P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
The Privacy Protection law applied to “Data” revolves around
a) Collection of Personal information based on a proper consent of the data subject
b) Processing of collected personal information according to the wishes of the data subject
c) Use of the processed personal information according to the consent of the data subject.
While “Consent” is the principal basis for personal data collection, processing and use, the necessities of Governance and Business require recognition of certain circumstances where the “Consent” has to be deemed to exist. Such situations can be described as “Legitimate Interest”.
“Legitimate interest” covers not only the business requirements of the data controller but also the requirements of the Government and the interests of the Public, other data subjects, emergency situations etc.
Hence “Consent” and “Legitimate Interest” are the two main pillars under which the entire Data Protection Principles can be built.
The normal perception is that PDPB 2019 was “Consent dependent” whereas GDPR was not. The reason was that under GDPR, Consent was only one of the several bases on which lawfulness of processing was defined.
Article 6 of GDPR recognized the following as legal bases:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
In the above, point (b) is directly related to a deemed consent. Point (c) is the right of the data controller, (d) relates to emergencies, (e) relates to public interest and (f) relates to other “legitimate interests” which are commercial in nature.
The business interest included under point (f) should be considered as including “Advertisement” requirements, since “Advertising” is the fundamental right of a business entity: it cannot exist without communicating to its target market what services or products it sells, at what price, how it distinguishes its products from the competition, what its unique selling propositions are, etc.
We may notice that under Article 19(1) of the Indian constitution, fundamental rights of citizens include carrying on a business of choice. Conducting a legal business in an efficient manner and earning a reasonable profit, without that freedom being curtailed, is therefore a right of every business entity. If this requires “Advertising”, we should not consider “Advertising” to be a taboo. If “Advertising” is allowed as a fair business practice, then market segmentation and targeted messaging for different markets as well as the profiling of consumers for the purpose of marketing are all legitimate interests of a Data Controller.
Let us therefore shed our misconception that “Advertising” is bad and “Profiling for advertising” is bad and look at what part of advertising and profiling is bad and how they can be avoided or addressed.
So far, no attempt has been made in the data protection laws for regulation of “Advertising” or introducing an “Ethical Code for use of a profile”. Most laws indicate that “Profiling” whether it leads to correct or incorrect perceptions about the data subject is outside the basic purview of “Purpose of Processing”. There is no appreciation that “Advertising” itself can be a “Purpose” for which profiling is created. We need to set right this inadequacy in our laws.
In most cases of personal data processing, profiling is an automatic occurrence, just as, the moment we see another individual, our mind creates a profile of the person based on his demeanour. The science of “Body Language” is nothing but making an inference out of the visible profile of a person. It is not possible to prevent this human trait. Similarly, when an organization observes certain activity of an individual, an automatic “profile” gets created.
In GDPR we call this “Automated Processing” and we require a legal basis for it. Whether there can be a legal basis for something which happens automatically is the moot point. Suppose a customer of Amazon says “don’t profile me by my buying habits”; will it be feasible for Amazon to delete all buying information as if there is a “Right to Forget” that exists? Firstly, the transaction information that contains the personal data of the data subject is a “Joint Data” and Amazon has as much right as the data subject to keep the data and use it as long as “No harm is caused to the data subject”.
Hence such a “Denial of consent” has no validity, just as it would have none if, before shaking hands with you for the first time, I made the statement “do not judge me by my looks, gender, accent, height or colour”.
Similarly, “Profiling” is a process which is automatic and it is the essence of understanding the consumer for the purpose of advertising or service. A blanket ban on “Profiling” or “Automatic Processing” is therefore not reasonable.
However, “Automated Decision Making” is different from “Automatic Processing” since automated decision making may involve a potential harm to the data subject.
Once a profile is created, the information may be used either by the Data Controller himself for the improvement of his business or the information may be shared with a third party advertiser. This “Sale” of personal profile is another taboo in data protection law and we often consider it as unacceptable.
A time has come for data protection professionals and the law makers to take a fair view of the needs of “Advertising” and allow a certain level of personal data processing which is reasonable and not harmful to the data subject.
