Personal data refers to all information that identifies or can be used to identify an individual. One need not understand quantum mechanics to grasp the value of protecting personal data, which is inherently tied to safeguarding an individual’s privacy. A quick glance at our surroundings or a minute spent observing the patterns of digital devices and internet platforms reveals how much personal data is exposed daily and how it is exploited. This exploitation need not always be criminal; economic and psychological exploitation through behavioural manipulation by commercial forces is equally concerning. The ‘ability to choose’ is what distinguishes humans. Denying that choice is akin to denying the right to live as a human. This principle applies to personal data and its uses. This article provides a comprehensive account of existing data protection laws and their role in protecting individuals’ right to choose how and by whom their data can be used.
Introduction
Whenever we open a website or a mobile application, we are asked to grant permissions, some allowed and others denied. Regardless, we often find this to be annoying and intrusive. Why would a media-playing app require access to my contacts? Why does my bank want to know my mother’s maiden name? Not knowing what else to do, most of us often provide all the information asked for and move on with our day. Then, one day, a person receives a notification from an app reminding them that their mother’s mobile prepaid is about to expire, further asking if they would like to recharge it for her. At that moment, a little shock is registered in our head, a sense of being under constant surveillance without even realising it. This leaves a feeling of violation, and we wonder, are these data-collecting parties allowed to do so? If yes, to what extent and for what purpose? In a lawfully civilised society, nothing is unrestricted. As Rousseau said, “Man is born free, and everywhere he is in chains.”[i]
This article examines the principles of processing personal data, the procedures for their collection, and protection under the General Data Protection Regulation (‘GDPR’) and the Organisation of Economic Cooperation and Development (‘OECD’) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data[ii].
Principles of Data Protection Under GDPR
Privacy has long been a cherished part of the right to life; a life with dignity cannot exist without the comfort of privacy. This recognition was echoed by The European Convention on Human Rights of 1950. However, the very idea of privacy was complicated, and the principles of its protection were challenged by the rise of the internet and the creation of an ever-expanding cyber sphere. Acknowledging this challenge, in 1995, the European Union (‘EU’) passed the European Data Protection Directives, establishing the minimum standard for data privacy and security. This was a precursor to the GDPR, which came into effect in 2018.[iii] GDPR was a step towards creating a comprehensive framework for protecting personal data, their collection, processing, and free movement. The very next year, in 2019, the Cambridge Analytica Case once again highlighted the vulnerability of personal data in the digital age. It prompted calls for stricter regulations and ethical standards in data handling. It underscored the importance of transparency and accountability in safeguarding user privacy. It influenced reforms in data protection laws and practices worldwide to better protect individuals’ rights in an increasingly data-driven society.[iv]
GDPR lays out the principles of data protection under ch. 2, particularly in a. 5, which lists the principles relating to the processing of personal data.[v] Based on these principles, personal data processing must adhere to lawfulness, fairness, and transparency. Data controllers should unambiguously communicate their data handling practices to individuals using plain language and easily accessible information. This includes disclosing the data processor’s identity, processing purposes, and individuals’ rights regarding their data. It is crucial to inform people about potential risks, safeguards, and how to exercise their rights concerning data processing. The purposes for data collection should be expressly stated and legitimate, clearly defined, and determined at the time of collection. Data should be relevant, adequate, and limited to what is necessary for these stated purposes, and no further use of data besides the stated purpose should occur. Storage periods should be minimised, with controllers establishing time limits for deletion or review. Processing should only occur if the purpose cannot be achieved through other means. Data controllers must take steps to rectify or delete inaccurate data promptly. Security and confidentiality are paramount, requiring measures to prevent unauthorised access or use of personal data and processing equipment. By adhering to these principles, organisations can ensure responsible and ethical handling of personal data, respecting individuals’ privacy rights while fulfilling necessary data processing functions.[vi]
A. 6 of GDPR further elaborates on the lawfulness of personal data processing. It outlines six lawful bases for processing personal data.[vii] These include obtaining explicit and unambiguous consent from the data subject, execution of any contractual obligations, compliance with legal obligations, protecting vital interests or, simply put, saving a life, performing tasks in the public interest or as part of official duties, and pursuing legitimate interests that do not overrule individual rights. Each basis has specific conditions and applications. However, it prohibits public authorities from using legitimate interests as a basis for performing their official tasks. Data controllers must identify and document the appropriate lawful basis before processing personal data, ensuring their actions align with GDPR compliance and respect individuals’ privacy rights. Consent is an inalienable part of privacy and dignity rights; hence, GDPR further describes what constitutes valid consent. Its consent requirements demand that individuals’ agreement to data processing be voluntary, specific, informed, and unambiguous. Consent requests must be distinct from other matters and use simple language. Importantly, the data subject must be able to withdraw consent at any time, and the data controller must respect this decision without switching to alternative processing grounds. For children under 13 years of age, parental approval is necessary. Data controllers must maintain records proving they have obtained proper and valid consent. These rules aim to empower individuals with genuine choice and control over their data while ensuring transparency and accountability in data collection practices. Compliance involves an ongoing commitment to respecting these consent principles.[viii] Data protection is important, and only an ignorant person would say otherwise. No business today can afford to be that ignorant.
