Revisiting The Public Domain Exception Under the DPDP Act : Part I
Introduction
Indian data protection law has long assumed that privacy interests recede once information is made available to the public. This assumption has largely gone uncontested. However, the development of artificial intelligence (AI) technologies that employ web-scraping techniques has pushed lawmakers to reconsider this assumption.
Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), information that is “freely available or accessible in the public domain” does not amount to sensitive personal data or information (SPDI). As a result, information in the public domain is not protected in the way that SPDI otherwise is. The Digital Personal Data Protection Act (“DPDPA”) carries forward (and perhaps, expands) this logic. The DPDPA provides that it shall not apply to personal data in the public domain, if it is made public by (i) the person to whom the data relates or (ii) any person acting under a legal obligation.
The assumption that privacy interests subsist only insofar as information remains in the private domain is unjustified. The Indian Government appears to have recognised the dangers of such an exception in the context of AI. However, AI technologies only expose the weakness in an assumption that has scarcely been challenged in India. This article is an attempt to identify the conceptual weaknesses in the idea that privacy interests recede once information reaches the public domain. It argues that privacy interests are not inconsistent with the public domain, and that certain protectable interests ought to subsist even when information is made public. On this basis, it proposes a framework to evaluate whether uses of publicly available information are legitimate.
The next section of this article traces the public domain exception in legislative frameworks across the world. The third section identifies that the public domain exception falsely conflates privacy with secrecy, and certain protectable interests may subsist in the public domain. The fourth section concludes.
The Public Domain Exception
The public domain exception has been a part of the Indian data protection regime since the introduction of a data protection law. Under the SPDI Rules, information in the public domain was not subject to the same kind of protection that other kinds of SPDI were. Objections to the SPDI Rules generally conceded that information in the public domain would not amount to SPDI. However, the SPDI Rules attached obligations even against information that did not qualify as SPDI. While this position has been attributed to poor drafting, it is unclear whether it carried any implications for non-SPDI information in the public domain.
Following the judgment of the Supreme Court in K.S. Puttaswamy v Union of India, the Committee of Experts under the chairmanship of Justice B.N. Srikrishna (“Committee”) was constituted. The Committee was to study issues relating to data protection in India, to suggest principles underlying a data protection law, and to draft a bill. The Committee first published a white paper in 2017, which did not discuss the public domain exception.
In 2018, the Committee submitted a report and a draft bill. In its report, the Committee noted that conventional views of privacy do not see a protectable interest in information that is made publicly available. This view is called the “third-party doctrine” or the “plain view doctrine” in American jurisprudence. It assumes that by making one’s personal information public, one implicitly relinquishes any reasonable expectations of privacy.
Notably, European law does not assume that individuals who make their information public may not retain expectations of privacy. The General Data Protection Regulations (GDPR) does not exempt controllers from certain obligations such as providing information about the period of storage, categories of personal data concerned, and from which source the personal data originates. Under the GDPR, the processing of certain special categories of personal data revealing racial or ethnic origin, political opinions, religious beliefs, and other such information is generally barred, but is allowed where the data is manifestly made public by the data subject. This is, nevertheless, subject to a requirement that processing be lawful under the GDPR.
Interestingly enough, the Committee suggested that Indian position is more closely aligned to that of Europe than to that of America. The basis for this position is a judgment of the Supreme Court where it was held that documents shared voluntarily with a bank continue to remain confidential even if they are no longer in the customer’s possession. This is a rejection of the third-party doctrine under which protection is not granted to information made available to third-parties. However, this judgment does not appear to lend support to the position that privacy-related obligations subsist even when data is made publicly available.
Importantly, the European example illustrates that the public nature of information is not necessarily incompatible with privacy interests. It is possible that information in the public domain may yet be subject to certain kinds of privacy protections. The next section of this article evaluates the strength of the justification for the public domain exception.
Should Privacy Protections Operate in the Public Domain?
Preliminarily, legal protections are not conceptually inconsistent with information in the public domain. Copyright law, for example, does protect material that is publicly available. The relevant question is whether the purpose of privacy law is limited to protecting information that people choose to keep in the private domain. If the purposes of privacy law are served even where information is made public, then it may be the case that certain protections must be afforded even in such cases.
The public domain exception might seem intuitive, since the act of putting one’s information in the public domain might appear to belie an expectation of privacy. Along these lines, some such as Richard Posner have suggested that purpose of privacy law is simply to enable people to hide discreditable facts about themselves. However, privacy is not so much about hiding information as it is about drawing boundaries. People often do not keep their data entirely secret. Instead, they draw different boundaries in different contexts to decide how much personal information they want to divulge. For example, a person might be more comfortable revealing information about personal lives to their colleagues than to their employer. Since privacy is not about secrecy, the public domain exception cannot be justified merely by contending that the purpose of privacy protection is to enable people to hide their information.
Daniel Solove argues that privacy is not merely an individual interest, but rather a social value. Protecting individual privacy generally makes for a better social environment. He identifies that privacy performs several roles, including limiting the power of the government and companies, enabling reputation management, maintaining social boundaries, enabling persons to make fair decisions about their lives, and enabling freedom of thought and speech.
Of course, some of the interests that Solove identifies may reasonably be limited to the private domain. For instance, consider expectations of privacy that are attached to particular relationships (such as a doctor-patient relationship), and interests that are grounded in solitude or retreat. In these cases, the privacy interest is valuable specifically because it restricts the access of third-parties to the information.
However, many other privacy interests are valuable not because they restrict third-parties from accessing information, but instead because they allow people control over what may be done with their information. For example, it might seem like a stretch to say that by publishing a post on Instagram, you are implicitly comfortable with a bank using that information to assess your creditworthiness and to deny you a loan. The important conceptual point here is that the social boundaries of data flows are highly contextual. For this reason, privacy protections must necessarily also be contextual.
It is insufficient to reduce privacy protections to a question of whether information is still in the private domain. It is instructive to return to the example of copyright law here. Copyright law serves specifically to prohibit certain kinds of information flows and uses of information, and to permit certain others. Privacy protections should operate similarly.
Conclusion
The foregoing discussion demonstrates that the public domain exception rests on a mistaken premise. Privacy is not exhausted by secrecy, nor are privacy interests necessarily extinguished once information becomes publicly available. While public disclosure may justify relaxing certain expectations concerning access to information, it does not follow that all uses of such information become legitimate. Many of the interests protected by privacy law, including the maintenance of social boundaries, the limitation of informational power, and the protection of individual autonomy, continue to operate even where information has been voluntarily disclosed.
Recognising that privacy interests may subsist in the public domain, however, only resolves part of the problem. It establishes that publicly available information ought not to be categorically exempt from legal protection, but it does not explain the extent to which such protection should operate. The more difficult question is how to distinguish legitimate from illegitimate uses of publicly available information. The next part of this article will address some of these questions.
The author is a Year IV student at National Law University, Delhi.