Naavi.org

(This is in continuation of the earlier post)

I have received a copy of a communication supposed to have been sent by the Secretary General of the INS (Indian Newspaper  Society) to the publications as an advisory which is reproduced below:

I refer to an article today in Financial Express titled “Personal Data Protection Bll: Will it disrupt our data eco system?

This article discusses the importance of the early passage of PDPB 2019 and at the same time highlights the possibility of the act impairing the digital economy of the country by referring to the difficulty arising out of the wide scope of the definition of personal data.

There are no two opinions that the Act when it comes will cause disruption in the industry and the Government departments who have no clue on Privacy Management now will be the worst hit.  The private sector will be in a far better position since the professionals in the private sector are aware of Privacy protection because of their exposure to GDPR and other laws.  This could be one of the reasons why Government departments may have to be given a slightly longer time frame for implementation than the private sector though it would raise a hue and cry of discrimination in the industry circles.

The concerns expressed in the article are

1. The wide scope of definition of personal data deviates the core proclaimed purpose of the legislation which is protecting the privacy of individuals.
2. Curtailing the expansion of digital technology driven activities in the false pretext of privacy could lead to a decline in the growth trajectory. There is no legitimate need to regulate the creation and use of every data set or processing of data.
3. Restricting data storage is thus of no use.
4. Giving notice to everyone is  not possible and does not ensure better rights to data subjects.
5. The economic impact of this legislation should be deeply examined and reconciled before moving ahead with it.

The article is well written and the views are well articulated. However, we need to present our views on the concerns expressed above.

It is clear from the last concern above that the author has advocated possible deferment of the passing of the law. It is strange that two years back all advocates were shouting that Indian Government does not want to enact a Privacy protection law because the Government does not want to bind itself to a discipline in the usage of personal data of its citizens etc. They all forced Supreme Court to come with a hurriedly conceived judgement on Privacy and the Aadhaar related decision in which the Supreme Court declared that Privacy was a fundamental right of a citizen of India protected under Article 21 of the Constitution. The Court also extracted an assurance from the Government that they will soon introduce a robust law for the purpose of privacy protection.

The Government went ahead, constituted the Srikrishna committee and came up with the first draft of PDPA 2018 as presented by the committee to the Parliament. When it was sent for public comments, elections intervened and a new version had to be introduced as PDPB 2019.

But now the same people who wanted the legislation earlier has realized that the law would bring in greater hurdles to the business than the Government itself and are now using all their skills not to let the Government go ahead with the passage of the Bill. There are frequent articles in news papers providing suggestions which in the end only mean that another version of the Privacy Protection Bill has to be worked out by the Government. This game has been going on for several years now and several draft bills have been earlier presented to the Parliament in the earlier regimes only to be kept pending in JPCs until the Parliaments end their term. We hope this Government will be different and finally come up with the passage of the Act or face a serious contempt charge from the Supreme Court.

We need to therefore consider how we can move ahead with the current version of the bill with minor modifications. Fortunately the Bill has enough flexibility to ensure that regulations from DPA can address most of the concerns and it is not necessary for all concerns to be addressed only in the Act.

The author (FE article) has spoken about the consent mechanism and considered it impractical to obtain the consent from every data principal. However, by the very definition of “Privacy” being an ability to exercise “Choice”, there will be no “Privacy Protection” without giving a choice to the data principal to determine how the data may be processed. PDPB takes into account several practical instances in which consent may not be necessary both for the Government and the private sector. Hence the concern is addressed.

The author of the article has also objected to the data storage limitation principal. However since the permission is linked to the purpose of processing and the data storage can be extended if the purpose demands or the legitimate interest of the data fiduciary requires extension, the concern has been adequately addressed.

The concern that the Act tries to regulate every bit of data that is created and this would hamper the industry has to be seen in the context of what is “Data” and what is “Personal Data”.

Personal data is part of the data and hence if we want to regulate Personal data as the Supreme Court wants, there is no way you cannot regulate the non personal data in some form. Personal data and Non personal data are like two sides of the same coin

Hence PDPA while regulating Personal data has to also say what it does  leave out as Non Personal data since Personal data is carved out of total data.

Regulating personal data therefore hinges on what data we carve out of the total as “Personal Data” so that the regulations can be applied there in.

