DPDPA 2023: The fundamentals – Part 2

The post DPDPA 2023: The fundamentals – Part 2 appeared first on PGurus.

Jul 4, 2025 - 09:23
The data principal should be redefined as the data owner, with rights aligned to privacy, life, liberty, and the Universal Declaration of Human Rights

The previous part of this article can be accessed here: Part 1. This is the second part.

Personal data & protection

Abstract

The most important element in the Personal Data Act is the definition of personal data itself. This defines not only the scope and limitations of the Act but also whether it is on a sound footing or not. It is shown that the definition itself has serious flaws, and so does the nature of protection provided by the Act. It is necessary to redefine personal data and change the scope of protection so as to be consistent with the fundamental rights of the individual.

What is personal data?

Personal is of or that which belongs to a particular person, rather than anyone else. Privacy affords a core which is inviolable and the right to be left alone, which is inherent simply because the person exists. Both these afford a degree of autonomy and exclusion available to the person concerned.

For example, a person may live in a rented house or wear a borrowed shirt, but she can exclude the owner or anybody else from her personal or private space. Even if two people are in bed together, what is personal and private is unique & exclusionary to each individual. The same applies to a pocket diary or a photo album belonging to a person, which has other people’s contacts or photographs in it.

DPDPA 2023 states that “personal data means any data about an individual who is identifiable by or in relation to such data”[1]. So, identifiability of the person is the criterion, implying that if the person is not identifiable or if the data is de-identified, then the data is not personal, and neither the data nor privacy and other rights are protected.

Identifiability & violation of privacy or personal space

As an example, consider the Peeping Tom who captures an unknown person’s private parts or activity in the bedroom, say, without capturing the face or features that can identify the person, or from the back side of the person. So the person, represented by the personal data in this case, is ab initio de-identified. However, is it not personal and a gross violation of the privacy of the individual? Likewise, with a person’s pocket diary or contact list, photo album, or their wallet and its contents, the unit as a whole is personal and private. Note that other people, not the person to whom the diary, album, or wallet belongs, are identifiable from each entry in the diary, album, or wallet. Some other person accessing any single entry is a breach of privacy and the personal space. Clearly, identifiability of the owner or principal is not necessary, and is the wrong criterion, for something to be personal or private, or for the violation thereof.

Conversely, if identifiability is (wrongly) made the criterion, it legitimises the invasion of privacy and the personal space, and the theft of the personal data, by labelling it de-identified and keeping it outside the scope of protection of the Act.

Consequences of de/identifiability

Suppose there exists a confidential client list owned by a corporation. This has entries identifying others, i.e., each client, not the owner, which is the corporation. Is not unauthorized access to even a single entry or a part of it a breach or theft, against which the entity has a remedy in law?

Observe that de-identifiability and anonymity are what a thief resorts to, e.g., melting the gold ornaments, removing the markings, or stripping the asset, furniture, or vehicle into parts. However, the rights of the person it belongs to remain, irrespective of identifiability and of the transformed or knocked-down asset. This point is not covered by DPDPA 2023.

De-identification is an undefined operation, generally speaking, and also in law. We know that the police or a detective identifies the suspect using public and personal data from clues, each of which individually may not establish the identity. So, ab initio de-identification may still lead to identification and a violation of privacy. This is significant in itself, and also for the acquisition of a greater number of data sets, and for mergers and acquisitions. This is when there are individual pieces of information that, in themselves, do not identify the individual. Furthermore, starting from an initial data set that includes the identifiers, why can the de-identification not be reversed if the de-identification algorithm can be guessed, stored, or reconstructed in some other jurisdiction beyond the reach of the law or agreement?

Identifiability, rights & value

Suppose there is a survey with a simple yes/no outcome, e.g., whether someone got infected post the vaccine or not, or on the sexual history of a person. It is just one binary digit of information. There is an element of personal ownership, creation, privacy, exclusivity, and commercial value in it, whether or not identifiers are captured or later de-identified. If data is the new oil and oil does not require identifiability for ownership, control, and commercial value, the same applies to the person, i.e., “data principal” here. If copyright, which is not a fundamental right, is granted automatically and it belongs to the individual, irrespective of the identifiability of the owner from the copyrighted material, likewise, ownership of personal data, privacy, and other rights concomitant with it belong to the individual.

