PDPA 2021: Concept of Discovery Consent

The PDPB 2019/DPA 2021 addresses several proactive compliance requirements for the management of personal data by data fiduciaries and data processors, with the intention of protecting the “Privacy” of an individual. Contraventions result in civil penalties up to a maximum of 4% of the total worldwide turnover of the data fiduciary.

There is, however, one section (Section 83) of DPA 2021 which prescribes criminal punishment: imprisonment of up to 3 years, a fine of up to Rs 2 lakhs, or both. This offence is cognizable and non-bailable, but no court can take cognizance except on a complaint in writing by the Authority.

Under Section 85, when the offence is attributable to a company, the section extends the offence to the persons responsible for the conduct of the business of the company unless they can prove lack of knowledge and the exercise of due diligence to prevent the commission of the offence. Such liability may extend even to the Directors of the organization.

In case of Government data fiduciaries, there would be an in house enquiry before any person is held liable.

Most of the “Offences” related to “Data” are presently covered by the Information Technology Act 2000. In fact, once “Privacy Protection” through protection of personal data becomes a law, the current provisions of ITA 2000 will automatically apply to offences related to data protection. As such, the offences section in DPA 2021 is redundant and only restricts the powers of ITA 2000/8 rather than enhancing the provisions therein.

For example, if “Reidentification of de-identified personal data” is an offence under DPA 2021, it is also covered under Section 43/66 of ITA 2000 as “Diminishing the value of information residing inside a computer resource or affects it injuriously by any means” [Section 43(i)].

However, in view of the DPA 2021 having been defined as a special law overriding the current laws (Section 97), the re-identification as defined under Section 83 goes out of the scope of ITA 2000/8. But any other kind of “Injurious effect on personal data” remains within the provisions of ITA 2000.

Having established that DPA 2021 would be the sole law that addresses the issue of “Re-identification”, let us now look at the wording used in Section 83 and see whether it is clear and adequate to address the intention.

83: Re-identification and processing of de-identified personal data.

(1) Any person who, knowingly or intentionally—

(a) re-identifies the personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or
(b) re-identifies and processes such personal data as mentioned in clause (a),

without the consent of such data fiduciary or data processor, then, such person shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to two lakh rupees or with both.

(2) Nothing contained in sub-section (1) shall render any such person liable to any punishment under this section, if he proves that—

(a) the personal data belongs to the person charged with the offence under sub-section (1); or
(b) the data principal whose personal data is in question has explicitly consented to such re-identification or processing as per the provisions of this Act.

As per this section, the “De-identification” is under the control of the Data Fiduciary or a Data Processor who originates the de-identification of the identified personal data. Any other person who is in possession of such de-identified data shall not re-identify the data except with the permission of the original de-identifying agency.

However, such permission may not be required if the re-identifier has an explicit consent of the data principal. If the data principal has already given consent to the de-identifying data fiduciary for use of identifiable information for any purpose, this automatically becomes capable of being transferred to the re-identifying data fiduciary.

But it appears that the re-identifying data fiduciary could also obtain the “Explicit Consent” of a data principal itself and proceed with the re-identification. It is true that when a data principal gives “Explicit Consent” to a data fiduciary that intends to re-identify a data set, and that re-identification may “Discover” the personally identifiable data of the data principal, neither of them knows at that time that such personal data would be “Discovered”.

But it is possible to get such a “Discovery Consent” as per the provisions of this section. This provision is extremely important to all Data Analytics companies and Big Data Companies. While offering any service to data principals, such a company may obtain an explicit consent to re-identify any information available with it, or to be collected by it from other data fiduciaries or data processors as de-identified data or publicly available data, and use it to create the data intelligence required for the provision of services to the individuals.

This provision opens up some exciting opportunities for Digital Marketing Companies who may consider retail services directed to data principals. Probably this benefit will go unnoticed by a section of the market and evolve once the DPA confirms some related regulations.

Naavi

“The concept of “Discovery Consent” or “Exploration Consent” is being presented for the first time here. This would be part of the Theory of Data extended for interpretation. More discussions on this would be presented in due course. Your Comments are Welcome”…Naavi


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.