Hence the definition of “Personal Data” is the most critical  part of the regulation and if we can agree on the definition, most of the disagreements that different segments of the industry have on the Act will perhaps reduce or even evaporate totally.

Currently, PDPA defines Personal data as

 “personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;

Under GDPR,

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

The two definitions have a small difference intended or otherwise. The GDPR definition refers to the “identifiers” and gives examples such as “Name”, location data, online identifier etc. The author of the FE article makes a reference to the European Court of Justice and even adds the “Answer sheet in an examination” as an identifier.

The PDPA does not name the identifiers but it is natural for people to extend the GDPR identifiers as also identifiers for PDPA to differentiate between Personal data and non personal data.

We need to deeply think here when does a data which is in the hands of a data fiduciary become “Personal Data”. No data is born “Personal” it acquires the status during the life cycle which starts from raw data  and journeys through the state of  non personal data, to personal data to sensitive personal data until it is destroyed or converted into other states such as de-identified data or anonymized data.

So, if there is a data

01110110 01101001 01101010 01100001 01111001 01100001 01110011 01101000 01100001 01101110 01101011 01100001 01110010

it is simply data and neither personal or non personal.

If a viewer sees this through an ASCII converter, his computer would display a conversion of this data into

vijayashankar

Now in this context is the first set of binaries “Personal data”? It perhaps became so because some body decided to convert it. Is it not similar to identifying a de-identified data?

The law is not clear about this.

Now having converted the binary stream into a text read as “vijayashankar”, does this amount to personal data? Does this identify a living natural person? What makes one think that vijayashankar is a name of a person? why can’t it be the name of a place?

In the absence of further clarification, will “vijayashankar” be called personal data?.. The law is not clear.

If we adopt the logic expressed in the FE article and what is also prevailing world wide, the name is an identifier, IP address is an identifier, email address is an identifier etc. But who says some thing is a name or email address?. If I name my company as Naavi@Naavi.org and register it, then is it the name of the company or the email address of naavi and who is naavi, is he an object, or person etc, are the things which make the information unable to be identified as a personal information.

Hence we must accept a definition where no information is personal or otherwise per-se. It becomes personal in relation to the conversion of the binary data into a human experienceable form and in the eyes of the beholder, it represents a person.

This is the concept which Naavi’s theory of data adopts as the “Definition Hypothesis” of data.

Does PDPA accept this principle? or fall into the check list approach of the other world to give a list of 18 parameters (as in HIPAA) or any other number of parameters that we can imply in GDPR?

As of now the definition in PDPA remains unclear. Hence “vijayashankar” or “naavi” or “naavi@naavi.org” as independent data elements are not automatically “Personal Data”. But if the “beholder” knows that there is one natural person who responds when you call out “vijayashankar” or “naavi” or send an email to naavi@naavi.org, because of such knowledge, the data becomes personal data in his custody.

The same data in the custody of somebody else who has no clue to what is “vijayashankar”, it is a non personal data.

The definition of personal data should therefore incorporate the “User of the Data” who may be a Data Fiduciary in this context and his knowledge to identify any set of characters as personal data or otherwise.

I am not sure how  if this should be done by amendment of the definition of the personal data or we should leave it to the DPA to clarify.

As a suggestion, I would recommend consideration of a revised definition of “Personal Data” to ensure that this definitional uncertainty is removed.

‘personal data’ in the context of its use by a data fiduciary and the knowledge of the data fiduciary, means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

In such a definition no single stream of binary data is called “Personal” unless it is associated with one or more other binary streams which together indicate that the data set is an identifiable personal information. Hence vijayashankar, email:naavi@naavi.org would together be called personal data while individually, vijayashankar or naavi@naavi.org cannot be called personal data.

Comments of experts are invited.

Naavi

During the COVID lock down, many subscribers of news papers have stopped the news paper subscription and there is no doubt that the subscription revenue must have gone down. Though in the past, newspapers relied more on the advertising revenue than the subscription to the extent that the front page of national news papers were often the paid ads themselves, the news papers may be worried about the possibility of a permanent discontinuing of the news paper reading habit by the public, post lifting of the lock down.