Fair Information Practice Principles
The Fair Information Practice Principles (‘FIPPs’) are largely based on OECD Guidelines framed following the EU data protection and privacy laws that restricted the transborder flow of data to and through countries that offered limited or inadequate protection to the personal data of European residents. These guidelines were enacted in 1980 when the internet was newly revolutionising the world, the Cold War was at its height, and the world’s economies were both transitioning and transforming. Personal and non-personal data was anticipated to become the new gold. There was fear among the major economic powers that privacy and data protection laws could be used as arbitrary tools to create trade barriers. To alleviate such apprehensions, OECD member nations agreed to adopt 1980 guidelines promoting international cooperation. The OECD Guidelines serve twofold purposes: safeguarding privacy rights and personal freedoms and promoting unrestricted information exchange among OECD member nations. The guidelines are non-binding and are in the form of recommendations. However, most data protection and privacy laws, including those of nations outside of the OECD, have incorporated its core principles.
Essentially, FIPPs have eight principles at their core: Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing. These principles have also been incorporated into GDPR, as seen from the overlap between these and the principles enshrined under a. 5 of the GDPR. The principle concerning individual participation has not been listed under a. 5 of GDPR but is recognised under ch. 3, where the data subject’s rights have been identified.[ix] FIPPs have become the golden standard for enacting privacy guidelines, together with the GDPR.
Special Categories of Data under A. 9 of GDPR
Not all personal data are the same; some are more sensitive than others, and thus, the degree of protection extended to personal data varies depending on the nature of the data. A. 9 of the GDPR recognises certain categories of data as more sensitive and thus special. Personal data that are very sensitive and concerned with fundamental rights and freedoms merit specific protection as their abuse could create significant risks to fundamental rights, especially the most cherished right to liberty.[x] GDPR prohibits processing sensitive personal data that could lead to discrimination or invasion of privacy. It specifically bans handling information that reveals an individual’s racial or ethnic background, political leanings, religious or philosophical views, and union membership. Additionally, it forbids the processing of genetic data, biometric information used for identification purposes, health-related data, and details about a person’s sex life or sexual orientation. The aim is to protect individuals against potential misuse of their most private and sensitive information. However, this does not include personal data revealing or concerning criminal charges, proceedings, and convictions. Special category data includes sensitive personal data and those that reveal or concern the above data types through common inference.
A. 9 of GDPR also lists conditions under which special categories of data are allowed to be processed. These include obtaining express consent from the individual, handling data for employment or social security purposes as authorised by law, protecting vital interests, processing by non-profit organisations, using information already made public by the data subject, addressing legal claims or judicial matters, serving substantial public interests with a legal basis, managing health or social care as legally permitted, addressing public health concerns within legal frameworks, and conducting archiving, research, or statistical work with proper legal authorisation. These conditions aim to balance individuals’ right to data protection with the duty to data processing in specific scenarios backed by legal sanctions.
When discussing special categories of data, mentioning Personally Identifiable Information (‘PII’) is a must. PII refers to data that can help identify an individual or reveal their identity. They are further classified as sensitive and non-sensitive, having two categories of identifiers – direct and indirect. Sensitive PIIs directly identify an individual and, if compromised, can be exploited to cause harm to the concerned individual. Examples of sensitive PIIs include biometric data, genetic data, social security numbers, and financial information. Non-sensitive PIIs, on the other hand, refer to data that can identify an individual but whose isolated breach cannot cause harm to the concerned individual, such as a mother’s maiden name, email address, or phone number. However, the criteria for classifying data as non-sensitive or sensitive are often debatable. In a world enabled by the Internet of Things (‘IoT’), where digital devices like phones and smartwatches have become extensions of a person’s physical existence, can email addresses and mobile numbers truly be classified as non-sensitive data? In a world where social media has such influence that it can shape the outcome of democratic elections in countries like the USA and India, the prevailing classification of sensitive and non-sensitive data seems outdated.
What Say You, DPDPA?
The Digital Personal Data Protection Act, 2023[xi] (‘DPDPA’) provides for the lawful processing of digital personal data, balancing the right of individuals to protect their data and the need to process such personal data in India. In 2018, the Supreme Court of India (‘SC’) delivered a judgment[xii] on the issues pertaining to the constitutionality of the Aadhaar Card and associated data privacy concerns. The case was a landmark in Indian data protection and informational privacy jurisprudence. Although the court upheld the validity of linking Aadhaar with PAN[xiii] and the use of Aadhaar data for welfare schemes and benefit transfers, it refused to allow the mandatory linking of Aadhaar data with an individual’s bank account or the demand by private companies to disclose Aadhaar data for providing their services. Advocating the right to informational privacy, Justice D. Y. Chandrachud opined that the collection of personal data must be tested on the grounds of legitimate interest, necessity, and proportionality and that the state has a positive obligation to protect its citizens’ informational privacy. The echoes of this judgment can be found in the DPDPA, which, with some differences, incorporates most of the core data protection principles under both GDPR and the FIPPs.
