India: Exploring Property Rights In Personal Data

Introduction

Privacy of personal data is a relatively new legal concept, one which has taken form with the advent of the post-industrial era. Laws which relate to personal data are 'work in progress' and are constantly evolving. However, despite its relative youth, there is no doubting the importance personal information plays in modern life, and the imperative need to protect such data. In this context, we seek to explore whether personal data or information of a person can be or should be classified as "property" as understood under the existing Indian laws, and whether such classification would provide better protection for personal data or offer any other benefit to data principals or to other stakeholders, such as data fiduciaries.

Types of Properties

Traditionally, property has been classified into two types, namely tangible property and intangible property. Tangible property can be further subdivided into moveable and immovable property. Immoveable property consists of land and anything immoveable affixed to such land, such as buildings. Any property which is not immovable is treated as movable property and these range from furniture to personal belongings such as clothes to computers. There is some debate on whether plant and machinery are movable or not, since they can be, with some effort, moved, even if they are affixed to land. In the case of Sirpur Paper Mills Limited v. Collector of Central Excise, Hyderabad, AIR 1998 SC 1489, the Supreme Court of India ("Supreme Court") ruled that a paper machine, assembled at site mainly with the help of components bought from the market was a movable property. The court observed that just because a plant and machinery are fixed in the earth for better functioning, it does not automatically become an immovable property. In the case of Duncan Industries Ltd. v. State of U.P, (2001) 1 SCC 633 the Supreme Court examined a fertiliser plant which was embedded permanently in the ground and held it to be immovable. Things attached to the land that may become moveable by severance from the earth, for example a cartload of earth, or stones quarried and carried away from the land, becomes movable property.

Shares and other securities are also treated as moveable properties, since they have traditionally been evidenced by a share or debenture certificate. Even dematerialised securities are treated as tangible property since, they are represented by an underlying certificate, usually a jumbo one. Goodwill and intellectual properties such as patents, copyright, trademarks, geographic indicators are examples of intangible property.

Existing Definitions and Salient Features of Property

Section 3 (26) of the General Clauses Act, 1897 defines "immovable property" to include land, benefits to arise out of land, and things attached to the earth, or permanently fastened to anything attached to the earth. Section 3 (36) of General Clauses Act, 1897 defines "movable property" to mean property of every description, except immovable property. Section 2 (11) of the Sale of Good Act, 1930 defines property to mean the general property in goods, and not merely a special property. Section 22 of Indian Penal Code, 1860 ("IPC") defines moveable property to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything, which is attached to the earth.

The most important feature of property, whether tangible or intangible or whether moveable or immovable, is that it can be transferred or devised from one person to another. Such transfer may be accomplished with or without consideration. In many cases, a transfer of property has to comply with various legal requirements such as making the transfer in writing or payment of stamp duty or registration of the instrument of transfer, etc.

A transfer of property may also be for the purpose of creating a security, such as a pledge or mortgage or hypothecation. A lease results in the transfer of possessory rights over a property, for a fixed period, even as the title to the property remains with the lessor. A licence granted over real property, may permit the licence holder to occupy such property in a manner not unlike a lessee, but with lesser rights. If the property is intangible, such as a patent or a copyright or a trademark, the licence holder may exploit the patent or copyright or trademark for commercial purposes.

In the case of Vikas Sales Corporation v. Commissioner of Commercial Taxes, AIR 1996 SC 2082, the Supreme Court analysed the term 'property' as "that which is peculiar or proper to any person; that which belongs exclusively to one." .. "More specifically, ownership, the unrestricted and exclusive right to a thing; the right to dispose of a thing in every legal way, to possess it; to use it, and to exclude everyone else from interfering with it...... The word is also commonly used to denote everything which is the subject of ownership, corporeal or incorporeal, tangible or intangible, visible or invisible real or personal everything that has an exchangeable value or which goes to make up wealth or estate. It extends to every species of valuable right and interest and includes real and personal property, easements, franchises and incorporeal, and includes every invasion of one's property rights by actionable wrong."

What is Personal Data?

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") define 'personal information' as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. The new Personal Data Protection Bill, 2019 ("PDP Bill") proposed to replace the SPDI Rules defines 'personal data' as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling. To summarize, any information, personal to a person, including name, which identifies a person, is personal data.

Ownership of Data

In August 2017, the Supreme Court in the iconic judgement of Justice K.S Puttaswami v. Union of India, AIR 2017 SC 4161, recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India. The Supreme Court observed that "informational privacy" is a facet of the right to privacy, and that an individual has control over the dissemination of material which is personal to him. It further recognized the right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them online and to disseminate certain personal information for limited purposes alone.

