Yesterday, there was a conference titled “Communique19” at SITM (Symbiosis Institute of Telecom Management) , Pune. (SITM is incidentally renaming itself more appropriately as Symbiosis Institute of Digital and Telecom management or SIDTM). The conference amongst other things discussed the Personal Data Protection Bill and the above photograph shows the panel members.
The panel as seen above consisted of (From Left to Right) Mr Satish Dwibashi of Wibmo.com, Mr Neeral Arora, Advocate and Forensic Expert, Dr Sriram of DSCI, Mr Venkata Satish Guttula of Rediff, as well as me and Mr Sridhar Sidhu of Wells Fargo.
While discussing the issues, I highlighted the differences between GDPR and PDPB/PDPA. I have explained the differences many times in this website and hence I am not going to repeat it and will take up another point for discussion.
During the discussion which also raised the issue of the “Data Governance Framework”, I highlighted the formation of the new Kris Gopalakrishna committee and the background in which the committee was formed.
I may recall my earlier article/s in which I had made a mention of “Community Privacy” as a concept which had been referred to by Justice Srikrishna in his report. I take this opportunity to explain what could be one instance of the “Community Privacy” which is reflected in the above photograph.
I, like other participants in the panel signed off a permission to SITM that any photographs taken during the session could be used by SITM in social media etc. This is pretty much what happens in every conference, though ICO, UK started the practice of giving a notice that such photographs may be considered as not violating the privacy of the individual.
The above photograph however has been uploaded by me here because I was one of the participants in the panel. However, in the process, I might have violated the wishes of any of the other participants who might have liked to keep the photograph out of view of the visitors of Naavi.org. Though the panelists might have given the permission to SITM and SITM has placed it in public domain and I have also sought permission from these gentlemen, it is not clear if they have consented for this publication.
This is a classic example of how data of one person becomes the “Shared Data” of another person due to the context in which the personal data is generated and the decision of the other person to share it according to his wishes could be a point of contention.
This is what Justice Srikrishna indicated as “Community Privacy Issue” for which PDPB/A (nor any other law like GDPR) has provided an explanation. He suggested that the Government may consider a new regulation for this purpose.
If Kris Gopalakrishna Committee (KGC) takes a cue from the preamble in the circular indicating the formation of the Committee and interprets the terms of reference that such “Community Data” is “Non Personal Data”, it may include community data as part of its discussion and declare it as part of the “Big Data” or provide another intermediary status to such “Community Data”.
Is this therefore a case of “Community Privacy” that needs to be regulated? .
If so how do we regulate it?…
Can the photograph per-se without the names be considered as “Not identifiable” and hence “Anonymous”? Or
does the degree of “Anonymization” in this instance is nothing more than “De-identification”? and does not constitute “Anonymization” as defined under PDPB?
..these are some interesting thoughts that emerge out of this instance.
In the past, I had raised the issue of “Recording of Telephone Conversations” and expressed the opinion that the conversation belongs to both the “caller” and the “called” and recording is considered as the right of both persons. In the context of our discussions now, I see a clear explanation to my earlier view because this telephonic conversation belongs to the class of data now known as “Community Data” and hence all the members of the community (in this case the caller and the called) has joint and several rights to use the data as per their choice.
This “Joint and Several” right to dispose of the data will be the key to defining the regulation of community data. Once such data is considered the personal data of each of the individuals, the rest of the regulation may follow the lines of PDPB/A as the contextual risk assessment demands. While each member may have a right to refuse permission to consider the data as Community data by specific disclaimer, it may be considered that by default the data belongs to all persons in the community.
As regards the original photographer, his status would be like a “Data Fiduciary” who posts it in a social media or deals with the information in any other manner in the general interest of the data principals.
As regards the “Anonymization”, it may be considered that the photo without the names is actually “Anonymized” but only to a basic level of obfuscation. The identity of the persons is known only to those who knows either from their memory or by use of some identification tool.
Had we perhaps masked the faces, the anonymization could have gone to the next level and if all the others had been cut off from the picture, perhaps the anonymization would have been complete though it would have eroded the value of the data completely.
The person who assigns identity to the respective persons is required to take up the responsibility of “Re-identification” of the anonymized data (Which will be a criminal offence when PDPB/A becomes operational), unless he can provide a suitable defence of either “Prior Permission” or “Prior publication”.
If the identity is assigned by an AI algorithm and it commits a mistake, then there will be other issues such as whether it was a “Negligent Mistake” or “Recklessness/mischief” and accordingly the responsibility will have to be placed.
Consent is otherwise inherent in the participants allowing themselves to be photographed.
While these comments and opinion applies without much of a controversy in case of a photograph of this nature on the stage where a panel discussion was held, during such conferences, many “Candid” photographs are also clicked by the photographers which may capture moments which the subject may or may not like to be made public.
How should such photographs be handled? will it require “Explicit Consent”? are points of a separate debate. The responsibility of the photographer and the first publisher of such photographs is high in such cases.
This discussion on “Community Privacy” as well as the resolution through considering them as a “Joint and Several Right” is raised I believe for the first time in India. Readers are welcome to contribute their thoughts. I hope the KGC takes note of these views and incorporates it in its deliberations.
I am also trying to convince a few experts in Bangalore to constitute a shadow committee to discuss and deliberate this issue of “Community Privacy” and publish a document. Let us see how this project proceeds.