with a specified capital base and larger responsibilities to technically safeguard the data principals.

The Category III advisors would be like the Chartered Accountants or  or advocates who act individually within their respective professional responsibilities and Category II advisors would be like the CA firm or Lawyer firm where individual professionals who are Category III advisors can work together as a loose association.

This will enable development of professionals who can not only act as Privacy Protection Advisors for individuals but also as “Data Auditors” and would require to fulfill some accreditation criteria of the regulator.

Under this premise, the Consent Manager could be defined as follows.

Consent Manager

Consent Manager  is any person or association of persons or a company or any other juridical entity under any law and capable of being able to sue or be sued upon, which is  authorized by the Data Protection Authority  and may offer services as advisors to assist the individual data principals for providing informed consent to the data managers and to provide assistance for exercising their rights guaranteed under the Act. 

Joint Data Manager

Joint Data Manager in the context of personal data means any combination of two or more data managers who have agreed to share the responsibilities jointly and severally under this Act.

The GDPR defines a role as a “Recipient” who is neither a Data Controller or Data Processor. However, in the GDPR, since “Storing” of personal data is also considered as “Processing”, every recipient of identified personal data will automatically be a “Data Processor” or a “Data Controller”.

In the definition of a “Data Processor” which we used yesterday (article 8) we did not specifically include “Data Storing” as a “Processing activity”.

We defined “Processing” as follows.

“Processing” will be defined as any alteration of a binary sequence of data elements and includes data aggregation, data modification, data deletion, data disclosure, data publishing etc.

In this definition, we captured only such processes that alter the data as “Processing”.

In GDPR and PDPB 2019, “Storing” is also considered as “Processing”. However, considering that there are many service providers who only store data some times the containers of data in safe custody without any access to the data, it may be better to carve out “Storage of Data” as a separate activity not amounting to “processing”.

We therefore suggest that under the “Roles”, we can define a “Data Storage Agent” as a separate entity with a definition as follows.

Data Storage Agent

A Data Storage Agent in the context of personal or non personal data management means any person who is entrusted with the custody of data  for the purpose of safe custody only whether in a data container or otherwise and does not have right to access and will however be responsible for secure storage.

…Discussions will continue…. Comments and suggestions are welcome.

Naavi

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..

 

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

We have discussed the definition of “Privacy” in some detail in the last few articles. In particular, the suggestion that “Sharing” of identifiable data for processing within an algorithm in such a manner that the identified data is not exposed to a human being has evoked a long debate and I have tried to provide clarifications as required.

One residual query was in respect of what would happen if the anonymised processed data is shared as “Non Personal Data” and the recipient later de-anonymizes the anonymized data.  Obviously when data which was previously identifiable personal data but was anonymized by one processor and then released as “Non Personal Data”, the processor is expected to use an acceptable standard of anonymization which becomes the “Due Diligence” or “Reasonable Security Practice” on his part. When this is voluntarily shared by Processor A to a recipient B, Recipient B is not expected to de-anonymize the data. If Processor B does de-anonymize then Processor B would be guilty of a criminal offence (we shall discuss this later under penalties). At that time, Processor A would have to defend that it had followed “Due Diligence” and claim protection as an intermediary under Section 79.

I reiterate that the concept that the definition of “Sharing” for defining “Privacy”  should be restricted to disclosure to a human being and not an algorithm is a concept which is different from the GDPR jurisprudence.  It is however suggested because we feel that there is an opportunity for India to set new standards in designing a Data Protection Act which can be better than GDPR.

In order to recall all the discussions we had in this regard, we reproduce the definition of Privacy as suggested by us to be included in the NDPAI.

Privacy

Privacy is a fundamental right under the Constitution of India as an independent right under the Right to life and liberty that guarantees an individual that shall not be infringed except under due process of law as defined in this Act and  includes the following.

(a) “Physical Privacy” means the choice of an individual to determine to what extent the individual may chose to share his physical space with others.