In the meantime as a cost cutting measure most news papers have drastically reduced the number of pages in the publication and saving on the print costs.

While the few of us who are still supporting the publications by continuing the subscriptions, understand the economic pressure, the rumour that is floating around about INS (Indian Newspaper Society) intending to take action against WhatsApp admins for forwarding the e-copies of publications to their members under the Copyright Act raises concern.

If the rumour is true, it shows the meanness of INS and deserves to be condemned.

If any WhatsApp admins have been sharing the news papers to their members, it is out of respect for these publications and to ensure that the members keep in touch with the publications so that the relationship between the publication and the subscriber/reader is not completely cut off. This should increase the possibility of the person re-engaging himself with the publication after the lock down is lifted.

If however, the INS takes any action against WhatsApp admins, there could be a boycott of news paper subscriptions and the print publications will be forced to close down.

Today the TV media and the internet media disseminates news faster and better and if INS does not understand the vulnerability of the print publications and ignore the minor aberrations of Copyright that they may be seeing in these news paper shares, it will on its own dig up the grave for print publications.

If the rumour is not true, INS has to come out with a statement showing its magnanimity in accepting the current special conditions in which some WhatsApp admins might have tried to share the news within their private member community (not in public domain) for the benefit of the members   of its family and at the same time helping the brand afloat.

If INS wants to protect the member’s  rights under Copyright Act, the consumers may demand that with the reduction of print pages, the publications have to reduce their price immediately failing which they should be  open to challenge under unfair trade practices.

In the meantime I advise the WhatsApp admins….

• Stop distributing the whole copies of publications. Your service will not be appreciated and could be violating Copyright law.
• Instead you can discuss specific articles with or without link to a context specific articles on the news paper.
• In the past there have been some international publications which have taken objection even to hyperlinking (Deep linking) to articles within the news papers and it is better you avoid confrontation with such money hungry sharks.
• Most of these news papers are any way not committed to the principles of journalism and are paid by some political party or the other or some business group.
• Ideally, pick up news from the social media and blogs, filter them for reliability and distribute it to your member
• Avoid confrontation with the news papers. They have copyright lawyers supporting them.
• Afterall you are not paid for promoting the brand of the news paper and there is no reason why you should take the risk.

My renewal of subscription is due and I will be considering discontinuing one English and One Kannada news paper to which I subscribe now unless I see a satisfactory response from INS.

Looking forward to a suitable press release from INS in this regard. I am copying this through email to the INS.

Naavi

P.S: In the past there used to be an early morning program in which TV channels used to read out main news from print publications. It is time WhatsApp groups distribute responsibilities to members to read out one news paper item so that collectively the information can be shared.

The COVID 19 lock down has delayed the meetings of the JPC on PDPB 2019 giving room to speculation whether the Government of India is developing cold feet on the passage of the bill which would make it more accountable for some of its activities such as the use of the Arogya Setu app.

We are aware that the MeitY has been in discussion with many business organizations, most of whom are MNCs now exploiting the weak Indian data system who donot want the law which could bring them into a greater legislative bind. From what has been seen in the case of submissions of NASSCOM and AFISMA/SIFMA, there is a lobby that is working on dilution of the Bill. Already the Government has given up on the Data Sovereignty concept by agreeing to allow free transfer of non sensitive personal data across the borders and conditional transfer of event he sensitive personal information despite the adverse impact of this move on law enforcement. Now if we take the recommendations of NASSCOM and ASIFMA seriously, the Government may have to re-draft the Bill again which means another round of public consultation and further delay.

It would be a tragedy if the JPC is used as an excuse to delay or permanently avoid the passage of the bill in its present form.

It may be noted in the AFISMA submission that there is a direct challenge to the sovereignty principle by suggesting that if the MNCs are already in compliance with GDPR, there should be no need for compliance of PDPA as if to suggest that the foreign laws still reign supreme in the Indian jurisdiction.

In the recent Kerala Government controversy against the US company Sprinklr, the so called GDPR compliant Sprinklr did not  bat an eye lid before accepting the sensitive personal data of Indian citizens and processing it in USA knowing fully well that this was not ethical if GDPR was a best practice standard. They did not bother to advise the Kerala Government whose babus may not be aware of “Privacy Protection” and were under the pressure of the Corona crisis that the information can be easily de-identified and pseudonymized before it was transferred to Sprinklr. They did not even bother to bring to the specific notice of the Kerala Government the fact that the Jurisdiction clause of the standard terms of service provided by Sprinklr required the Kerala Government to seek remedy in a New York Court.