It is widely understood, and rightfully so, that personal data of a person is owned by that person. This right is also protected by laws such as the SDPI Rules, the IPC and the Information Technology Act, 2000. In certain instances though, an argument may be made that in such data could be owned by many people. For example, where a person invests in mutual funds, the investment history, and details of the investment could belong to various entities, such as the investor, the investor's family, fund manager, custodian, trustee, internet companies, website traffic tracking agencies, etc. In such a case, we need to understand how property rights in such data will be allocated and who the owner of such data is. All these entities have different rights and obligations with respect to such data, including under different laws.

In Chandrakant Manilal Shah v. CIT, (1992) 1 SCC 76, while discussing the contribution of a partner of a proprietorship firm, the Supreme Court observed that like a cash asset, the mental and physical capacity generated by the skill and labour of an individual, is possessed by or is a possession of such individual. As previously discussed, anything which has a money value or exchangeable value or which achieve a benefit for the individual may be considered as property. Thus, it can be argued that collection, processing, and dissemination of personal data by data fiduciaries,¹ with the consent of relevant data principals,² (or data subject, if one uses terminology used by the General Data Protection Regulation, 2016) or as may be permitted by law, and compiling such personal data into meaningful databases, requires or is a result of skill and labour, and such databases could be considered property. However, to give rights over such databases to the data fiduciaries, which are superior to or override the rights held by relevant data principals, may not be tenable. Data fiduciaries can only be considered as trustees of such processed personal data since the data principals own such personal data. At best the data fiduciary may be provided a copyright in the databases, but the rights in the personal data itself must belong to the data principal.

Mapping Personal Data to Traditional Features of Property

If one were to compare a data principal's rights with that of the owner of a piece of real estate, it quickly becomes very clear that the former is not a patch on the latter.

Can title to personal data be transferred?

Assuming that the data principal has title to his or her personal data, such title cannot be transferred by the data principal to any other person on the lines of traditional transfer of property rights. Imagine trying to irrevocably transfer one's date of birth or the names of one's parents or spouse or children or details of one's medical history to a third party. For starters, these pieces of personal data are worthless in the hands of a third party, unless it is a part of a wider database. Also, after such a transfer, would the original owner cease usage of his date of birth? Or forget the names of this parents or spouse or children?

Comparing "consent" with a "licence"

When a data principal grants consent to a data fiduciary for the use of his or her personal data, the data principal or owner is granting the data fiduciary the equivalent of a licence to use such personal data for a specific purpose. Thus, "consent" in the context of personal data, is comparable with a "licence" over property. The use of a data principal's personal data by a data fiduciary who has received consent for such usage, is not very unlike the use of intangible property (such as a patent or a copyright or trademark) by a licensee. Usually, the transfer of a licence results in gains for the licensor and the licensee. The licensor, who may be the owner, receives some consideration, usually in the form of cash or services, and the licensee gets the benefits of the transferred property as per the terms of the licence. In the case of personal data, the data principal who gives consent, usually benefits, directly or indirectly, in some form or the other, due to the data fiduciary processing his/her personal data. This benefit could be on account of the data fiduciary being able to understand the data principal's requirements and offering tailored services. The benefit to the data principal may also be because the data fiduciary processes such personal data for the benefit of a larger community, which includes the data principal. The data fiduciary gets the benefit of using the transferred personal data as part of a larger database or being able to offer bespoke services to the data principal.

Comparing the right to grant or withdraw consent with actionable claims

A receivable or an actionable claim is intangible property, recognised by the Transfer of Property Act, 1882. A receivable gives its holder the right to receive back or recover money from a debtor and can be transferred or assigned by the holder of the receivable to a third party, including by way of creation of a security interest. Currently, if a data principal gives his or her consent to a data fiduciary for the usage of his or her personal data, such consent may permit further transfer of such personal data by the original data fiduciary to a data processor or to a third-party data fiduciary. In parallel, the data principal also has the right to withdraw such consent.

It is possible that, if the current Indian legal regime were to be suitably modified, data principals may be able to irrevocably transfer to third parties for a specific period, their right to grant or withdraw consent on their behalf for the usage of their personal data. Such a transfer may be for valuable consideration and may not be related to any other transaction. The holder of such a right may be entitled to further transfer it to third parties, in a manner akin to the transfer of receivables.

The PDP Bill has introduced the concept of consent managers,³ who are data fiduciaries registered with the Data Protection Authority that provide interoperable platforms that aggregate consent from a data principal. Data principals may provide their consent to these consent managers for the purpose of sharing their information to various data fiduciaries and may even withdraw their consent through these consent managers. This is a unique construct and appears to have been introduced to support the Data Empowerment and Protection Architecture (DEPA) for financial and telecom data that currently powers the Account Aggregators licensed by the RBI. Until rules are framed by the PDP Bill, the exact mechanism under which these consent managers would operate shall not be clear. It seems likely that the data principals would have to pay or compensate the consent managers for the management of their consent.