We can achieve our objective of protecting the privacy rights of individuals without unduly hurting the business interests by focussing our regulations on the “harm” that may be caused by the misuse of personal information rather than banning certain aspects of its “Use”.
If therefore “Advertising” is declared as a collateral or incidental purpose of personal data processing and a consent is sought from the data subject at the time of collection, it should be considered as a fair request.
For the time being, considering the revolutionary nature of this suggestion, I would like to consider that use of personal information for “Advertising” should be considered as a special use and an “Explicit Consent” may be obtained instead of an ordinary consent or deemed consent.
We can achieve this by declaring an “Advertising Profile” of a data subject as “Sensitive Personal Information”.
Now if we go back to our definition of sensitive personal information and processing, we recall that we stated as follows: (refer article 8)
“Processing” is defined as any alteration of a binary sequence of data elements and includes data aggregation, data modification, data deletion, data disclosure, data publishing etc.
This was purely a technical definition and was not related to the purpose of processing and did not include “Profiling”.
We may now add the following for definition of Profiling:
“profiling” means any form of processing of personal data that directly or indirectly analyses or predicts the behaviour, attributes or interests of a data principal.
Profiling includes purpose oriented collection and arrangement of personal data elements such as Advertising profile, Health Profile, Financial Profile etc.
Sensitive Personal Data
Personal Data which may reasonably cause significant harm to the individual in the hands of an unauthorized person is classified as “Sensitive personal data” and includes:
a) Credentials for accessing restricted data
b) Health data
c) Financial data
d) Sex related data
e) Biometric data
f) Genetic data
We shall now modify the definition of “Sensitive personal Information” by including item
(g) Advertising Profile.
Correspondingly, we shall define “Advertising profile” as follows:
Advertising Profile means a collection of personal data elements of a data subject/Data Principal that represents the profile of the individual in terms of his commercial activities such as buying of goods and services and includes the intelligent insights that may be developed about the individual that may be used for advertising purpose.
Kindly note that when we use the word “Profile” instead of “Data” to define “Sensitive Personal Information”, we are making it clear that what is being defined is not one single parameter but a “Profile”, which is a collection of several parameters.
Under this consideration, we can perhaps make corresponding changes in the list of “Sensitive personal information” to replace Health Data, Financial Data or Genetic data etc with corresponding profiles.
We therefore re-define the “Sensitive Personal Information” as follows.
Sensitive Personal Data
Personal Data which may reasonably cause a significant harm to the individual in the hands of an unauthorized person is classified as “Sensitive personal data” and includes:
a) Credentials for accessing restricted data
b) Health Profile
c) Financial Profile
d) Sex Profile
e) Biometric Profile
f) Genetic Profile
g) Advertising Profile
As regards the restrictions to be placed on use of information for Advertising, we shall cover it under the compliance requirements since it is related to prevention of harm to the data subject.
By shifting the focus of regulation from “Collection and Processing” to “Misuse and Harm”, the industry would be relieved from the restrictive regime on business involving personal data collection and legitimate use, and regulation would focus more on the harm caused by misuse.
This shift of focus may be used by unscrupulous business entities who may take advantage of the weaknesses in the enforcement mechanism. Hence these suggestions need strict vigilance and enforcement.
Currently we use the Data Protection Impact Assessment and the Privacy By Design Policy as instruments to capture the intentions of a Data Controller or Data Fiduciary and follow up with the Concurrent audit and mandatory annual audit as well as the 4% turnover based penalty.
In order to increase the deterrence, any intentional contravention of a “DPIA” or “Privacy By Design Policy” (which in PDPB 2019 required registration) should be considered as “Breach of Trust” and made punishable as a criminal offence subject to a safe harbor clause based on “Due Diligence”. (These will be discussed in detail in subsequent chapters)
It may be necessary that Due Diligence should include a DPIA for any profiling process, and that every profiling process should be mandatorily subjected to a DPIA which will be filed with the regulatory authority.
I request the readers to send their comments on the above.
P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly the Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.