Sprinklr was therefore irresponsible as a “Data Fiduciary” and only tried to take commercial advantage of the situation either deliberately or because they were ignorant of the principles of Data Protection under GDPR or even their liabilities under Section 79 and 43A of the Information Technology Act 2000/8

It is such organizations in the Financial sector that the ASIFMA is trying to represent and argue for dilution of PDPA.

The JPC should therefore ignore such submissions and start finalizing the Act. If they still want to have meetings with experts, they should go for a Virtual Conference for which Zoom as modified may itself be sufficient or any other video conferencing tool which they consider as more secure.

I request the JPC to therefore to proceed with their discussions so that before the lifting of the lock down in the next 14 days, the final draft of the Bill is ready.

Naavi

The Personal Data Protection Bill 2019 presented in the Parliament on 11th December 2019 is yet to be passed. It is presently with the Joint Parliamentary committee but seems to have not progressed much due to the Covid19 situation.

There is one section of stake holders who are happy with the delay and there is another section of stake holders who are unhappy.

The Government has been following a very cautious approach in finalizing the legislation and is listening to all vested interest groups and allowing the deferrment under one pretext or the other. The PDPB 2018 had already gone through a public consultation and the PDPB 2019 is again going through another public consultation.

It is ironic that the industry which embraced GDPR without a murmur suddenly has started raising objections to the Indian law as if India has no right to pass a law that could affect the freedom of the business entities to loot the personal data of Indians.

Several centuries ago the conquerors of the Arab world and the sea pirates from the west have plundered the Indian wealth to the extent possible and now the new business managers from the west are trying to exploit the data wealth in the country. Hence they are raising objections after objections to the passing of the Act.

This tendency is verymuch evident in the note submitted by the Asian Security Industry & Financial markets Association (ASIFMA) and Securities Industry & Financial Markets Association, a copy of which is available here.

Despite the long note submitted, it appears that these organizations donot want to see India passing this legislation and even if passed, it has to be completely in favour of the business organizations to help them continue the exploitation of personal data of Indian Citizens. The NASSCOM has already submitted its comments which is also more in the same mould in favour of the MNCs.

After perusing the unreasonable submission made by AFISMA, Naavi.org has considered it necessary to make a point by point comment on the suggestions, which is enclosed here.

 We hope the Joint Parliamentary committee will take into account the comments made herein.

Naavi

There was an interesting interview of Mr Mukhesh Ambani with Mr Arnab Goswami in which Mr Mukesh Ambani has spoken about “Data Ownership” and “Data Monetization”. He has strongly advocated that “Data” belongs to an individual or Corporate and no company should be able to make use of the data to make profits without sharing it with the data owner.

He used an analogy of property kept in a Bank locker and that the Bank does not have the right to take it out and use it to make profits even if the original property is returned to the property owner.

Just a few days back, we had a webinar from Justice B N Srikrishna where he highlighted his view on data ownership. He used the analogy of the terms “My House” and “My Wife” and said that we cannot apply the same principles of property ownership in these cases since in the case of “My Wife”, there is a personal “Relationship” involved which is different from the relationship with a property like the house. He therefore said that the concept of “Property” cannot be applied directly to “Data”.

I agree with Justice Srikrishna and endorse his view that “Data” whether “Personal” or “Corproate” cannot be considered similar to other properties like the movable or immovable properties. It does not even bear exact similarities to intangible properties like goodwill or intellectual properties like the trademark, patent or copyright.

The nature of data as a property  could be closer to the property such as an “Enforceable Right” (Actionable Claims). But still Data is a type of commodity or right which does not fit squarely into any of the known types of properties and hence requires to be treated as an exclusive kind of its own. 

Data is an exclusive kind because it is not static in an organization and has a life cycle. It starts it’s life cycle as raw data which is a set of zeros and ones in no specific form. Once some of these zeros and ones are grouped in a particular manner, some software-hardware combination may interpret as an ASCII character or a number or even as sound and image.

