India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee that comprised of members of both Houses of the Parliament (“Committee”).
On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.
Part 6 of this series closely looks at the “Rights of Data Principals” under the PDPB Bill.
DATA PRINCIPAL RIGHTS
-
-
- Right of Confirmation and Access to Information:
- (a) Data principals have a right to:
-
- (i) seek confirmation on whether the data fiduciary is processing or has processed personal data of such data principal;
- (ii) access all personal data being processed or a summary of such data;
- (iii) be provided with information of processing activities undertaken with respect to their data;
- (iv) access such information in a clear and concise manner easily comprehensible to a reasonable individual in a similar context; and
- (v) access the identities of the data fiduciaries with whom personal data has been shared by any data fiduciary, together with the categories of personal data shared.
(b) While the PDPB was silent on the privacy rights of deceased individuals, the Committee has identified a need for data principals to have specific rights upon death. Accordingly, data principals have the right to nominate legal heirs or representatives as nominees who can exercise specific rights on behalf of data principals upon their death.
-
- Right of Correction and Erasure:
- (a) Data principals have a right to:
-
- (i) correct inaccurate or misleading personal data;
- (ii) complete and update personal data; and
- (iii) seek the erasure of personal data if the purpose of collection is satisfied,
(b) Data fiduciaries must take necessary and practicable steps to notify any correction, completion, updation, or erasure of any personal data to all entities to which they have disclosed such data.
-
- Right to be Forgotten:
-
- (a) Data principals have the right to apply to the Authority to restrict the continued disclosure or processing of their personal data by a data fiduciary if the data:
-
- (i) has served its purpose or is no longer necessary for the purpose;
- (ii) is not permitted to be processed due to withdrawal of consent; or
- (iii) is processed contrary to any applicable law.
- (b) An “adjudicating officer” appointed under the Bill may grant the request to be forgotten on the following grounds:
- (i) the sensitivity of the personal data;
- (ii) the scale of disclosure or processing and degree of restriction of accessibility sought;
- (iii) the data principal’s role in public life;
- (iv) the relevance of such personal data to the public; and
- (v) nature of disclosure or processing and impact on the activities of the data fiduciary.
- (c) This right cannot be exercised unless the data principal proves that their right to prevent the continued disclosure or processing of their personal data overrides:
- (i) the right to freedom of speech and expression, or the right to information of any other citizen; or
-
(ii) the right of the data fiduciary to retain, use and process such data in accordance with the Bill.
-
-
- Right to Data Portability:
Data principals have the right to receive data in a structured, commonly used, and machine- readable format if the processing has been undertaken through automated means and transfer this data to any other data fiduciary, except where:- (a) processing is necessary for state functions, compliance with the law, any judgement or order of any court, quasi-judicial authority, or tribunal; or
-
(b) compliance would not be technically feasible by the data fiduciary. The Authority will prescribe regulations to guide such decision making.
- Exercise of Rights and Grievance Redressal:
As a general process, data principals may exercise their rights either directly to the data fiduciary or through a consent manager (which is a data fiduciary that enables data principals to give, withdraw, and otherwise manage their consent). A request to exercise the right to be forgotten, however, must be made to the Authority. Data fiduciaries must comply with these requests in accordance with the timelines and processes specified by the Authority; any refusal to act upon such request must be accompanied by a written explanation. Data principals have the right to file complaints with the Authority if a data fiduciary fails to comply with a request. -
- Right of Confirmation and Access to Information:
-
Key Divergence from the PDPB
Data principals have the right to nominate legal heirs and representatives to exercise specific data principal rights in the event of the death of a data principal.
The exercise of the right to be forgotten must be balanced with the right of data fiduciaries to retain, use, and process personal data in accordance with the provisions of the Bill.
