India’s journey to regulate data privacy has been bumpy, to say the least. Back in 2017, the Supreme Court of India held that the right to privacy is a fundamental right and directed the Indian Government to implement a new law relating to data privacy[1]. From 2018 to 2022, the Government made a total of four attempts to introduce a cross-sectoral data privacy law in India. These versions of the proposed law were scrapped as big tech companies raised concerns ranging from exorbitant costs associated with personal data processing requirements to strict restrictions on cross-border data transfers.
In what is believed to be the Government’s conclusive attempt to regulate data privacy, the Indian Parliament passed the Digital Personal Data Protection Act, 2023 (DPDP Act) in August 2023. Notably, while the DPDP Act has received presidential assent, provisions of the DPDP Act have not yet come into force. News reports suggest that the Government is in the process of crystallizing rules to the DPDP Act, following which provisions may come into force in a phased manner.
The term ‘digital personal data’ is the entryway to the application of the DPDP Act. In this first article in the DPDP Act Series, we will dive into the ambit of ‘digital personal data’ under the DPDP Act.
What is Digital Personal Data?
The breadth of protection that the DPDP Act will offer depends on the definition of the term ‘digital personal data’. The DPDP Act will only apply if the processing of data concerns ‘digital personal data’.
The DPDP Act defines ‘digital personal data’ as personal data in digital form. The two key elements here are ‘digital form’ and ‘personal data’.
As a consequence:
· Non-digital personal data outside the ambit of the DPDP Act: For instance, you visit your local grocery store, and in order to deliver groceries, the shopkeeper makes a note of your name, phone number and residential address on a piece of paper. If the shopkeeper limits her processing activities to paper records, such processing will not attract compliance with the DPDP Act. However, if the shopkeeper subsequently digitalizes the personal data collected, she must ensure compliance with the DPDP Act. Interestingly, the exclusion of paper records from the reach of the DPDP Act is contrary to the EU GDPR which applies to all records, whether digital or paper.
· Non-personal data outside the purview of the DPDP Act: This is in stark contrast to the previous version of the law that proposed to empower the Government to require private players to hand over specific non-personal data such as derived information, proprietary knowledge etc. The Government had to drop this inclusion of non-personal data from the scope of the proposed law in view of the backlash from the industry and other stakeholders.
Let’s now address the other element – ‘personal data’.
The DPDP Act defines ‘personal data’ as any data about an individual who is identifiable by or in relation to such data.
· To begin with, the DPDP Act aims to protect only the digital personal data of individuals. In other words, protection under the DPDP Act will not apply to data about legal persons such as corporations, foundations and institutions.
· The DPDP Act aims to employ identification as the standard for determining whether data is personal or not, very similar to the EU GDPR and UK’s Data Protection Act, 2018 (UK DPA Act): To put it simply, for any data to be considered personal, such data must be capable of tracing an individual. For instance, if a person’s name is not unique, it is unlikely that the name alone can trace the person. However, the name, in combination with additional information such as phone number and email address will allow the person to be singled out in a group, making the data set ‘personal data’.
· A person’s name, email address and phone number are regarded as direct identifiers and will certainly be included within the scope of ‘personal data’: However, the definition will also cover situations where an individual may be identifiable from data that contains indirect identifiers such as car registration number, passport number, uncommon characteristics of an individual (e.g. rare health condition, number of children). That being the case, corporations cannot assume that, simply because they do not process the name of an individual, they cannot identify that individual and, as a result, that the DPDP Act does not apply to them.
Will the DPDP Act apply to pseudonymized data?
Pseudonymization refers to the process of replacing direct identifiers with pseudonyms. For example, a given set of personal data may be pseudonymized by replacing one or more identifiers (such as names) with a pseudonym (such as a reference number). While individuals may not be identifiable from the pseudonymized data itself, they can be identified by referring to other information held separately.
While the DPDP Act does not, per se, address pseudonymized data, a previous version of the law specifically recommended the use of pseudonymization as a method to safeguard personal data.
Given that pseudonymization merely reduces the links between individuals and their personal data but does not remove them entirely, it would be appropriate to continue to treat pseudonymized data as personal data under the DPDP Act. Notably, EU GDPR and the UK DPA Act also treat pseudonymized data as personal data.
Will the DPDP Act apply to anonymised data?
Anonymisation is a technique whereby personal data is rendered anonymous in such a way that an individual is no longer identifiable. For data to be truly anonymised, the anonymisation must be irreversible.
Given that identification is the standard for determining whether data is personal or not, if a data set is truly anonymised to the point that identification of individuals is impossible from such data, the DPDP Act may not apply to such anonymised data. However, if there is a reasonable risk of identification, through the use of data matching or other methods, the data will be regarded as personal data.
Conclusion
The DPDP Act inarguably provides a broad definition of the term ‘digital personal data’. Any data which may be linked to an individual and processed in digital form will attract compliance with the DPDP Act. Such data will include direct identifiers such as name, email address and Aadhaar number, as well as indirect identifiers like age, ethnicity, race etc.
While the DPDP Act has not yet come into force, corporations and enterprises must begin mapping the data collected by them and preparing an inventory of data that has elements of personal data. This will help them to comply with the DPDP Act as and when the same is put into effect.
Authors
Nusrat Hassan
Managing Partner, India
Ambuj Sonal
Partner
Meghna Punjabi
Senior Associate
Disclaimer: The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[1] In 2017, the Supreme Court of India (SC), in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., held that the right to privacy is a fundamental right under the Constitution of India. The SC held that the right to privacy is integral to freedoms guaranteed across fundamental rights, and was an intrinsic aspect of dignity, autonomy and liberty.