P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.
| 4. Chapterization | 5. Privacy Definition | 6. Clarifications-Binary |
| 7. Clarifications-Privacy | 8. Definitions-Data | 9. Definitions-Roles |
| 10. Exemptions-Privacy | 11. Advertising | 12. Dropping of Central Regulatory authority |
While discussing the “Chapterization” of the proposed NDPAI, we had suggested a separate Chapter for “Data Valuation Framework” to discuss all issues regarding data valuation.
The IRCTC issue has now pre-empted the discussion of some aspects that should go into this Chapter.
Naavi has already published detailed recommendations on “Data Valuation Standard of India” (DVSI), where we have discussed why Data needs to be brought into the Balance Sheet of a Company as a “Special Asset”, how it can be valued, etc. The objective of DVSI was to provide visibility to the value of the asset which the DPO/CISO would be required to protect so that the Board could deploy appropriate resources in terms of men and material.
It is found that “Monetization” as a concept has not been specifically discussed either under GDPR or under PDPB 2019. In fact, privacy activists hate the word “Monetization”, though all Data Professionals live off the revenue generated by “Advertising”, and “Advertising” itself is one avatar of “Monetization”.
In our recommendations on the Shape of Things to Come we have already discussed the need for defining “Advertising Profile” and the means of using it. This concept has to go with the larger definition of “Monetization” and “Data Valuation” which may be specifically addressed in a separate Chapter.
If the term “Monetization” is defined in law, then the Courts will have some guideline on how to interpret the objections that may be raised later when the data protection law is in place. Not providing a definition will leave a wide scope for interpretation which may be detrimental to the economy and business.
We therefore consider that the IRCTC tender issue has provided us an opportunity to debate whether “Monetization” has to be defined in data protection law and, if so, how.
Our suggestion is to define Monetization as follows:
Monetization of Data
Monetization of Data means a structured plan to generate revenue out of Data in the custody of a Data Manager whether personal or non personal, and includes use of the data for advertising or promotion of the products and services of the Data Manager and/or licensing the use of data to another data manager.
Explanation: Monetization of data can be of anonymised or identified or de-identified or Pseudonymized personal data. However Anonymized personal data is non personal data and its use does not require consent of the erstwhile data principal.
Monetisation would be a type of use of data and may be subject to “Consent” if the data is identifiable or de-identified or pseudonymized. However, when data is anonymised as per the acceptable standard, it is considered non personal data; there is no identifiable data principal associated with such data, and hence consent is not essential to be documented. In the event that “Anonymised” personal data is “De-anonymisable”, it would be treated as “Negligence” or “Failure of Due Diligence” in the anonymization done by the Data Manager and treated accordingly for fixing liability.
The IRCTC plan as per its tender document consists of using the monetization for its own benefit. As long as any sharing of processed data is in anonymised form, IRCTC may be within the law. In other cases of use of data for itself, a proper explicit consent may be necessary for monetization.
In the IRCTC issue as reflected in the tender document therefore, the ability of IRCTC to use monetization may be within the data protection law. However it needs to ensure that appropriate controls are in place before the data is entrusted to an outside agency for further processing.
My personal advice to IRCTC is to make use of the “Pseudonymization Gateway” software recommended by the undersigned for “Certification of Data Importers in India for GDPR compliance”, keep control of the data with themselves, and not share identifiable data with any private sector company. Even for processing of anonymized data by any external company, adequate controls, restrictions and indemnities should be incorporated to prevent use of data by the agency outside the contract with IRCTC.
At present the tender document may not have all necessary controls in this respect and at the time of evaluating and approving the contracts, IRCTC should take steps to incorporate suitable controls to prevent “Further Monetization” of secondary data by the agents to whom the processing contract is awarded.
Such “Recommended Controls” to regulate “Unauthorized Monetization” need to be incorporated in the “Monetization Policy” of an organization, which should be part of the “Privacy By Design Policy” to be filed with and certified by the Data Protection Authority.
Some more thoughts on this may be incorporated in the further discussions on “Shape of Things to Come”.
P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, particularly the Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.