I’m sure that after reading this blog you will think I’m raising unwarranted, unwanted, out-of-context issues and definitions. But I’m writing it because I came across a few platforms where the definition of the Data Principal has been expanded to include the ‘person’ as well. In the paragraphs below I’ll explain, with examples, how this has, at face value or on the façade, confused certain aspects of the definition itself. Again, my blogs don’t merely recite case precedents, acts or rules, but try to take the road not taken. Otherwise, everything is in the reference textbooks or online.
Thus, if a ‘person’ can be defined as including an ‘individual’, and a ‘child’ as a minor as well as a ‘disabled’ person are already explicitly defined, then what precisely was the purpose of defining ‘Data Principal’ in a separate definition, but not the ‘Individual’ alone? It seems, on the façade, that only the ‘personal data’ of the ‘Data Principal’ needs to be protected, and not that of the ‘person(s)’ or ‘individuals’! And if this is true, then it is not in parallel with the GDPR, PIPL etc. Or am I missing something here? Did we forget the need to expand Natural Person after DABUS? Or, as I contended in the case of the EU AI Act, under the presumption of ‘other bodies’, AI can also be included! Take these examples first!
The ‘person’ defined in the DPDP Act doesn’t mention the Data Principal. But the Data Principal is defined separately, and that definition includes the individual, viz. a child and a person with a disability. Wouldn’t it be more lucid had only the ‘person’ been defined, including the definitions of the child and the disabled, which have already been defined separately? The DPDP Act mentions protection of the personal data of the ‘person’ (i.e. citizens). It seems the Data Fiduciary needs to be more compliant with the Data Principal than with the citizens (individuals) in general! Read the Act, and you will get a feel for it.
Now further, it goes on to define ‘personal data’, stating that it is identifiable data about an ‘individual’. But it does not separately define the ‘Individual’ itself. Am I missing something? Besides, in the definition of the ‘person’, firms, incorporated bodies, organizations as such, and the individual have been defined, but not, ‘separately’, an ‘Individual’, which in any case includes the Data Principal! So why a separate Data Principal, and NOT an Individual? Further, ‘personal data’ means any data about an Individual too. Correct?
And who exactly would these ‘Significant Data Fiduciaries’ be guarding then? Only the Data Principal (at face value it looks like only the Data Principal needs to be protected, which is contrary to the likes of the GDPR or PIPL, or even the new Australian law that explicitly mentions only how under-16s should be protected by the social media companies), or, along with it, the ‘person’, which includes an Individual? But what is an individual then, if a ‘person’ is what defines a ‘person’? Why was a separate definition of the Data Principal needed? Would it make sense to reduce the functionality of the Data Fiduciary at face value? And then, wouldn’t it be more logical to define ‘Individual’ as well? Take the examples below to see why I’m mentioning all these things:
Read Chapter II of the DPDP Act, which defines the obligations of the Data Fiduciary, and see what it says:
‘A person may process the personal data of a Data Principal ‘only’ in accordance with the provisions of this Act……’
Does that mean the Data Fiduciary, as a ‘person(s)’, is restricted only to the Data Principal, and NOT to any other ‘person(s)’? Read it for yourself! Does it say otherwise? Or am I missing something? Further, the Act defines the Rights & Duties of the Data Principal in Chapter III. Where are the Rights & Duties of Person(s), or Individuals? Is this whole procedure of appointing a Consent Manager only for the… Data Principal, then? Maybe my analysis is contentious, or is there a discrepancy in the analysis only?
In the illustration sections of the above definitions, again, it gives an example of buying an insurance policy. But would the Data Principal alone buy the insurance policy? Nope! And as I’ve always stated, these clickwrap and browsewrap notices and agreements can be proven invalid, void; and this illustration too gives a good example of that. Another example is given of individuals taking loans and defaulting on the payment, and then the bank processing the personal data under the Exemptions. So, can this in any way be applicable to the Data Principal? Nope! Why would any loan be given, or why would they default on it! Yet these examples are stated just below where the relationships of the Data Fiduciary and the Data Principal have been defined. Or am I missing something?
But again, why include the definition of the Data Principal alone, as if the ‘person’ using another ‘person’s’ personal data is included explicitly! Please show me where it is written that: a person may process personal data of the person(s)……!
Furthermore, as one can read, the Data Principal can delete the data of the Data Principal upon withdrawal of their consent. Then what about the consent of the ‘person’ or ‘individual’?
Maybe just my dilemma! 😊
© Pranav Chaturvedi