California Consumer Privacy Act 2018 has tried to address some aspects of Privacy law which we in India will be discussing both through the PDPA (Personal Data Protection Act which is in draft Bill form) and the forthcoming “Data Governance Act of India” (DGAI) (expected) .
The PDPA focusses only on “Personal Data” which is defined as follows:
“Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information;
In discussing the term “Anonymization”, the PDPA defines as follows:
“Anonymisation”in relation to personal data, means the irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, meeting the standards specified by the Authority.
In otherwords, a “Personally Identifiable Information” changes to an anonymized information if the identity parameters are removed as per the standards that may be prescribed by the DPA.
By the definition of “Anonymization”, the DPA has been entrusted with the resposnibility to define when an “identifiable” data becomes “Anonymized” data.
Under the CCPA it is interesting to observe the use of the term “Probabilistic identifier” to differentiate between Personal Data subject to the regulation and “Non Personal Data” outside the regulation.
In CCPA Personal Information is defined as follows:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
It is interesting to note that this definition of “Identifiers” list many individual identifiers and calls all of them as inclusive of “Personal Information”. As a result, each individual item shown here for example ” the geolocation data”, directly or indirectly, with a particular consumer or household can be considered as “Personal Information”.
At the same time, while defining a “Probabilistic Identifier”, the Act says
“Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
Further, the “Unique Identifier” is defined as follows:
“Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.
This means that either the identifier should be directly tagged with an individual consumer or a “household” (household relates to the devices such as the IoT devices present in the household address”) or there should be some probabilistic certainty that the information belongs to a particular consumer or device.
The Act is however vague on how we determine the threshold probability. It is not clear if the authority will define a standard for this purpose as stated in PDPA or leave it to the business to address this as a business challenge.
While the Indian law sticks to defining “Anonymization” and taking “Anonymized Personal Data” out of the regulation, CCPA defines “Aggregate Consumer Information” and brings it also under the regulation. In this context including “Households” as “Consumer” which brings the IoT devices within the provisions of this law makes sense.
While India is now looking for a separate legislation which we have called “Data Governance Act of India” and formed an expert committee for the purpose, CCPA has tried to accommodate the business interests of processing “Non Personal Data” within the CCPA regulation itself.
CCPA defines “Aggregate Consumer Information” as follows
“Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been deidentified.
We can observe that this includes the “Community Privacy” which Justice Srikrishna mentioned in his report and what the Kris Gopalakrishna committee has been asked to regulate as “Non Personal Data”.
Additionally, by including a reference to “households” and “Devices”, CCPA has extended the regulation to the “Non Personal Data”.
CCPA also incorporates a provision for “Selling of personal information” and considers the personal data as property that can be sold.
It is therefore reasonable to consider that part of the new regulation that the Kris Gopalakrishna Committee may consider to recommend may consist of measures which are included in the CCPA.
However, whether this committee will restrict itself to the addition of some CCPA provisions to the PDPA or go further and speak of a larger legislation for “Data Governance” will depend on the vision of the Committee members.
Since this is a good opportunity to bring in regulation of both personal and non personal data into an umbrella legislation on the “Data Governance Framework” , it would be interesting if the committee does consider this larger objective.