(b) “Mental Privacy” means the choice of an individual to determine to what extent the individual may chose to share his mind space with others

(c) “Neuro Privacy” means the choice of an individual to determine to what extent the individual may share his neuro space with others

(d) “Information Privacy” means the choice of an individual to determine to what extent the individual may share data about the individual with others.

Explanation:

“Sharing” in the context above means “making the information available to another human being in such form that it can be experienced by the receiver through any of the senses of seeing, hearing, touching, smelling or tasting of a human in such a manner that the identity  of the individual to whom the data belongs may become recognizable to the receiver with ordinary efforts”.

We also re-iterate that it is the responsibility of the Government to define “Privacy” before going to place a responsibility on the industry to protect the Right to Privacy.

---

Definition of Data

Having defined that “Privacy” is related to protection of Personal data we need to now define

i) Data, Computer, Processing

ii) Personal Data

iii) Non Personal Data

iv) Sensitive Personal Data

v) Neuro data

vi) Harm to individuals

vii) Harm to Entities

viii) Critical Personal Data

ix) Sensitive non personal data

x) Critical Non Personal Data

xi) Significant Harm

xii) Joint  Data

xiii) Corporate Data

xiv) Business Data

xv) Minor Data

xvi) Personal Data of non citizens

xvii) De-identified Personal Data

xviii) Pseudonymized Personal Data

xix) Anonymized Personal Data

xx) Encrypted Data

Let us first place before the audience the proposed definitions of these 16 different kinds of data and later debate whether all these categories of data are to be defined.

We have consciously decided that we are pursuing development of  a “Privacy Code” that is a combination of present day PDPB 2019 and ITA 2000/8 and the proposed Non Personal Data Governance Act (NPDGA).

Though in the definition of Privacy we have included instruments of personal information contained in  “Oral” and “Paper” form, most of our discussions will revolve around “Data” which is the electronic form of storage of information.

When PDPB 2019 was contemplated, we already had ITA 2000 which had defined Data, Personal data,  Sensitive Personal data and the legal recognition to Data. Hence PDPB 2019 adopted the same definition of data and only made some changes to the definition of sensitive personal information. Presently there is an opportunity to find an improved definition and hence we are proceeding to suggest definitions which may be slightly at variance with the current ITA 2000/8.

i) Data, Computer, Processing

“Data” means information which is expressed or is capable of being expressed in a binary language and includes data in raw form where the binary elements are distributed in a chaotic state and data which is organized into bytes and sequence of bytes.

Correspondingly, “Computer” will be defined as  any device that can generate, process, store or transmit  data or delete data by destroying the organized form of binary distribution back to a chaotic form  and includes all hardware devices and applications which provide the functionality of generation of an organized set of binary expressions, processing them or storing them or transmitting them or handle them in any other form.

Further, “Processing” will be defined as any alteration of a binary sequence of data elements and includes data aggregation, data modification, data deletion, data disclosure, data publishing etc.

ii) Personal data

Personal data means any data that can with reasonable assurance be associated by the receiver with an identifiable living natural person and includes combination of different elements of personal data which in combination create a reasonably assured identity though the different elements might have been acquired from different sources and at different points of time.

iii) Non Personal Data

Any data which is not “Personal data” is “Non Personal Data” and includes Raw data in a chaotic distribution of binary, Corporate Data, Business transaction data, environmental data etc., which donot contain the association with an identity of any specific living natural person.

iv) Sensitive Personal Data

Personal Data which contains such personal data, which may reasonably cause a significant harm to the individual  in the hands of unauthorized person is classified as “Sensitive personal data” and includes 

a) Credentials for accessing restricted data

b) Health data

c) Financial data

d) Sex related data

e) Biometric data

f) Genetic data

An associated definition with Sensitive Personal Information would be the definition of “Harm” and “Significant harm”.