Unlike GDPR, which provides six lawful bases for processing personal data under a. 6, DPDPA only lists two grounds for lawful processing of data under s. 4: processing of data for which the individual has consented and processing data for certain legitimate uses. S. 6(1) of DPDPA further defines consent as free, specific, informed, unconditional, and unambiguous, with clear affirmative action, signifying agreement to the processing of personal data for the specified purpose and being limited to such personal data as is necessary for such specified purpose.
Consent under DPDPA aligns with the definition of consent under GDPR but poses an additional qualification of ‘unconditional’ consent, making it stricter. Furthermore, DPDPA does not classify data into special categories like GDPR or differentiate the degree of protection extended to personal data based on their sensitivity. However, the DPDPA, being an Act for the protection of digital personal data by default, has its scope narrowed compared to the GDPR, which includes all personal data.
Analytical Conclusion
The protection of personal data has become increasingly crucial in our digital age. Memories fade, and so do physical data, but what about digital data? Data storage has been revolutionised in modern times. Remember when Feynman, in his famous lecture, “There is Plenty of Room at The Bottom,” proposed the idea of writing an entire Encyclopaedia at the tip of a needle?[xiv] It does not sound very remarkable now, does it? Why care for a needle when we store tonnes of data in clouds? Unlike our memories, cloud memories and the data they store do not fade. In 2014, Mario Costeja González felt victimised by this very ability of data in the digital age. Does a man not have a right to move past his humiliating history and heal? Expecting the world to forgive and forget something that is no longer harmful to anyone is not unreasonable and very much within the ambit of a person’s right to privacy. In what is otherwise known as the Google Spain Case[xv], the right to be forgotten was recognised as a fundamental right under EU law. In 2017, in the case of Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India[xvi], the right to be forgotten was acknowledged as a part of the right to life under a. 21, integral to privacy. The rights of data subjects under GDPR and DPDPA to edit or erase data and the accuracy and storage principles of data processing and protection are also a nod to the right to be forgotten. To live, one must learn to forget.
The GDPR and OECD Guidelines have set important standards for data protection, emphasising principles such as transparency, consent, and data minimisation. These frameworks aim to balance the need for data processing with individuals’ rights to privacy and control over their personal information. While the GDPR provides a comprehensive approach, including special protections for sensitive data categories, India’s DPDPA takes a somewhat different path. Though more limited in scope, focusing solely on digital personal data, the DPDPA incorporates core data protection principles and introduces some unique elements, such as the requirement for ‘unconditional’ consent. As technology continues to evolve and the lines between sensitive and non-sensitive data blur, it is clear that data protection laws and practices must also adapt. The challenge moving forward will be to maintain robust protections for individual privacy while allowing for necessary and beneficial data processing. This will require ongoing dialogue between lawmakers, technologists, and citizens to ensure that data protection frameworks remain relevant and effective in an ever-changing digital landscape.
Ultimately, the goal is to create a world where individuals can benefit from technological advancements without sacrificing their fundamental right to privacy and data protection. As we navigate this complex terrain, the principles laid out in frameworks like the GDPR, OECD Guidelines, and DPDPA will continue to serve as important guideposts for responsible data handling and privacy protection.
End Notes
[i] Rousseau, J. J. (1762). The Social Contract (M. Cranston, Trans.). London: Penguin Books. (Original work published 1762).
[ii] OECD. (1960, December 14). Convention on the Organisation for Economic Co-operation and Development.
[iii] Regulation (EU) 2018/1725 of the European Parliament.
[iv] [2019] EWHC 954 (Ch).
[v] Chapter 2 (Article 5-11) – Principles, GDPR.
[vi] Recital 39 - Principles of Data Processing, GDPR.
[vii] Supra Note 2.
[viii] Article 7 - Conditions for Consent, GDPR.
[ix] Chapter 3 (Article 12-23) – Rights of the Data Subject, GDPR.
[x] Recital 51 - Genetic Data, Biometric Data and Data concerning Health, GDPR.
[xi] Digital Personal Data Protection Act, 2023.
[xii] Justice K.S. Puttaswamy and Anr. vs. Union of India (UOI) and Ors. (2019) 1 SCC 1.
[xiii] Permanent Account Number.
[xiv] Feynman, R. P. (1960). There is plenty of room at the bottom. Engineering and Science, 23(5), 22-36.
[xv] Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (Case C-131/12) [2014] ECLI:EU:C:2014:317.
[xvi] Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India, (2017) 10 SCC 1.
Authored by Shivangi Bhardwaj, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinion.