Cryptocurrency to Cryptography: Analyzing the DPDP Act vis-à-vis Blockchain Startups
[Priyansh and Rujhan are students at Institute of Law, Nirma University.]
The Digital Personal Data Protection Act 2023 (Act) was passed by Parliament recently. Since the Digital Personal Data Protection Bill 2023 (Bill) was tabled in Parliament, a plethora of analytical articles have drawn out the similarities between the EU's General Data Protection Regulation (GDPR) and the Bill, and some of them also suggested a few amendments to be incorporated in the Bill before it became legislation. It is pertinent to note that the novel Act is heavily inspired by the GDPR, and the rationale behind this is conspicuous, i.e., the latter is one of the most stringent laws regarding data protection and privacy.
The drastic developments witnessed in blockchain technology have made the general public aware of the interplay between one's privacy and blockchain profits. The startup culture has extended into this arena too, and one such booming startup idea is developing software for facilitating cryptocurrency taxation. Cryptocurrency exchange platforms like WazirX, Binance, etc., share a common problem: the transaction history of a user's wallet is difficult to comprehend. These startups, which operate Software-as-a-Service (SaaS) portals, aid their users in organizing their transaction history to ascertain their profit/loss on each transaction. Such financial analysis can help users file income tax returns on their income from cryptocurrency trading.
However, these startups inevitably require some personal information from their users at the account creation stage. It is also pertinent to note that these startups must inter alia possess the transaction history of their customers, which compels one to contemplate the privacy concerns regarding the misuse of personal data. The GDPR, upon which the Act is based, has certain safeguards against alleged 'data selling' and similar clandestine activities; nevertheless, there are some pressing concerns which are not addressed in the Act per se.
Exploiting the Law: The Inevitable Loopholes
There are certain aspects of a legislation that require great scrutiny to ascertain whether the said legislation will be efficacious or not. If a bill is not deliberated extensively, it can have far-reaching adverse implications once it becomes legislation. We have identified some fundamental flaws in the conceptual methodology adopted in privacy frameworks across different countries. The protagonist here is the Act, but the article would not be justified if it did not analyze the most praised privacy law, i.e., the GDPR.
Processing: Is the purpose righteous?
The definition of 'processing' used in the Act is heavily borrowed from the GDPR. An entity processes 'personal data' if it performs operations like storage, retrieval, collection, structuring, etc., on the personal data. Companies with portals require their users' personal data to create an account, which is necessary for providing their services. The Crypto-Taxation software collects personal data at the 'Signing Up' page. Once users connect their e-wallet to the portal after the sign-up, the overlooked shenanigans emerge. The Act stipulates that entities that receive online data of Indian residents will be subjected to it. However, a blockchain startup has to comply with all the existing privacy laws because citizens of any country can sign up for its services.
Turning to the precautions, a safeguard against retention of personal data is incorporated in the Act under Section 7(a), which mandates the data fiduciary (entity ascertaining the purpose of processing) to delete personal data once the purpose for which it is collected is fulfilled. It can be argued that once a user provides their personal information (personal details and e-wallet transactions) to the portal, the algorithm starts delivering the output on the dashboard of the portal. The processing of data, i.e., collection, recording, storing, organizing, structuring, etc., is a perpetual process because even if the user is not active on the dashboard all the time, the portal will be functional until the point of account deletion. People have this dreadful tendency to neglect the existence of their accounts on such websites, even after they become passive on them. This signifies that personal data can be stored in identifiable form till the account is permanently deleted from the website.
A solid countermeasure for protecting users from this quagmire is the automatic delinking of a user's e-wallet from the portal after inactivity for a particular duration. This will ensure that financial data cannot be retained by companies for illicit purposes. The processing of personal data (by means of storage) will be restricted to the period of activity on the portal, thus rendering the purpose of further retention void.
Data anonymization: Masking the wicked intent
Under Section 7(a) of the Act, apart from the mandate to delete personal data, an alternative can be inferred in which a data fiduciary can discharge its obligations when the purpose of data processing is finished. The term 'personal data' in Section 7(a) of the Act signifies that 'pseudonymization' as a practice will be resorted to in the Indian framework. The process includes delinking personal identifiers from personal data and keeping these identifiers separate from the remaining data.
It is pertinent to note that pseudonymized data is considered personal data under the European framework, and for that reason processing pseudonymized data attracts the provisions of GDPR. The rationale behind such classification is that the process of pseudonymization is generally reversible, i.e., the data principal can be identified through pseudonymized data by reverse engineering (linking it to the missing variables of the original data set).
On the contrary, the Act suggests that pseudonymized data is not personal data because the definition of personal data under the Act indicates the removal of personal identifiers from a set of data to render it non-personal. Data companies can utilize such practices (pseudonymization) after account deletion to retain personal data in a form that does not enable an individual to identify a data principal from a given set of data per se. People who opt for account deletion are not aware of the backdoor tactics these companies use to sell their personal data to third parties even after their account is deleted from the respective websites.
Data transfer: Distinguishing collection from transfer
Section 16 of the Act allows the central government to restrict the transfer of personal data to third countries through notification to that effect. It is to be noted that European law has express grounds on which data transfer to third countries is valid, which prompts the inclusion of several grounds on similar structures in the Act to reduce ambiguities.
The Act is so negligently drafted that the authorities did not include the meaning of data transfer in it. Data transfer to third countries is explained in the EDPB guidelines, and within its purview, the route for transfer must have controllers/processors at both ends. The importer of personal data must be present in a third country.
The Data Protection Board of India should also be empowered to issue guidelines to foster privacy and avoid potential regulatory arbitrage. In the EDPB guidelines, it was clarified that data collection is not data transfer. For instance, if an Australian company receives data from the user itself at the time of sign-up and e-wallet linking, then such flow of data across international boundaries is not data transfer but only data collection. Hence, it is outside the ambit of the data protection framework. In the said setup, people fail to comprehend that the collected data is mostly stored on third-party servers. Amazon, Google, etc. are major providers of cloud and database services, which means that if a user is signing up on a portal for calculating blockchain income, then his data is being stored on servers of Google or Amazon, which act as data processors for such SaaS portals.
As discussed above, data can be retained in a pseudonymized form even after account deletion. Consequently, such retention could be done by processors after providing a monetary consideration to data fiduciaries/controllers as a quid pro quo for such agreements, irrespective of the obligation of a data fiduciary to cause its data processors to delete personal data after its purpose is fulfilled, as stipulated in Section 7(b) of the Act. It is to be noted that once a set of data is pseudonymized, it is no longer categorized as personal data, at least in the Act, which potentially creates an arrangement to transfer data across countries without following the requisite compliance. The said data can later be converted to its original form.
The market of cryptocurrency is going to explode in the next few years. With the upscaling of this new market segment, the thin line between respecting one's privacy and breaching it willingly or unwillingly will vanish. As influential as it is, the GDPR still has some minor drawbacks which must be taken into cognizance. It is submitted that the Indian lawmakers did not pay heed to the existing data scams across the globe while preparing a draft for the privacy legislation. However, since the Act has been passed, which is itself commendable, it gives us hope that the lawmakers will further act cautiously while treading this imperfect road.