含羞草社区

With the Digital Personal Data Protection Act, 2023 (DPDPA), soon to be brought into force, individuals will see greater protection of their personal data. However, a seemingly extensive category of such data will be entirely exempt from scrutiny – “publicly available” data, which is data relating to an individual that is caused to be made public either by the individual themselves or by an entity under a legal obligation.

This exemption appears to offer relief for businesses that scrape or mine publicly available data, such as those training algorithms or building profiles. However, this may not be the case. Hurdles to availing the exemption include the source of the information, and the scope of the publicly available data itself.

Businesses will not be able to indiscriminately scrape data from publicly available sources, because availing the exemption first requires verification of the source of the personal data. Automated tools may fail to verify whether individuals themselves have permitted the publication of the data, and businesses may have to use potentially arduous manual means to ensure that personal data is collected only from sources listed in the exemption. Despite such efforts, businesses will still find it difficult to determine whether an individual has caused their personal data to be made available in cases where a third party has undertaken its publication.

It is ambiguous what “causing” personal data to be made publicly available entails. For instance, personal data about an individual may be published by their employer or a news outlet, based on other permitted grounds of processing, without the individual’s consent but with their knowledge. It is unclear in such cases whether the individual has “caused” the personal data to be published by virtue of being notified in advance of such publication.

Standards of consent under the DPDPA are high and implied consent is not legal grounds for processing. In this context, it is unsettled whether an individual’s knowledge of their personal data possibly being made publicly available will exempt that data – for instance, in case of paparazzi photos.

In the absence of guidance, the perimeters of what constitutes “publicly available” are blurred. By way of illustration, an individual may provide their personal data to an organisation without restricting it to a specific audience. If another business obtained such personal data directly from the concerned organisation, and not from a public source, will such data be considered publicly available? The California Consumer Privacy Act answers this question in the affirmative, but the position under the DPDPA is murky.

Another problematic circumstance may arise in case of publicly available personal information that is subsequently made private. For example, a user may have a public profile on Instagram, but thereafter make their profile private. Similarly, individuals may delete their social media posts or other public personal data. If personal data was once publicly available, it is uncertain whether it can continue to be processed even after it is no longer public.

Additionally, a user’s social media activity may be considered public to a certain extent. For example, comments on public posts on Facebook are also public, as a Facebook account is not necessary to access them. Such data may be useful for purposes such as profiling or targeted advertising, but its status under the exemption is similarly unresolved.

Concerns may also arise in relation to widely distributed personal data, which is considered “publicly available” under California law. This could include “private” social media profiles of those with extremely large numbers of followers, possibly in the millions, as well as WhatsApp broadcasts or other media that actively call for widespread sharing. In such cases, the scope of what constitutes wide distribution may be in dispute.

In the light of its ill-defined scope, the applicability and even utility of the exemption remains undecided. Given the deficiency of global jurisprudence in this regard, the rules to be issued under the DPDPA should clearly define the precise parameters of the exemption. At this stage, businesses ought not to rely on their ability to avail this exemption once the law is implemented. Data fiduciaries should identify alternate legal grounds to process personal data and gear up for overall compliance.

Ada Shaharbanu is a senior associate and Archita Sharma is an associate at Spice Route Legal.