This article explores the crucial intersection of data protection and complex litigation, highlighting the essential role of careful data management in preserving individual privacy. As our world becomes more connected and digital, we face an overwhelming surge in data. We dissect the foundations of India's Digital Personal Data Protection Act ('DPDPA') and compare it to global standards like the GDPR. The discussion underscores the pressing need for tailored regulations to manage the unique challenges of extensive data exchanges across diverse legal landscapes, aiming to protect personal information and maintain trust.
I. Introduction
Concerns regarding data protection and management are not new. The protection of data has long been considered an inalienable part of individual privacy rights. With increasing global interconnectedness and the emerging complexities of multi-dimensional organisations, we generate vast amounts of data. Regardless of a business’s location, area of operation, or size, protecting data and privacy is a top priority. However, linking data with an individual and their privacy also limits the extent of the protection guaranteed.
Litigation has always been a multi-dimensional and dynamic exercise. The challenges arising from multiple possible jurisdictions are as old as the law itself. However, the increasing social, physical, and digital connectivity across society has added a new layer to these challenges. Be it a single case spanning multiple jurisdictions or a single client having cases across several jurisdictions, the data generated in these circumstances and its protection has become a herculean task. If not addressed properly and on time, it will soon become a nightmare.
As is often said, data is the new currency. This article is a humble contribution towards understanding the importance of data protection and ways of data management in litigation. The analysis of the existing legal framework for data governance sheds light on the increasing need for protecting non-personal data and re-evaluating the grounds for categorising sensitive and non-sensitive data.
II. Privacy and Data Protection: A Close Association
Privacy and data protection are often closely associated. So far, data protection has been treated as a sub-entity of privacy. The OECD Fair Information Principles[i], adopted in 1980, regulate the transborder flow of personal data to protect privacy. In the same vein, the European Union (‘EU’) Data Protection Directives, 1995 mandated the protection of data and its processing to safeguard individual privacy[ii]. These directives were later replaced by the General Data Protection Regulation (‘GDPR’), which came into full operation in May 2018. The majority of data protection legislation across the globe, including the DPDPA of India, is based on the principles laid by these three policy documents and, hence, pursues data protection and regulation from the perspective of individual privacy rights.
However, privacy is a broad concept, and data protection refers only to the aspect of informational privacy. Data protection is not identical to privacy. Given the rising value of data in modern times, the protection of both personal and non-personal data is required. Especially for business organisations and service providers dealing with tons of client information, it is important to demarcate the line between personal and non-personal data to identify the degree of protection extended to both categories.
III. DPDPA and the Principles of Data Protection
After almost a decade of debate and deliberations, India enacted its first cross-sectoral law on digital data protection, DPDPA. Following the judgement in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors[iii], which recognised privacy as a fundamental right in India, there was a realisation of the need for a comprehensive data protection framework. The unique demographic advantage, by virtue of its sheer population strength and the vast amount of data generated, required protection. DPDPA recognises the rights of the individual to protect their personal data while acknowledging the need to process such personal data for lawful purposes. Key definitions that identify significant elements of the DPDPA's data protection framework include:
Data: S. 2(h) of the DPDPA defines data as a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means.
Data Principal: As per s. 2(j) of the DPDPA, Data Principal means the individual to whom the personal data relates, including parents or lawful guardians for children and persons with disabilities.
Data Fiduciary: S. 2(i) of the DPDPA states that Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
Data Processor: According to s. 2(k) of the DPDPA, data processor means any person who processes personal data on behalf of a Data Fiduciary.
Consent Manager: S. 2(g) of the DPDPA states Consent Manager is a person registered with the Data Protection Board of India (‘Board’) who acts as a single point of contact to enable a Data Principal to give, and manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
DPDPA, like most data protection legislation, intends to facilitate the free flow of lawfully processed data while balancing an individual’s privacy rights. The key principles of data protection under DPDPA are:
Principle of Fair and Lawful Processing: Organizations must process personal data in a lawful manner that is open and clear to the individuals whose data is being handled. There must be a legitimate reason for using someone’s personal information, and those individuals should be informed about how their data will be utilised.
Principle of Purpose Limitation: Personal data should only be gathered for definite, openly stated purposes that are proper and legal. The data cannot then be processed in a way that contradicts the originally specified purposes for which it was collected.
Principle of Data Minimisation: Only personal information that is directly relevant and absolutely necessary for the stated purposes should be acquired and processed by organizations. Excessive or unnecessary data collection is prohibited.
Principle of Storage Limitation: Organizations cannot retain personal data for longer than is required for the purposes for which it was originally gathered. They must establish policies to regularly review and securely dispose of or anonymize unneeded personal information.
Principle of Integrity and Confidentiality: Proper technical and administrative safeguards must be implemented to protect personal data against unauthorised access, unlawful use, accidental loss, damage, or destruction. Access should only be granted to authorized personnel.
Principle of Data Quality and Accuracy: Reasonable efforts must be made to ensure personal data is accurate, complete, and updated promptly. Any inaccurate personal details should be promptly corrected or deleted.
Principle of Accountability: The organizations controlling the processing of personal data are accountable for proving compliance with data protection regulations and principles through proper policies, procedures, and documentation. In case of a data breach, they are duty-bound to inform the Data Principal of the same.
These principles align with the principles of data protection under GDPR; however, they are limited to digitally generated personal data. Therefore, the issue of non-digital or non-personal data protection remains unaddressed. Indian judicial system is still in its nascent stage of digital evolution. The huge amount of data generated by this system is largely not digital, and the line between personal and non-personal data is nowhere as blurred as it is in the case of data generated in the course of litigation.
IV. Complex Multiple Forum Litigation and Generation of Data
Multiple-forum litigation, which spans various jurisdictions, poses significant data protection and management challenges. These legal proceedings involve the exchange and cross-jurisdiction transfer of vast amounts of sensitive information, heightening the risk of data breaches and unauthorised access. The sheer volume of data generated, both digital and non-digital, and their role in legal proceedings further compound the challenge. When relevant to the proceeding, personal and non-personal data need to be shared among various stakeholders and judicial and administrative offices. Failure to adequately protect and manage data can lead to attorney-client privilege breaches, trade secrets disclosure, regulatory sanctions, and reputational damage. Organizations can navigate complex litigation by prioritizing data protection and management strategies while maintaining data integrity, compliance, and stakeholder trust.
V. Classification of Personal and Non-Personal Data
Due to the element of privacy embedded in most data protection legislation, including DPDPA, data is often classified into two broad groups: personal and non-personal data. Personal data refers to any information that can directly or indirectly identify a living person, such as names, contact details, financial records, medical information, and online identifiers. This type of data is subject to stringent regulations safeguarding individual privacy and ensuring lawful data processing. In contrast, non-personal data, also known as anonymous or anonymized data, cannot be linked to a specific individual. Examples include aggregated statistics, business operational data, and information available in the public domain. While not subject to the same rigorous data protection laws as personal data, appropriate security measures and data management practices are still necessary to protect its confidentiality and integrity.
Accurately classifying data as personal or non-personal is crucial for organizations to determine the appropriate level of protection and handling procedures required. Therefore, measures like data mapping, implementing data governance frameworks, and establishing clear policies for data collection, storage, processing, and disposal should be exercised. It is important to note that not all personal data are subject to the same degree of protection. A subset of personal data is further subcategorized as personally identifiable information (‘PII’). Personal data encompasses any information related to an identifiable individual, including direct identifiers like names and contact details and indirect identifiers that could identify someone when combined. However, PII is a subset of personal data that can directly identify, contact, or locate a specific person, such as social security numbers and biometric data. While all PII qualifies as personal data, not all personal data necessarily constitutes PII. PII is further sub-classified into sensitive and non-sensitive categories based on the level of risk associated with its exposure or misuse. Sensitive PII, such as social security numbers, financial account details, and biometric data, requires the highest levels of protection due to the potential for significant harm like identity theft or financial loss. Non-sensitive PII, like names and contact information, carries a relatively lower risk but still necessitates appropriate safeguards to prevent privacy violations or unwanted consequences. Organizations must carefully assess and classify PII as sensitive or non-sensitive, implementing commensurate security measures and data handling protocols to mitigate risks and maintain compliance.
VI. Application of DPDPA in Data Management
Under the DPDPA, privacy is mandated as the default setting, with built-in technologies such as encryption and access controls. The act grants Data Principals rights over their personal data, such as accessing, rectifying, or erasing their information. Data Fiduciaries must have processes to facilitate these requests promptly. In the event of a data breach, the DPDPA requires timely notification to the Board and affected Data Principals, necessitating robust incident response plans. Organizations must conduct data protection impact assessments for high-risk data processing activities to identify and mitigate potential privacy risks before implementation.
DPDPA places certain obligations on both the Data Principal and Data Fiduciary. The Data Fiduciary has to abide by the principles of data protection. At the same time, the Data Principal is equally duty-bound to provide honest and accurate data when disclosed for a specific purpose. Impersonation of a person or misrepresentation of personal data is prohibited.
Adhering to the DPDPA’s principles ensures that organizations prioritize personal data protection through comprehensive data management frameworks. This fosters trust among individuals, mitigates breach and non-compliance risks, and upholds stringent standards for collecting, using, and safeguarding sensitive personal information in the digital age.
VII. Comparison between DPDPA and Global Data Protection Legislation
Data protection regimes across the globe can be largely classified into two models: the right-based model and the marketplace model. In the case of the right-based model, like the GDPR of the EU and the Personal Information Protection and Electronic Documents Act[iv] (‘PIPEDA’) of Canada, data protection is treated as an inalienable aspect of privacy rights, which requires comprehensive legislation for its protection. Marketplace models are sector-specific, and different legislations are applied to different aspects of data protection. The Health Insurance Portability and Accountability Act, 1996 (‘HIPPA’) of the United States of America (‘USA’) is an example of a marketplace data protection model; its application is limited to data protection and management in the health industry. DPDPA is comprehensive legislation in terms of the protection of digital data. Although it excludes non-digital data, it is not a marketplace model which is narrower in its application. Since most right-based data protection models are largely based on GDPR, comparing GDPR and DPDPA offers practical insights.
Both the GDPR and DPDPA have broad territorial scopes, applying to organizations processing data within their regions or targeting their residents from outside. They differ in material scope: GDPR covers all personal data, while DPDPA focuses on digital personal data.
Classification of personal data in GDPR is more detailed, with a separate categorization of special categories of personal data. DPDPA encompasses all types of personal data that exist in digital form regardless of their sensitivity. The standard of compliance under DPDPA does not vary depending on the degree of sensitivity of personal data.
DPDPA defines the characteristics of valid consent as free, specific, informed, unconditional, and unambiguous with clear affirmative action, signifying an agreement to the processing of personal data for the specified purpose and being limited to such personal data as is necessary for such specified purpose. The nature of consent under GDPR is mostly the same, but it does not require the consent to be unconditional like DPDPA.
Given the emphasis of DPDPA on consent, it has created a new entity called a consent manager to oversee the consent given by the Data Principal. There is no consent manager under GDPR.
Under DPDPA, data can only be processed to serve lawful purposes by obtaining the Data Principal’s consent or for certain legitimate usage. Whereas GDPR provides a wider list of six grounds for data processing, like the performance of a contract, compliance with legal obligations, protection of vital interest, the performance of a task in the public interest, pursuit of legitimate interest by the Data Controller (GDPR equivalent of Data Fiduciary) and consent of the Data Subject (GDPR equivalent of Data Principal).
