Data processing
What is Data Processing?
Data processing is generally understood as converting raw data into useful information. It involves any action or series of actions on data, such as collecting, organizing, structuring, recording, altering or storing it. Processing can be entirely manual or, more commonly today, automated by software and computers. For example, IBM defines data processing as “the conversion of raw data into usable information through structured steps such as data collection, preparation, analysis and storage”[1]. In the legal context, “processing” is an umbrella term covering almost any operation performed on data or databases.
Official Definition of Data Processing
Data Processing as defined in legislation
“Processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.[1]
Digital Personal Data Protection Act
Section 3 of the Digital Personal Data Protection Act, 2023 stipulates that the Act shall apply to the processing of digital personal data within the territory of India. The Act shall also apply to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India. Thus, under the DPDP Act only operations on digital personal data fall under the Act’s scope.
Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011
The term ‘processing’ has not been defined under the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011. The Information Technology Act, 2000, while not defining ‘processing’, states that data could be processed in a computer system or computer network and may be stored internally in the memory of the computer.[2] The IT Act says that “data” means any representation of information intended to be processed in a computer system or network, whether stored on printouts, magnetic or optical storage, or even in the internal memory of a computer. In other words, the IT Act envisioned that information (data) would be processed and stored digitally, but it did not separately define the term “processing.”
Data Processing as defined in official government report
- The report of the Expert Committee, which made the 2008 amendments to the IT Act, did not provide a definition for ‘data processing’. However, the 2008 Amendment to the IT Act was successful in bringing about significant changes related to data protection and privacy. It introduced Section 43A which provides for ‘compensation for failure to protect data’. It also introduced provisions to deal with cybercrime and focused on security and accountability frameworks for handling personal data.
- A Group of Experts under the chairmanship of Justice AP Shah, former Chief Justice of Delhi, was constituted in 2011 to study the privacy laws and make recommendations to protect data privacy in India. The report outlined nine principles that were central to and defined the Right to Privacy. The Privacy Principles were central to ensuring that the data controller is accountable for processing data and ensuring the privacy of data.
- The Justice BN Srikrishna Committee of Experts on Data Protection published its report on the “Data Protection Framework” to the Government in 2018. The report covered the ‘processing’ of personal data by private and public entities. The report also stressed ensuring that consent is the centrepiece of data sharing. The report also provided for the state to process data without the consent of the user on the grounds of public welfare, law and order and emergency situations. The Committee made specific mention of the need to have stringent norms governing the protection of children’s data. The Committee also proposed a draft Personal Data Protection Bill.
- The Personal Data Protection Bill, 2018 defines ‘processing’, in relation to personal data, as an operation or set of operations performed on personal data, which may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
- The Parliament had introduced the Personal Data Protection Bill, 2019 to provide for the protection of the personal data of individuals and provide a framework for processing personal data. The 2019 Bill had marked differences with the 2018 Personal Data Protection Bill. The 2019 Bill provided for the government to exempt any agency from provisions of the Act for processing of personal data in the interest of the security of the state, public order, friendly relations with foreign states and emergency situations. The 2019 Bill provided that re-identification and processing of de-identified personal data without consent is the only offence punishable with imprisonment. The 2019 Bill was referred to a Joint Parliamentary Committee [JPC] for detailed examination. The JPC made recommendations pertaining to the timeline for implementation of the Bill.
- The Data Protection Bill, 2021 was applicable to the processing of personal data which has been collected, shared or otherwise processed in India or to the processing of personal data by the State or State bodies, Indian corporate entities and citizens.
- The Digital Personal Data Protection Bill defined processing as automated action or series of actions carried out on digital personal data such as collection, structuring, storage, modification, retrieval, transmission or otherwise making the data accessible.[3]
- The Digital Personal Data Protection Act, 2023 defines processing similarly to the Data Protection Bill of 2021 under Section 2(x).
Data Processing as defined in International Instrument
The OECD Privacy Guidelines are the first internationally agreed-upon principles which have resulted in data protection frameworks across nations. The Guidelines were a response to the growing concerns about the impact on individual rights arising from the processing of personal data. They emphasize lawful and fair processing of personal data, data quality, security safeguards, and cross-border data flows. These principles influenced later national laws worldwide.[2]
The African Union Convention on Cyber Security and Personal Data Protection provides a comprehensive framework for data processing and is aimed at strengthening the protection of data.[4] The Convention stipulates that any form of data processing must respect the fundamental rights of the individuals, the prerogatives of the State, the rights of local communities and the purposes for which the businesses were established. Article 10 of the Convention provides for preliminary formalities which are to be satisfied prior to processing personal data. Furthermore, Section III of the Convention provides obligations relating to conditions governing personal data processing. The Convention places great emphasis on ensuring that processing is done with the consent of the individual. The Convention also provides for processing to be governed by the principles of lawfulness and fairness.
The EU Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data is an international treaty and was the first binding international treaty on data protection, which focuses on data protection across European and non-European countries. The Convention concerns automated processing of personal data, as opposed to manual processing. The Convention requires parties to set up a supervisory mechanism to ensure protection of individual personal data. The Convention also has provisions for transborder flow of personal data.[5] The Convention updates the original Convention 108 and focuses on the automated processing of personal data: it obliges parties to enact domestic laws ensuring respect for fundamental human rights in data processing,[3] and its Additional Protocol (2001) requires each party to establish an independent data protection authority to supervise processing and handle cross-border data flows.[4] In short, international frameworks uniformly impose strict conditions on lawful processing, especially of personal data, and promote accountability and safeguards for individuals’ privacy.
Types of Data Processing
Data Collection: Gathering information (personal or non-personal) for a specific purpose. For example, an online form collects a user’s name and email when they sign up for a service. Under data protection laws, collection must usually be for legitimate and specified purposes.
Data Use: Any action where collected data is reviewed or used for some purpose (e.g. using purchase history to recommend products). Under data protection, use must align with the purposes declared at collection.
Data Transfer: Data Transfer is the process of moving data from one location to another. The transfer of data could take place between devices, systems, organizations or countries and can be enabled through several mediums such as cables, the internet or wireless networks. The DPDP Act regulates cross-border data transfers, requiring data fiduciaries to follow specified procedures and obtain approvals before transferring personal data out of India.
Data Storage: Data Storage means the retention and preservation of data in a medium for subsequent retrieval: the data is recorded and saved in a storage system for future use. This could be on servers, in the cloud, on hard drives, etc. Secure storage (e.g. encryption, access controls) is a key obligation under the DPDP Act to prevent breaches.
The terms outlined above collectively form integral parts of ‘processing’ data as per the Digital Personal Data Protection Act, 2023.
Data Profiling: Data Profiling refers to the processing of personal data which analyses behavioral aspects, attributes and interests of the individual. It can be used to generate profiles about the individual and predict the individual’s behavior. It can additionally be used to analyse aspects of the individual such as personal preferences, interests, movements and economic situation. In short, profiling is any processing of personal data that analyzes or predicts a person’s behavior, interests, preferences or other attributes, for example, using browsing history to build a profile of a user’s interests. The EU GDPR explicitly defines profiling as “any form of automated processing of personal data to evaluate, analyze or predict personal aspects” about an individual.[5] Profiling can be used to generate predictive models (e.g. credit scoring, targeted advertising). Under many data protection regimes, profiling is subject to special rules (for instance, individuals may have rights to object to automated profiling).
International Framework
DOMESTIC LAWS
European GDPR
The European Union’s General Data Protection Regulation (GDPR) is the strongest privacy law in the world. The GDPR was adopted in 2016 and has updated and modernized the principles of the 1995 Data Protection Directive. It applies to all processing of personal data within the EU and even to entities outside the EU offering goods or services to EU residents. The GDPR entered into application in 2018 and unifies data privacy law across the European Union (EU). Article 4 of the GDPR[6] defines processing as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’. Article 6 of the GDPR outlines circumstances that allow for the lawful processing of personal data. Article 6(2) of the GDPR stipulates that EU Member States can introduce specific provisions to adapt the application of the rules of this Regulation by providing more specific requirements for the lawful and fair processing of data. The European Data Protection Board has recently prepared Guidelines 1/2024 on the processing of personal data based on Article 6(1)(f) of GDPR. Article 6(1)(f) of GDPR concerns the lawful processing of personal data for the purpose of legitimate interests of the controller or third party, except where the interests are overridden by the fundamental rights of the data subject, particularly when the data subject is a child. The main objective of the guidelines is to assess whether Article 6(1)(f) of GDPR may be invoked as a valid legal basis for the processing of personal data. The European Data Protection Board has not finalised the Guidelines and has opened the same for comments.