v) Neuro data

Neuro data means the electromagnetic signals that are collected from or fed into the human brain by a Brain Computer Interface in binary form.

vi) Harm to Individuals

“Harm” means any wrongful and adverse impact on the body, mind or property of an individual and includes 

a) Physical or Mental injury

b) Loss, distortion or theft of identity 

c) financial loss or loss of property

d) Loss of reputation or humiliation 

e) Loss of Employment or source of income 

f)  Threat to life and property including causing harassment or subjecting to extortion

g) Causing discriminatory treatment in the society.

h) Psychological or Neurological manipulation which alters the ability of an individual to take autonomous decisions

vii) Harm To Entities

“Harm” in the context of entities means any wrongful and adverse impact on the entity in terms of its property, reputation, business continuity, impairment or cost escalation.

viii) Critical Personal Data

Critical Personal Data means such personal data, deprivation, incapacitation or destruction of which would cause significant harm to an individual and includes biometric data or genetic data or unique official identifiers and personal data under the control of such entities or computer resources whose activities if incapacitated or impaired may have debilitating impact on national security, economy, public health or safety.

ix) Sensitive Non Personal Data 

Sensitive Non Personal Data means such non personal data which the deprivation, modification, deletion or wrongful sharing of  which may reasonably cause a significant harm to any organization including

a) Loss of Business

b) Loss of Money or Property

c) Loss of Reputation

d) Disruption of Business Continuity

e) Unreasonable increase in cost of operation

x) Critical Non Personal Data

Critical Non Personal Data means such non personal data, deprivation, incapacitation or destruction of which would cause significant harm to an entity and includes non  personal data under the control of such entities or computer resources whose activities if incapacitated or impaired may have debilitating impact on national security, economy, public health or safety.

xi) Significant Harm

Significant Harm means such harm caused to an individual or any other entity, which is irreversible or is reasonably difficult to correct once caused.

xii) Joint Data

Joint Data whether personal or non personal means such  data  that is generated during a transaction involving more than one individual or entity

xiii) Corporate Data

Corporate Data means data that can with reasonable assurance be associated with an identifiable non living individual including Government agencies or Partnership firms, proprietary concerns or association of individuals, Not for profit entities, and further includes combination of different elements of  data which in combination create a reasonably assured identity though the different elements might have been acquired from different sources and at different points of time.

xiv) Business Data

Business Data means any data related to a business or Governance transaction whether inclusive of elements of personal data or corporate data or not.

xv) Minor Data

Minor Data means any personal data associated with an individual who is of age less than 18 years.

xvi) Personal Data of Non Citizens

Personal Data of Non Citizens means any personal data of an individual who is not a Citizen of India as per the Citizenship Act of India.

xvi)i De-Identified Personal Data

De-Identified personal Data means such personal data from which all parameters of identity that may with reasonable assurance determine the association of the data with a living natural individual is removed and made inaccessible to the person to whom the data is disclosed. 

xviii) Pseudonymized Personal Data

Pseudonymized  personal Data means such personal data in which all parameters of identity that may with reasonable assurance determine the association of the data with a living natural individual are replaced with comparable but randomly altered data elements and made inaccessible to the person to whom the data is disclosed. 

xix) Anonymized Personal Data

Anonymized personal Data means such personal data from which all parameters of identity that may with reasonable assurance determine the association of the data with a living natural individual are removed and irrevocably destroyed so that the identity of the individual is rendered indeterminate to any person who is in possession of the residual data including the entity or person who caused the anonymization.

xx) Encrypted Data

Encrypted Data means such data that has been converted into a different data and  rendered unusable and unreadable by unauthorized persons .

The above definitions have been provided with some specific reasons that would be clearer as we go ahead and advocate the provisions of the Act.

However, definitions are very critical to the designing of the laws and hence I invite intense debate on the above definitions.

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

Naavi

(This is not an exhaustive list of definitions. More will follow)

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..