Under the GDPR, comprehensive privacy notices are required for all personal data collection, detailing the data controller, purposes, legal basis of processing, and data subjects’ rights. Conversely, the DPDPA mandates providing notices to Data Principals only when consent is the basis for processing. No notice is required if data is collected or processed for legitimate uses where consent is not needed. Additionally, the DPDPA requires notices to be in local languages, enhancing understanding and accessibility for Data Principals.
Both laws require notifications for personal data breaches. The GDPR mandates reporting breaches that risk data subjects’ rights to authorities, and subjects are notified if there’s a high risk. The DPDPA is stricter, requiring all breaches to be reported to the Board and affected individuals, regardless of risk.
Under the GDPR, transferring personal data outside the EU requires strict regulations, permitting transfers to countries with adequate protections or via mechanisms like Standard Contractual Clauses. The DPDPA lets the Central Government restrict transfers to specific notified countries, using a less prescriptive approach, emphasising governmental discretion for safe jurisdictions.
The GDPR has strict rules for processing children’s data, with a flexible age of consent. The DPDPA defines children as those under 18, requires parental consent, and bans harmful processing of data and targeted advertising.
Despite these differences, the spirit and legislative intent of both legislations are largely the same. Compliance with these regulations will ensure the smooth operations of services offered in any sector, including legal professions.
VIII. Way Forward
The nature of data generated during litigation is such that it cannot be covered under the protection of DPDPA alone. It is also not wise to invoke the fundamental rights of privacy often for the protection of the same, especially since data can be both personal and non-personal. So, how do we secure the data generated across multiple litigation forums and what compliance measures should be followed by a litigation firm to protect itself against the liabilities of possible data breaches? Here, the need for sector-specific data protection regulation, similar to HIPPA, is emphasized. HIPPA focuses on the privacy and security of healthcare information. Interaction between a legal professional and their client and between a healthcare professional and their patient is similar in many ways. Both deal with personal, sensitive, and confidential client and patient data, respectively. Data is valuable and dynamic, but it is also subject to exploitation. Therefore, sector-specific data protection laws are urgently needed. DPDPA alone cannot be the end of the data protection regime in India. It is only the beginning.
IX. Conclusion
The value of data can no longer be expressed in concrete terms. The importance of the protection of data cannot be emphasised enough. Safeguarding data is not only a matter of individual rights but also an important factor in the modern economic world. Interoperability and data protection within a nation’s jurisdiction affect its economy and, consequently, its society. Data protection and economic development go side by side. A robust data protection framework attracts global investment. Emerging frontier technologies like artificial intelligence, the Internet of Things (‘IoT’), machine learning, and big data analytics all require data for development and enhancement. These technologies are the leaders of the fifth industrial revolution. However, threats to data, whether personal or non-personal, digital or non-digital, are also multiplying. Data hacking, data manipulation, and other forms of exploitation are easily carried out. If not safeguarded, data can be weaponized. Market manipulation, behaviour manipulation, and manipulation of socio-political values are already occurring in several cases.
The law adapts to the needs of society and is meant to serve society. Hence, it continuously evolves as society changes. However, if the data generated in the course of litigation across the entire judicial system is not protected against exploitation, such exploitation gains implied legitimacy. Even an individual’s non-personal data, which may not seem significant, can have far-reaching socio-political and economic consequences. Litigation and judicial decisions are ways of expressing concerns in a democratic country. These concerns are eventually reflected in policy decisions and legislation. If the data related to these concerns is not protected, it will have a gradual but devastating impact on society, and the realization will come too late.
End Notes
[i] Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (23 September 1980), http://www.oecd.org/sti/interneteconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.
[ii] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281.
[iii] Justice K.S. Puttaswamy and Anr. v. Union of India and Ors. (2017) 10 SCC 1
[iv] Personal Information Protection and Electronic Documents Act, S.C., 2000, c.5.
Authored by Shivangi Bhardwaj, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinion.