By Arya Tripathy on 3 Jan, 2020
Empowering data principal to exercise certain rights vis-à-vis their personal data is a fundamental element for creation of a robust data protection framework. Exercise of data principal rights is aimed at strengthening an individual’s informational privacy, providing them with autonomy and control over the processing cycle and in turn, boosts transparency and accountability. Chapter V of the Personal Data Protection Bill, 2019 (PDP 2019) deals with data principal rights and mechanism for exercising them. This Post aims at analysing the scope of the contemplated rights regime and its potential impact for organizations.
1 Existing framework: The concept of vesting an individual with legal rights concerning the processing of personal data is not new. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules) permit an individual to review personal information collected and seek rectification. It states that any organization acting on its own or through a third party must permit review of personal information provided when requested by the concerned individual. Additionally, organizations must ensure that inaccurate or deficient personal information is corrected or amended as feasible. However, the IT Rules clarify that such organizations have no responsibility for ensuring authenticity of the personal information provided. This essentially means that where an individual provides updated information, organizations depending on feasibility must rectify the processed information, without any obligation of verifying the authenticity.
The awareness around the right to review and seek correction is limited. While there is a theoretical possibility of their exercise, the IT Rules do not elaborate on whether processor entities are obligated to comply with individual’s requests directly, the timeline and mechanism for enforcing these rights. This gives organizations the flexibility to provide for their own implementation tools and processes as part of their privacy and informational security practices. Typically, organizations allow individuals to make written requests addressed to the grievance officer or any other designated data officer, and very few opt for consent and personal information dashboard or utilize consent manager1 tools to facilitate access rights.
2 Rights under PDP 2019: Clauses 17 to 21 of PDP 2019 provide for 6 data principal rights – (i) confirmation, (ii) access, (iii) correction, completion or updation, (iv) erasure, (v) data portability and (vi) forgotten. These rights impose corresponding obligations on the data fiduciary to comply with requests made by the principal, provided that in course of fulfilling the requests of one principal, the fiduciary does not harm rights of another principal. The draft 2018 bill provided for 5 rights and did not contemplate data principal’s right to seek erasure.
• Right to confirmation means a principal has a right to obtain confirmation from the fiduciary that her personal data is being processed or has been processed. The confirmation must be provided in a clear and concise manner that is easily understood by a reasonable man. Right to confirmation forms the basis for all other rights and was provided in the draft 2018 bill. Similar right to confirmation is allowed to individual data subjects under the European Union General Data Protection Regulations (EU GDPR).
• Right to access enables the principal to seek access to the following:
- personal data being processed or that has been processed, or a summarised report;
- summary of the processing activities performed with respect to her personal data;
- any information that is required to be provided in a notice at the time of collection or as soon as reasonably practicable before commencement of any other processing activity such as nature and categories of personal data, source, possibility of cross-border transfer, procedure of grievance redressal, etc.; and
- identities of all data fiduciaries with whom personal data has been shared along with the categories of personal data provided.
The accessed information must be provided in a clear and concise manner that is easily comprehensible for a reasonable man. The draft 2018 bill proposed a limited right to access where principal could only seek access to information under a priori notice, and brief summary of the personal data processed and processing activities. PDP 2019 enlarges the scope of right to access by obligating fiduciaries to provide detailed log of personal data processed if required by the principal. This revised scope is akin the right to access under EU GDPR which allows data subjects to have access to personal data, purposes of processing, categories of personal data processed, recipient details, retention period envisaged, and other details. • Right to correction, completion or updation refers to the principal’s right to rectify personal data processed. It provides that having regard to the processing purposes and subject to conditions that may be prescribed by the Data Protection Authority (DPA), a principal can require the fiduciary to
- correct inaccurate or misleading personal data;
- complete incomplete personal data; and
- update outdated personal data.
In the event that the fiduciary factoring the processing purposes disagrees with requested correction, completion or updation, it can reject principal’s request by providing adequate justification in writing. If the principal is not satisfied with the rationale provided, principal may require the fiduciary to take such reasonable steps to indicate alongside the relevant personal data that the authenticity and accuracy is being disputed by the principal. Further, the fiduciary after correction, completion or updation must take all necessary steps to ensure that the change is notified to all relevant entities to whom such personal data is disclosed, specifically if such change is likely to have an impact on principal’s rights, interests and decisions. The proposed scope of right to rectification is similar to the draft 2018 bill and EU GDPR.
• Right to erasure is principal’s right to seek erasure of personal data where it is no longer necessary for processing purposes. Similar to the right to correction, completion or updation, here also, the fiduciary can refuse to erase where it disagrees with principal’s request, provided it gives adequate justification in writing. In such scenario, the principal may require the fiduciary to take reasonable steps to demarcate the concerned personal data as being disputed by the data principal. Furthermore, fiduciary must take necessary steps to notify erasure to all relevant entities with whom personal data was shared.
The draft 2018 bill did not recognize principal’s right to seek erasure. It provided for right to be forgotten, which is explained subsequently. In fact, the recommendations of Justice Srikrishna committee do not refer to principal’s right to seek erasure, and only elaborate on the scope of right to be forgotten in the Indian context. In our opinion, the committee viewed both rights as distinct ones, which may not be entirely correct. As it may be, PDP 2019 recognizes this right which is akin to data subject’s right to erasure in certain circumstances under EU GDPR. It is worth noting here that right to erasure and right to be forgotten are one and the same under EU GDPR. The inclusion of erasure right under PDP 2019 is in line with evolving global jurisprudence that views an individual’s right to demand erasure of data as a facet of nformational privacy and control over personal data. However, PDP 2019 continues to retain the right to be forgotten as a separate right and this could create confusing interpretations.
• Right to be forgotten is principal’s right to restrict or prevent continual disclosure of personal data by a fiduciary. This right can only be exercised when (i) there is no necessity for continual disclosure bearing in mind the purpose of collection and disclosure, or (ii) where consent has been withdrawn, or (iii) where disclosure is made in breach of PDP 2019 or any other applicable law. Further, the right can be enforced when the principal makes an application and obtains approval from the adjudicating wing of DPA. While granting principal’s application, the adjudicating officer must consider the sensitivity of personal data, scale and nature of disclosure, degree of accessibility, role of principal in public life, relevance of personal data to public, and impact of the restriction on fiduciaries activities. In essence, right to be forgotten under PDP 2019 means principal’s right to limit disclosure and not any other form of processing such as storage, analysis, etc. Similar right was provided under the draft 2018 bill.
It is unclear as to why a principal would exercise right to be forgotten when it can opt for a right of erasure where the processing purposes have been achieved or where consent has been withdrawn. In our opinion, the right to be forgotten is a misleading nomenclature that is likely to create interpretational and implementation issues as its scope is not in line with the common perception around right to be forgotten. Instead, it may have been prudent to structure the afore described right as right to restrict processing of personal data.
• Right to data portability permits the principal to
- receive personal data provided, or generated in the course of provision of goods or services, or that which forms part of the individual’s profile, or that which has been otherwise obtained in a structured, commonly used and machine-readable format from the fiduciary; and
- require transfer of such personal data to any other fiduciary.
However, right to data portability will not apply where personal data is not processed through fully automated means, or where processing is for functions of the state, or if compliance would reveal fiduciary’s trade secret, or where it is not technically feasible. The right to data portability is substantially borrowed from EU GDPR and similar portability right was also provided in the draft 2018 bill.
3 Implementation mechanism: For exercise of all the above mentioned rights, except the right to be forgotten which can only be enforced with prior approval from DPA’s adjudicating wing, the following mechanism is proposed:
- Principal must make a request in writing directly to the fiduciary or through a consent manager; the draft 2018 bill proposed that DPA will prescribe the form in which principal can make requests, but this has been omitted in PDP 2019.
- The request must provide necessary information substantiating principal’s identity.
- When request is made, the fiduciary must acknowledge the receipt within such time period as may be specified by DPA through regulations.
- Fiduciary may charge such fee as may be prescribed for complying with principal’s requests, except that no fee shall be charged for right to confirmation, access to personal data processed or being processed or its summary, correction and completion; there is some
- ambiguity in the manner PDP 2019 is drafted and it is unclear if fiduciary can charge fees for right to updation and erasure2.
- Fiduciary must comply with the request made within such time frame as will be prescribed by DPA through regulations; the draft 2018 bill proposed 90 days.
- If the fiduciary refuses to satisfy the request, it must provide reasons in writing to principal and inform the principal regarding her right to file complaint with DPA
4 Analysis: The IT Rules provide an individual with bare minimum rights, and owing to the lack of awareness, they are rarely exercised. This has allowed organizations dealing with personal information to maintain flexible processes around retention, storage, retrieval, and access to processed information. PPD 2019 aims at expanding the scope of principal’s rights and consequently, ensure principal’s control and autonomy on how personal data is processed.
While this is likely to foster transparency and accountability, fiduciaries will have to revisit their existing practices factoring the rights and invest in technology enabled tools to equip themselves. Existing data processing systems may have to be reviewed and possibly revised, so that organizations can swiftly identify and trace copies of personal data relating to a particular data principal. Organizations may have to adopt policies that streamline grounds, and also consider alternative options such as de identification and anonymization techniques to justify situations where principal’s requests are being refused. Privacy policies and terms of use have to be updated to accommodate the rights. Simultaneously, detailed logs for different stages of processing, specifically regarding disclosure with other fiduciaries and processors and the underlying purpose for such sharing must be maintained with accuracy. In all, the proposed rights under PDP 2019 will require a thorough review and potential overhaul of how organizations process personal data where it will be imperative to focus on implementing mechanisms that enable compliance with principal’s right requests.