Data processing

From Justice Definitions Project

WHAT IS ‘PROCESSING’?

'Data processing' refers to the action of collecting data and transforming it into usable information. It is an umbrella legal concept to capture any technical operation performed on data or a database. Data processing entails any operation or set of operations, such as collecting, organising, structuring, recording, altering or storing data.

OFFICIAL DEFINITION OF PROCESSING

Term as defined in legislation

  • “Processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.[1]
  • Section 3 of the Digital Personal Data Protection Act stipulates that the Act shall apply to the processing of digital personal data within the territory of India. The Act shall also apply to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.
  • SPDI Rules: The term ‘processing’ has not been defined under the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011. The Information Technology Act, 2000, while not defining ‘processing’, states that data could be processed in a computer system or computer network and may be stored internally in the memory of the computer.[2]

Term as defined in official government report

  • The report of the Expert Committee, which made the 2008 amendments to the IT Act, did not provide a definition for ‘data processing’. However, the 2008 Amendment to the IT Act was successful in bringing about significant changes related to data protection and privacy. It introduced Section 43A which provides for ‘compensation for failure to protect data’. It also introduced provisions to deal with cybercrime and focused on security and accountability frameworks for handling personal data.
  • A Group of Experts under the chairmanship of Justice AP Shah, former Chief Justice of Delhi, was constituted in 2011 to study the privacy laws and make recommendations to protect data privacy in India. The report outlined nine principles that were central to and defined the Right to Privacy. The Privacy Principles were central to ensuring that the data controller is accountable for processing data and ensuring the privacy of data.
  • The Justice BN Srikrishna Committee of Experts on Data Protection submitted its report on the “Data Protection Framework” to the Government in 2018. The report covered the ‘processing’ of personal data by private and public entities and stressed that consent should be the centrepiece of data sharing. It also provided for the state to process data without the consent of the user on the grounds of public welfare, law and order and emergency situations. The Committee made specific mention of the need to have stringent norms governing the protection of children’s data. The Committee also proposed a draft Personal Data Protection Bill.
  • The Personal Data Protection Bill, 2018 defines “processing”, in relation to personal data, as an operation or set of operations performed on personal data, which may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
  • The Parliament had introduced the Personal Data Protection Bill, 2019 to provide for the protection of the personal data of individuals and provide a framework for processing personal data. The 2019 Bill had marked differences with the 2018 Personal Data Protection Bill. The 2019 Bill provided for the government to exempt any agency from provisions of the Act for processing of personal data in the interest of the security of the state, public order, friendly relations with foreign states and emergency situations. The 2019 Bill provided that re-identification and processing of de-identified personal data without consent is the only offence punishable with imprisonment. The 2019 Bill was referred to a Joint Parliamentary Committee [JPC] for detailed examination. The JPC made recommendations pertaining to the timeline for implementation of the Bill.
  • The Data Protection Bill, 2021 was applicable to the processing of personal data which has been collected, shared or otherwise processed in India or to the processing of personal data by the State or State bodies, Indian corporate entities and citizens.
  • The Digital Personal Data Protection Bill defined processing as an automated action or series of actions carried out on digital personal data such as collection, structuring, storage, modification, retrieval, transmission or otherwise making the data accessible.[3]
  • The Digital Personal Data Protection Act, 2023 defines processing similarly to the Data Protection Bill of 2021 under Section 2(x).

Legal Provision(s) related to Term

Data Collection: Data Collection refers to the gathering of information (data) for various purposes.

Data Use: Data Use refers to instances where data is reviewed and utilized for varied purposes.

Data Transfer: Data Transfer is the process of moving data from one location to another. The transfer of data could take place between devices, systems, organizations or countries and can be enabled through several mediums such as cables, the internet or wireless networks.

Data Storage: Data Storage means the retention and preservation of data in a medium for subsequent retrieval. It is recorded and saved in a storage system for future use.

The terms outlined above collectively form integral parts of ‘processing’ data as per the Digital Personal Data Protection Act, 2023.

Data Profiling: Data Profiling refers to the processing of personal data which analyses behavioural aspects, attributes and interests of the individual. It can be used to generate profiles about the individual and predict the individual’s behaviour. It can additionally be used to analyse aspects of the individual such as personal preferences, interests, movements and economic situation.

INTERNATIONAL EXPERIENCE

International Framework

The OECD Privacy Guidelines are the first internationally agreed-upon principles which have resulted in data protection frameworks across nations. The Guidelines were a response to the growing concerns about the impact on individual rights arising from the processing of personal data.

The African Union Convention on Cyber Security and Personal Data Protection provides a comprehensive framework for data processing and is aimed at strengthening the protection of data.[4] The Convention stipulates that any form of data processing must respect the fundamental rights of individuals, the prerogatives of the State, the rights of local communities and the purposes for which businesses were established. Article 10 of the Convention provides for preliminary formalities which are to be satisfied prior to processing personal data. Furthermore, Section III of the Convention provides obligations relating to conditions governing personal data processing. The Convention places great emphasis on ensuring that processing is done with the consent of the individual. The Convention also provides for processing to be governed by the principles of lawfulness and fairness.

The EU Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data is an international treaty which focuses on data protection across European and non-European countries. The Convention concerns automated processing of personal data, as opposed to manual processing. The Convention requires parties to set up a supervisory mechanism to ensure protection of individual personal data. The Convention also has provisions for transborder flow of personal data.[5] The Convention updates the original Convention 108 and focuses on enhancing data protection standards globally.

DOMESTIC LAWS

European GDPR

The European Union’s General Data Protection Regulation (GDPR) is the strongest privacy law in the world. The GDPR was adopted in 2016 and has updated and modernized the principles of the 1995 Data Protection Directive. The GDPR entered into application in 2018 and unifies data privacy law across the European Union (EU). Article 4 of the GDPR defines processing as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’. Article 6 of the GDPR outlines circumstances that allow for the lawful processing of personal data. Article 6(2) of the GDPR stipulates that EU Member States can introduce specific provisions to adapt the application of the rules of this Regulation by providing more specific requirements for the lawful and fair processing of data. The European Data Protection Board has recently prepared Guidelines 1/2024 on the processing of personal data based on Article 6(1)(f) of GDPR. Article 6(1)(f) of GDPR is regarding the lawful processing of personal data for the purpose of legitimate interests of the controller or third party, except where the interests are overridden by the fundamental rights of the data subject, particularly when the data subject is a child. The main objective of the guidelines is to assess whether Article 6(1)(f) of GDPR may be invoked as a valid legal basis for the processing of personal data. The European Data Protection Board has not finalised the Guidelines and has opened the same for comments.

Singapore PDPA

The Singapore Personal Data Protection Act, 2012 defines processing as the “carrying out of any operation or set of operations in relation to personal data and includes any of the following such as recording, holding, organisation, adaptation or alteration, retrieval, combination, transmission and erasure or destruction”. The Act applies to the processing of personal data by organizations within Singapore, including when an organization may collect personal data overseas and transfer it to the city-state.

DEVIATIONS FROM INDIAN PRACTICE

There are marked differences between the DPDP and GDPR with regard to children’s data. The GDPR, unlike the DPDP, does not expressly prohibit targeted advertising or behavioural monitoring of children. The DPDP prescribes the necessity for verifiable parental consent and stipulates an express prohibition on processing data that is likely to result in detrimental effects on the well-being of a child. The DPDP additionally requires the data fiduciary to notify the Data Protection Board and the affected data principal in the case of a personal data breach. Unlike the DPDP, the GDPR stipulates an obligation to inform the data subject of a breach only when there is a high risk to the impacted individual.

RIGHTS UNDER DPDP ACT

The Digital Personal Data Protection Act envisages a Data Protection Board of India.[6] The Board shall have the power to direct mitigatory and remedial measures to correct personal data breaches. The Act provides for the Board to conduct inquiries into complaints of data breach and impose penalties. The Act empowers the data principals, the individuals to whom the personal data relates, with several rights such as the right to access a summary of personal data that is being processed and the right to correct, complete and update the processed data. The Act empowers citizens to control their personal data and ensures accountability on the part of organisations, thus playing a vital role in shaping India’s digital landscape.

AUTOMATED PROCESSING v. MANUAL PROCESSING

Automated processing refers to the use of software that processes data without any human involvement. The technology used in automated processing could comprise computers and software which perform processing-related tasks such as collection, storage and analysis. The Digital Personal Data Protection Act defines ‘automated’ as any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data. The use of technology to process data makes the process smoother and more efficient.

Manual processing of data means that the processing is done entirely by human beings, without using automatic technologies or software. It is a basic form of data processing and is labour-intensive. Data is manually collected and moved from place to place and is processed by individuals. It is more time-consuming and could be more prone to errors owing to human fallibility.

Under the DPDPA, "processing" applies exclusively to operations (such as collection, use, storage, or transfer) conducted on digital personal data that involve full or partial automation. Consequently, unlike the GDPR, the DPDPA does not aim to govern any processing activities that are entirely manual or non-automated.

  1. The Digital Personal Data Protection Act, 2023 Section 2(x).
  2. The Information Technology Act, 2000 Section 2(o).
  3. The Digital Personal Data Protection Bill, 2022 Section 2(16).
  4. Article 8 of the African Union Convention on Cyber Security and Personal Data Protection.
  5. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Article 12.
  6. The Digital Personal Data Protection Act, 2023 Section 18.