Inadequacy of consent & protection, denial of access

Suppose a courier or service provider wants a specific piece of information from you, e.g., the delivery address or your graduation certificate. You access or search and give only the particular piece of information that person wants, while denying them access to your diary, home, or PC. Alternatively, the courier or service provider can themselves access your pocket or inside your home or PC and search for it, and finally land upon the piece of information required. Observe that here itself, there is a trespass and an unwarranted invasion of privacy and personal space.

In terms of consent and purpose limitation, the courier or service provider may not be misusing the delivery address or your graduation certificate, to which you have given consent. However, in the second case, you have practically given a search warrant to the courier or service provider to enable him to search your belongings. Moreover, on the pretext of identifiability, or keeping it in de-identified form, he now decamps with all the available information or artifacts inside your diary, your house, or your PC. There are numerous service providers, websites, or apps that want access in this fashion, or else they deny you the service and shut down immediately. DPDPA 2023 does not prevent this. This legitimises a gross violation of privacy and of what is personal, and the theft of personal data, and hands over a de facto search warrant to the external agent, legitimising complete surveillance.

Scope of protection & remedy as per fundamental rights in the Constitution

The Act, motivated by the fundamental right to privacy, does not contain even a single instance of the word “privacy” in it. Nor does it contain the word “offence” or remedy in law. In fact, the Data “Protection” Board will inquire whether non-compliance is significant or not, before carrying out the inquiry or proceedings. If another entity, viz the DPB, is sitting in judgement as to the significance, an undefined, usually statistical object, rather than the breach of privacy and the loss or harm to a particular individual, then the right you have is neither personal, nor exclusive, nor fundamental. It also violates the fundamental right to equality before the law and equal protection of the law by admitting an undefined, personally determined, variable, and arbitrary “in/ significance”[2]. Furthermore, the inquiry proceedings themselves will be barred, hence no penalty given, by an agreement purely between the DPB & the violator, where the presence or concurrence of the aggrieved is not even required. The penalty in any case is paid to the Consolidated Fund of India and not to the affected individual/s.

Comparison with IP protection

Other features of the Act, the inquiry process & the Data Protection Board are not mentioned here for want of space and are discussed here[3]. In any case, if this is considered an adequate standard of protection, then why not make a one-line amendment to the effect that all Intellectual Property will henceforth be protected in the same manner as in DPDPA 2023?

Conclusions & way forward

The above account shows that DPDPA 2023 is not sound on the fundamentals. Instead, it legitimises the violation of privacy and of what is personal, the theft of personal data, and surveillance. This is not only in derogation of the Fundamental Rights of the individual and various articles (3, 7, 8, 12, 17, 19, 22, 27-30) of the Universal Declaration of Human Rights, but achieves the exact opposite[4]. Consistency with the UDHR and India’s commitments to it is also incorporated in the detailed Puttaswamy judgement. Additionally, the Act denies what was available to the individual in another Act, the IT Act 2000, by explicitly omitting and negating Sec 43A previously available to the person to obtain compensation for negligent handling of the data. Since the Data “Protection” Board is, by definition, independent, it is not accountable to anyone and is, in effect, a supra-national entity implementing this Act. The penalty in any case goes to the Consolidated Fund of India, rather than to the individual/s who are at a loss or harmed, which further consolidates the master-slave relationship.

Redefining Personal Data & the Scope of the Act:

Personal Data must be redefined so as to incorporate “of or that which belongs to a particular person, rather than anyone else”, while dropping the requirement of identifiability. Data principal must be redefined as data owner, and various other rights concomitant with the person’s fundamental rights, the right to privacy, life, and liberty, and the Universal Declaration of Human Rights, must be recognized and granted.

Note: The views expressed here are those of the author and do not necessarily represent or reflect the views of PGurus.

Reference:

[1] The Digital Personal Data Protection Act, 2023, Aug 11, 2023, The Gazette of India

[2] Constitution of India – Indian Govt

[3] New Data Law Is Too Full Of Holes To Protect Either Privacy Or National Interest, Aug 10, 2023, Swarajya

[4] Universal Declaration of Human Rights – UN.org
