With our recognized leadership in applying legal service and technology innovation.
The proposed Digital Personal Data Protection has seen a major shift in its applicability over publicly available personal data. The 2022 version of the Bill allowed the processing of publicly available personal data without exclusive consent if it was of public interest. The interpretation of the “personal interest” in the Bill was quite strict to allow Data Fiduciaries to use it as a loophole to process publicly available personal data without consent.
However, the latest 2023 version takes a contrary approach that comes as welcome news for the businesses involved in profiling and processing personal data. The Bill explicitly states that it does not apply to the processing of publicly available personal data.[1] However, it does not define what publicly available personal data constitutes. Importantly, the business could face severe penalties if the personal data was not “publicly available” but processed under this purview. A global perspective may shed some light until the law is clearly laid in the form of rules.
The California Privacy Rights Act (CCPA 2.0), defines “publicly available information” as
“Information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.”
Implying, that the information available on the social media of a user can be utilized without disclosing to the user as publicly available information. However, it should not be limited to a a “specific audience” which means that social media has to the public for undisclosed or unconsented processing.
The Information Commissioner’s Office, the UK’s body to enforce privacy rights (including GDPR) provides that publicly accessible sources include social media, open electoral register, etc.
Thereby, it is safer to assume that the personal information that is made available by the government to the public and the personal information shared by a Data Principal in the public domain with no restriction can be considered “publicly available personal data” under the 2023 version of the Bill, until further clarifications are provided by the government.