India’s digital personal data protection act: Striking a balance between privacy rights and public data

The recently enacted Digital Personal Data Protection Act, 2023 (“DPA”) introduces a notable exemption in its applicability, exempting personal data of an individual that is made publicly available by the same individual. The DPA itself provides a scenario as an illustration of this principle: an individual, X, while blogging her views, has publicly made available her personal data on social media. Consequently, the personal data of X published by her on social media would not fall within the protective ambit of the DPA. This exclusion, we argue, significantly dilutes the primary objective of the DPA of safeguarding the right of individuals to protect their personal data.

This issue of privacy in publicly shared information was not overlooked during the legislative process. The issue was considered by the Sri Krishna Committee (“Committee”) initially constituted to draft the data protection bill. The Committee recognised the pros and cons of both too strict an interpretation of the voluntary actions of the data principals and a lax approach to data privacy. Restricting data processing of publicly available information could hinder free speech, especially concerning public figures or journalistic activities. Yet, unchecked data analytics and profiling can infringe on privacy and stifle free speech despite the reduced expectation of privacy. The Committee accordingly concluded that processing of this nature should be subjected to all other obligations (such as necessity, proportionality and purpose) of data processing, with the exception of consent.

The above principle was encapsulated in the initial bill, the Personal Data Protection Bill of 2018 (“PDPB 2018”), which contemplated a ‘reasonable purpose’ ground for the processing of ‘publicly available personal data’. Section 17(1) mandated that the data could only be processed taking into consideration:

“(a) the interest of the data fiduciary in processing for that purpose;

(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal;

(c) any public interest in processing for that purpose;

(d) the effect of the processing activity on the rights of the data principal; and

(e) the reasonable expectations of the data principal having regard to the context of the processing.”

The PDPB 2018 further stipulated that if the authority specifies a reasonable purpose, it shall lay down such safeguards as may be appropriate to ensure the protection of the rights of data principals along with determining whether the obligation of notifying the data principal will not apply. These provisions demonstrate the clear intent to safeguard the private data available in the public domain from illegitimate processing, thus balancing the interests of the data fiduciary and the rights of the data principal as contemplated by the Committee.

Lalu John Philip
Partner
JSA



In the evolution of this legislation, subsequent drafts, including the Personal Data Protection Bill of 2019 and the Digital Personal Data Protection Bill of 2022, also addressed the issue of publicly available personal data, albeit with varying degrees of protection. However, in a significant shift, the DPA has eliminated protections previously contemplated for such data and adopts a conventional view of privacy, whereby information voluntarily shared with third parties or publicly accessible receives no privacy protection, on the notion that making data public diminishes the privacy expectations attached to such data. We believe this notion is ill-suited to the social media and web-scraping era.

For instance, there are more than 314 million Facebook users in India. A significant majority of these users have published their names, photographs and other personal details on Facebook, potentially losing autonomy over this data. Even under the current framework of the DPA, it could be argued that if a user, while publishing their personal information on a social media site, restricts access to their profile to select people personally known to the user, such profile data should not be considered publicly available. However, the mere failure of users to update their settings across various social media platforms should not be the sole criterion for depriving them of legal protections over their personal information. Further, even if an individual deletes their data from a social media account, the services that have already scraped the data could continue to use and share such information.

Krutamana Pisipati
Associate
JSA



In contrast to the DPA’s approach, the EU’s GDPR, a model for the DPA, does not provide such broad exemptions for publicly available information. Under the GDPR, even if one obtains personal information from other sources, there is an obligation to inform the individual concerned, including on aspects such as the purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with. Singapore, under its Personal Data Protection Act 2012, provides narrower exemptions, such as exemptions from obtaining consent from the individual concerned. Nonetheless, the generally accepted international standard is that personal information that is publicly accessible is still subject to data protection and privacy laws, as is evident from the joint statement issued by the data protection authorities of 12 jurisdictions. This perspective also aligns with the Supreme Court of India’s observations in the case of District Registrar v. Canara Bank, wherein the Court upheld that voluntarily shared information could retain its expectation of confidentiality and privacy.

Given the potential for abuse of personal information available on the internet by web scrapers, it is imperative that as the DPA evolves, it undergoes amendments to align with contemporary international standards and adequately recognises the necessity of balancing the interests of the data fiduciary with the rights of the data principals, mirroring perhaps the balanced approach initially proposed in the Personal Data Protection Bill of 2018.

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members