It is not inconceivable that at some point in the future, the payment or flow of consideration could be the other way round, whereby the data principals grant consent managers, for a consideration, the right to give consent on their behalf to third party data fiduciaries under clear-cut parameters. In such a case, the consent managers would be entitled to and able to monetise the consent received from the data principals by selling or transferring the consent to third party data fiduciaries.

Individual names

The difference between "goodwill" and "reputation" is very slim. The former is property and is transferable, whilst the latter is not. In the same manner, the name affixed to an enterprise could be a trademark, registered or otherwise, whilst an individual's name, which is his or her personal data, is not considered to be intellectual property. Such name can, over time, in the case of a celebrity become a trademark, enabling the person to monetize his or her name. However, even if such name (with goodwill) is assigned to a third party, nothing prevents the celebrity from continuing to use his or her name. An individual's date of birth or gender or sexual orientation is his or her personal data and would not be, under any circumstance, as per existing law, become intangible property of any kind.

Should Personal Data be Formally Classified as 'Property'

Considering that personal data has some of the features of 'property', should it be formally classified as property? In the event personal data is classified as property, all the attendant rights and obligations available, are attracted, including offences in relation to any damage to or theft or misappropriation of that property, under the IPC. The response to this question above may be in the affirmative if the classification of personal data as property would confer better protection for personal data. However, classifying personal data as property in the traditional sense of the word, would commoditise privacy, and make it freely transferable and also easier to commercially exploit, and thus in fact may offer lesser privacy.

Quasi-property classification

It is interesting to note that all types of property (whether it be tangible or intangible) have the same basic hallmarks, such as the property holder's right to convey or transfer such property, pledge, mortgage or hypothecate or licence such property, etc. As discussed above, personal data does not have many of such characteristics. Therefore, if at all personal data is to be classified as property, we suggest that it be classified as 'quasi-property', of some form, and allocated a specific set of rights which are lesser than the entire basket of rights associated with property. This we believe is a much more practical classification, which protects the ownership rights of the data principals and the commercial interests of the data fiduciaries. Thus, personal data may be licenced, but cannot be sold or assigned as a whole, though specific rights relating to personal data could be pledged, assigned or even sold. For example, an individual may give another a licence to use his or her name and contact details for a specific purpose, such as for the provision of certain services to him, or say, inclusion in a commercial database that may be further licensed to a marketing company. A data fiduciary (for instance, a social media entity) may be able to obtain a loan by offering as security its rights over personal data under its control (subject to consent of the data processor). This security may be created by assigning the rights to a trustee, who would be contractually bound to transfer such rights to the lender in case of a payment default by the data fiduciary. A data fiduciary could permanently alienate its rights over personal data under its control to a third party, for consideration, provided it has the data principal's consent for such transfer.

Is a quasi-property classification for personal data more equitable than heavy handed statutory protection?

Data privacy legislations seek to strike a balance between data principals' rights and data fiduciaries' commercial and practical considerations. Over the years, the needle on this balance has swung much more in favour of the data principals. The PDP Bill is a lot more biased in favour data principals than the SPDI Rules or even the GDPR. It is expected that when the PDP Bill comes into effect, every business enterprise which processes personal data in the course of its operations will incur an enormous amount of expenditure towards the cost of compliance. Would it be possible to cut down on such costs without compromising on the protection afforded to data principals if personal data is classified as quasi property? If instead of treating personal data as a form of holy grail and merely treating it as "quasi property", which comes with a specific set of rights, are we likely to achieve a better balance between the rights of the data fiduciary and the data principal?

In our view, since personal data can at best be classified as "quasi property" and cannot be armed with all the standard rights linked to property, even through legal fictions or deeming provisions, it is impossible to envisage a situation where the existing suite of rights that accompany personal property can be bettered or at least effectively replaced with property or quasi property rights, even though, such a balance may be more equitable and fair to all stakeholders in the personal data ecozone.

Monetisation of personal data by data fiduciaries

The main impediment to the monetisation of personal data held by data fiduciaries is the data principal's right to withdraw consent. Even if at the time of collection of personal data a data fiduciary has obtained a data principal's consent for the transfer of such data to third parties, such consent may be withdrawn at any time. If it were possible for data fiduciaries to obtain irrevocable consent from data principals at the time of collection of personal data, it would be possible for personal data held by data fiduciaries to be monetised in accordance with the initial consent.

A formal quasi-property status, which is in addition to the existing suite of rights, but without the right to withdraw consent, will make it possible and commercially viable for data fiduciaries to monetise personal data and thus encourage innovation. However, monetisation of personal data is a far cry from the protection of personal data privacy. In fact, it goes against the grain of privacy being sacrosanct. As human beings come to better grips with data privacy laws and reach a better understanding of the realities involved, it may become necessary to facilitate the monetisation of personal data and for such purpose, a formal award of a quasi-property status for personal data may become imperative.

Footnotes