Whether the data is a word file or a note pad file or an mp4 file, it is still a series of binary representations and the first few sets of binary (Header information) identify which software is compatible and is designated to read the body of the data. Accordingly the header data invokes a specific software and we see the data as text sound or image.

Further, data is always in binary form and it is the person who is viewing it who renders a meaning to it. Hence the meaning of data is one that is ascribed by the viewer. If we remove the viewer, and the tools of viewing,  all data looks the same… a sequence of zeros and ones.. To call some thing as personal and some thing as non personal, something as sensitive is all an imagination in the eyes of different viewers using different viewing tools. (This concept has already been embedded into our legal system through Section 65B of Indian Evidence Act)

The detailed explanation of the above concepts in the Theory of Data is discussed elsewhere on this site.

Given this nature of data to be dependent on the software and hardware and the beholder for a meaning,  it is not appropriate to ascribe an absolute value to the data and identify who owns this value.

Further, through aggregation or dis-aggregation, data becomes personal data, or sensitive personal data etc. Personal data can also becomes de-identified data, pseudonymized data or anonymized data.

To ascribe a property nature to this data is therefore complicated and has to factor in the changing nature of the data through the lifecycle it goes through. Just as in the case of a human law applicable to a child is different from one applicable to an adult, a married adult, a senior citizen etc., data laws are different for different types of data. These laws determine the rights associated with the data at different life cycles and also determine the value.

Personal data P, may have a value X to a data fiduciary Y at a particular point of time. It may then be anonymized into P*. The value of P*may be zero to the same data fiduciary who was valuing it at  X till now. At the same time to another research entity Z, P* may have some value of its own. So when P is converted into P*, it reduces in value for Y but increases in value for Z. If Y is selling P as P* to Z, it is like US selling crude oil at a negative price…difficult for economists to understand the valuation…

If we try to recognize this kind of property as some thing like a movable or immovable property or an actionable right, we would not be able to capture all the glory of the personal data. It is like watching  of a pattern in the Kaleidoscope  by a person who is color blind to multiple colors or perhaps is totally blind.

Hence we should stop looking at Data as a normal property but understand that it is some thing different.

Also the instrument that is used to transfer the right on this property is neither a mortgage deed nor a hypothecation deed , nor a contract as we know in law. It is different.

What is this “Different” breed?… Let us simply call it as an entity described as “Data” as defined in ITA 2000 and “Personal Data” as defined in PDPA, There is a person recognized as the “Data Principal” who is having certain rights against a certain set of data. He can hand it over to another person called the “Data Fiduciary” and give him some rights. The “Data Fiduciary” can further transfer it to another person called the “Data Processor” and give him some limited rights.

The parties Data Principal, Data Fiduciary and the Data Processor therefore handle the entity called “Personal Data” as per the provisions of PDPA. All rights on this “Personal Data” are determined by the law called PDPA. Just as the Transfer of Property act defines what is an “Immovable Property”, PDPA defines what is the property called as “Personal Data Property”. ITA 2000 defines what is a Data Property.

PDPA also defines the kind of rights that the Data Principal possesses and the rights that he can transfer. It also defines the rights of the Data Fiduciary and what he can transfer to a Data Processor. It also defines what are the rights of the Data Processor.

Hence the “Personal Data Property” is an exclusive kind of property and has to be viewed as such without equating it to any other known forms of property except to say it is like this in one feature and like another in another feature. All laws related to “Personal Data Property” arise out of PDPA and every other law is irrelevant.

When we talk of transferring the property, we should only talk of transferring the “Personal Data Right” in the “Personal Data Property”.

These discussions may be theoretical but are important for the purpose of developing jurisprudence in the data protection domain. I therefore place it before the public for debate as part of Naavi’s Theory of Data.

Naavi

Related Articles:

October 8 2019: New Data Theory of Naavi built on three hypotheses

October 8, 2019: Theory of Data and Definition Hypothesis

October 10, 2019: Reversible Life Cycle hypothesis of the theory of Data

October 11, 2019: Additive value hypothesis of ownership of data

November 20 2019: Will Personal Data Protection Act be compatible to the Theory of Data?

March 31, 2018: Theory of Dynamic Personal Data