SINGAPORE PDPA
The Singapore Personal Data Protection Act, 2012 defines processing as “carrying out of any operation or set of operations in relation to personal data and includes any of the following such as recording, holding, organisation, adaptation or alteration, retrieval, combination, transmission and erasure or destruction”. In other words, Singapore law likewise treats any handling of personal data from collection to deletion as “processing.” The PDPA also requires organizations to have justifiable purposes for collection and to obtain consent for processing, akin to the consent-centric approach in GDPR and India’s DPDP Act. The Act applies to the processing of personal data by organizations within Singapore, including when an organization may collect personal data overseas and transfer it to the city-state.
DEVIATIONS FROM INDIAN PRACTICE
India’s DPDP Act shares many features with GDPR, but there are notable differences. The DPDP Act pays special attention to children’s data: it defines a child as under age 18 and explicitly prohibits tracking or behavioral monitoring of children and targeted advertising directed at children.[6] It also mandates verifiable parental consent before processing a child’s personal data. In contrast, the GDPR does not have an outright ban on targeted ads to children, though GDPR does set a parental consent age of 16 for online services, unless member states lower it to 13. Thus, India’s law is stricter in this regard. Another difference is breach notification: the DPDP Act requires that any personal data breach must be promptly reported to the Data Protection Board and to each affected individual.[7] Under the GDPR, by contrast, organizations must notify the supervisory authority of any breach within 72 hours (unless it’s unlikely to pose risk), but they are required to notify data subjects only if the breach is likely to result in a high risk to their rights and freedoms.[8] (If the risk is low, the GDPR does not obligate informing each user.) These examples show that while the core concept of processing is similar, certain obligations in the DPDP Act, such as stronger protections for children and mandatory broad breach notification, go beyond those in the GDPR.
RIGHTS UNDER DPDP Act
The Digital Personal Data Protection Act envisages a Data Protection Board of India.[7] The Board shall have the power to direct mitigatory and remedial measures to correct personal data breaches. The Act provides for the Board to conduct inquiry into complaints of data breach and impose penalties. The Act empowers the data principals, the individuals to whom the personal data relates, with several rights such as the right to access a summary of personal data that is being processed and the right to correct, complete and update the processed data. The Act empowers citizens to control their personal data and ensures accountability on the part of organisations, thus playing a vital role in shaping India’s digital landscape.
At the same time, the Act empowers data principals (individuals) with specific rights. It grants[8] the right of access: a person can request from the data fiduciary a summary of what personal data is being processed about them, the purposes of processing, and the parties with whom it has been shared. It further grants the right to correction, completion, updating or erasure of personal data for which the individual had given consent. In practice, this means an individual can get inaccurate data about them corrected, ask that outdated information be updated, or that no longer needed data be erased. By combining these rights with enforcement by the Board, the DPDP Act aims to give individuals control over their data and compel organizations to be transparent and secure in their data processing.
AUTOMATED PROCESSING v. MANUAL PROCESSING
Automated Processing refers to the use of software that processes data without any human involvement. The technology used in automated processing could comprise computers and software which perform processing-related tasks such as collection, storage and analysis. The Digital Personal Data Protection Act defines ‘automated’ as any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data. The DPDP Act’s very definition of processing emphasizes automation: it applies to “wholly or partly automated operations” on digital personal data. The use of technology to process data makes the process smoother and more efficient.
Manual Processing of data means that the processing of data is done completely by human beings without using automatic technologies or software. It is a basic form of data processing and is labour-intensive. Data is manually collected and moved from place to place and is processed by individuals. It is more time-consuming and could be more prone to errors owing to human fallibility. The DPDP Act explicitly covers only digital (computerized) data; purely manual data processing falls outside its scope, a notable contrast with some older laws. Indeed, the title of Council of Europe Convention 108 itself highlights “automatic processing,” reflecting an older distinction between computerized and manual filing systems.[9] In practice, most modern data processing is automated; therefore the DPDP Act focuses on these activities, aligning with international norms that emphasize securing computerized personal data.
Under the DPDPA, "processing" applies exclusively to operations (such as collection, use, storage, or transfer) conducted on digital personal data that involve full or partial automation. Consequently, unlike the GDPR, the DPDPA does not aim to govern any processing activities that are entirely manual or non-automated.
- The Digital Personal Data Protection Act, 2023, Section 2(x).
- The Information Technology Act, 2000, Section 2(o).
- The Digital Personal Data Protection Bill, 2022, Section 2(16).
- African Union Convention on Cyber Security and Personal Data Protection, Article 8.
- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Article 12.
- GDPR, 2016, Article 4.
- The Digital Personal Data Protection Act, 2023, Section 18.
- The Digital Personal Data Protection Act, 2023, Section 12.
