With the advent of technology and the world of the Internet on rise, cyberspace is growing at a faster pace than ever before. Undoubtedly, this has made human lives as well as human interaction faster, easier and even smarter. But as is said – “nothing comes without a price” – When it comes to the digital age, the privacy of the people is the cost we pay for the comfort of increased and better connectivity.
In India, when Aadhaar was issued, there was an uproar that this 12-digit individual identification number which is issued by the Unique Identification Authority of India (UIDAI) violates the privacy of the citizens as it has the effect of placing the personal information of an individual in the public domain. However, the need of Aadhaar was adjudicated by the Hon’ble Supreme Court (SC) on the basis of providing benefit to the weaker or the marginalised section of our society.
The SC, in its landmark judgement in the case of Justice K. S. Puttaswamy (Retd.) v. Union of India (2017 10 SCC 1) (the Puttaswamy Case), declared Right to Privacy as an essential part of the Fundamental Right to Life enshrined under Article 21 of the Constitution of India, subject to certain restrictions. Even though not an absolute right, the Right to Privacy was a stepping stone in safeguarding the personal information of the citizens.
WHAT IS ANONYMOUS DATA?
‘Anonymous’, in a very literal sense, means unidentified or incognito. The data that is disclosed in the public domain under the name of ‘Anonymous Data’ aims to hide the real identity of the individual to whom that data belongs and such process of hiding the identity of the concerned individual is known as ‘Data Anonymisation’. This process severs the link of getting direct information of individuals by encrypting it and is used to conceal the identity of the concerned individual(s) while accessing data like Social Security Number, phone number, bank account details etc.
This process has been implemented by several Data Fiduciaries and/or Data Processors as it processes and further transfers the data to the third parties without disclosing the actual identity of such person and/or corporation.
In day-to-day life, almost every piece of information is readily available over the cyberspace. Be it an individual’s name, date of birth, or other such personal details, everything can be retrieved with ease, which gradually puts the privacy of an individual at risk. Corporations and legal entities are also not exempted from this potential risk and hence, even they need to carry out the process of Data Anonymisation in order to secure their confidential information. In particular, corporations from the Pharmaceutical, E-Commerce, Legal, Banking, etc. lay a lot of emphasis on Data Anonymisation due to the increased burden of confidentiality that they owe to their customers.
It is also pertinent to note that this process of Data Anonymisation is not any illegal concealment of information as such anonymity is required to protect the interests of the individuals. It typically means that even if the information will be available on the public domain, it will remain anonymous.
REGULATIONS GOVERNING ANONYMOUS DATA
Considering the importance of protecting an individual’s privacy in the current age of digitisation, several measures have been taken globally, in particular with the objective of providing a legal status to Data Anonymisation.
1. General Data Protection Regulation
The most pivotal regulation for the purpose of understanding the scope of Data Anonymisation is the General Data Protection Regulation (GDPR) enacted by the European Union (EU). GDPR is a uniform law enacted to provide a set of rules and regulations that would be standard for all the members of the EU.
However, Recital 26 of the GDPR explicitly states that the Regulation shall not be applicable to the processing of anonymous information which includes statistical and/or Research and Development (R&D) purposes. The primary crux of anonymous information being excluded from the ambit of GDPR is that the principles of data protection are to be applied in case of ‘any information concerning an identified or identifiable natural person’.
Furthermore, GDPR states that any personal information which undergoes ‘pseudonymisation’, and could be attributed to a natural person if additional information is incorporated, shall come under the ambit of any information concerning ‘identifiable natural person’. Therefore, the GDPR states that the principles of data protection shall not be applicable to Anonymous Data which does not relate to an identified or identifiable natural person.
2. Personal Data Protection Bill, 2019
The uproar on the issue of violation of privacy in the aftermath of enactment of Aadhaar as well as the judgement in the Puttaswamy Case fuelled the nation very strongly to bring in a comprehensive legislation that protects the data and the information of the citizens which, especially by virtue of Aadhaar, had become open and accessible to anyone and everyone. In the backdrop of the same, the Personal Data Protection Bill (PDPB) was introduced in 2019.
However, specifically with regards to Anonymous Data, the provisions of the PDPB shall not be applicable and the same is explicitly mentioned in Section 2 (B) of the PDPB. The only exception to this particular provision is Section 91 of the PDPB wherein the Central Government (CG), in consultation with the Data Protection Authority (DPA), can direct any Data Fiduciary or Data Processor to provide Anonymised Personal Data or other Non-Personal Data (NPD) in order to enable better public services or evidence-based policies by the Government.
PDPB also provides the definition of ‘Anonymisation’ and ‘Anonymised Data’ in Sections 3(2) and 3(3), respectively. Section 3(2) defines ‘Anonymisation’ as an irreversible process of converting Personal Data to a form in which the Data Principal cannot be identified, and also meets the standards of irreversibility as specified by the DPA, and the data that undergoes such ‘anonymisation’ would amount to ‘Anonymous Data’, as specified under Section 3(3).
Therefore, the PDPB specifically defines what should be considered as Anonymisation and Anonymous Data and explicitly states that the provisions of the PDPB shall not be applicable to the same. Hence, the processing of Anonymous Data remains largely unregulated in India.
IS ANONYMOUS DATA REALLY ANONYMOUS?
Despite Anonymisation of data being a relatively well-discussed and well-recognised concept, it is very difficult to say with certainty that the data that undergoes such processing actually remains anonymous. The Data Fiduciary or Data Processor may not readily provide access to the data because of the anonymisation carried out, but majority of the times, the disclosure inadvertently takes place from the user’s end.
In our day-to-day lives, while accessing various websites and applications, most of the times Pop-Up Window or Disclaimers are displayed to which we usually agree. However, it is important to understand that the Cookies collected or the disclaimers that we give our acceptance to end up making a lot of our information visible. Such data gradually gets collected with companies over time, increasing the likelihood of it ending up in the public domain.
In such case, the burden of proof cannot be put upon Data Fiduciaries or Data Processors nor can their accountability be questioned since the breach or the leakage does not occur on their part. The current regulatory framework is, thus, rendered largely ineffective since, effectively, there is no accused party. Rather, the accused becomes the ‘anonymous’ party, making it even more difficult and tedious a task to track down the real culprit.
Protecting the data or the information belonging and/or relating to an individual is the need of the hour both ethically as well as pragmatically. As individuals, we not only prefer but also deserve to not have our choices be scrutinized or our lives constantly intruded into. This is the entire crux of why Privacy has now been read into the ambit of the Fundamental Right to Life under Article 21.
Choosing to share one’s information openly or discreetly, as well as controlling how and to what extent such information is made available in the public domain, should be entirely an individual’s choice. Data Anonymisation is, thus, a major step towards achieving and serving the very basic purpose of why privacy is considered as a Fundamental Right.
While India’s PDPB is indeed a firm and efficient step in this direction, there’s still a long journey ahead before the regulatory framework governing Data Anonymisation, in particular, is legally as well as technologically sound and reliable enough to inspire confidence in people. Moving forward, only time will tell whether the PDPB, after its enactment, truly serves its due purpose and regulates the storage and processing of data satisfactorily in this technological age.
– Team AMLEGALS, assisted by Ms. Ritisha Choudhary (Intern)
For any query or feedback, please feel free to connect with firstname.lastname@example.org or email@example.com.