P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
In the earlier articles in this series, we have discussed the requirements of the New Data Protection Act regarding the basic objectives, regulatory structure and the Chapterization, all of which give a framework of the desired legislation.
In this article we shall discuss some definitional aspects.
We are presently discussing the possibility of one Mega Act which will replace both ITA 2000 and PDPB 2019, though the Government may ultimately choose to keep the two laws separate. We shall go ahead with the concept of the “Unified Act” for the time being and, if necessary, it can be bifurcated later on the basis of the different chapters we may create.
The first important definition to be addressed is the “Definition of Privacy” which needs to be protected.
The second but most critical definition of the Act is the definition of “Data” since it is central to all our discussions. The definition has to be further expanded to “Sensitive personal data”, “Critical personal data”, “Neuro data”, “Non Personal-Corporate Data”, “Non Personal Sovereign Data”, “Non Personal Community data”, “Shared Personal Data” etc.
Definition of Privacy
The first definition of Privacy is the one which is required for protection of what Supreme Court has declared as the “Fundamental Right” under Article 21 of the Constitution.
We presently have some understanding of what kind of privacy is protected by data protection laws such as GDPR, which is “Information Privacy”. The current definition of “Information Privacy” as used popularly is “Privacy 1.0”, whereas a need has arisen to look at two further levels of definition which can be defined as “Privacy 2.0” and “Privacy 3.0”. We may or may not use this software-type definition 1.0, 2.0 and 3.0, but we may have to find other names that can be used in the Act. But let us first try to understand the differentiation that can be brought between these three types of Privacy.
Privacy 1.0 means the fundamental right guaranteed under the Indian Constitution under Article 21 as part of the “Right to Life”. We had earlier discussed this subject in our article “The Privacy Judgement… Conclusion.. Need for Definition of Privacy”. We know that the Puttaswamy judgement did not include the definition of “Privacy” in its final order though it was discussed by the judges in their individual descriptive “obiter dicta”.
Privacy can be discussed as “Physical Privacy”, “Mental Privacy”, “Neuro Privacy” and “Information/Data Privacy”.
The requirement of the NDPAI can be served by defining “Privacy” as “Information Privacy” only and proceeding to discuss how “Autonomy and Freedom of Choice” can be imparted to an individual in directing others about how his personal information may be collected, processed and disposed.
We must appreciate that “Right of Privacy” is the “Right of Choice” of an individual to determine how he prefers to share his personal data with others. The difficulty, however, is capturing the “Right of Choice” and also managing the changes in the “Choice” of a person over time and managing the difference in the “Choices” of one individual and the other.
Let us therefore determine the first definition of Privacy as follows:
“Privacy is a fundamental right under the Constitution of India as an independent right under the Right to life and liberty that guarantees an individual that shall not be infringed except under due process of law as defined in this Act and includes the following.
(a) “Physical Privacy” means the choice of an individual to determine to what extent the individual may choose to share his physical space with others.
(b) “Mental Privacy” means the choice of an individual to determine to what extent the individual may choose to share his mind space with others.
(c) “Neuro Privacy” means the choice of an individual to determine to what extent the individual may share his neuro space with others.
(d) “Information Privacy” means the expression in electronic form of the choice of an individual to determine to what extent the individual may share data about the individual with others.
“Sharing” in the context above means “making the information available to another human being in such form that it can be experienced by the receiver through any of the senses of seeing, hearing, touching, smelling or tasting of a human in such a manner that the identity of the individual to whom the data belongs may become recognizable to the receiver with ordinary efforts”.
P.S: In the above definition, infringement of privacy is recognized only when the personal data becomes accessible by another human being. If the personal data is accessible only by a device and not by any human being, the data is not considered as “Shared”. When “Data” is processed by an algorithm without being accessed by any human being, if any human cannot access identified personal data by any reasonable efforts (similar to anonymisation), it is not considered as “infringement”.
This definition which recognizes visibility to humans only as infringement is the concept of Privacy 2.0. The inclusion of neuro privacy is the concept of Privacy 3.0. Both these are included in the above definition. Privacy 1.0 is the current definition used in GDPR where visibility of personal data by a device is also considered as potential data disclosure. Of
We shall discuss the definition of “Data” in the following article. In the meantime, I invite comments on the above.
P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly the Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.