Data Protection Bill Series: A person’s right over data is compromised in the Bill
Editor’s note: The Data Protection Bill series carefully examines the various sections of the draft Personal Data Protection Bill, 2018 as laid down by the Justice Srikrishna Commission and submitted to MEITY for approval. This is Part VII of the series.
The rights granted to an individual under a data protection law play a key role in allowing him to exercise control over his own data. They may allow him, for instance, to prevent misuse of his data, or to decide what can be done with it. The rights provided under the Personal Data Protection Bill, 2018 allow an individual to find out what is being done with his data through the rights of confirmation, access and correction. However, these rights do not allow him to prevent any use or misuse of the data directly, except via the limited right to be forgotten.
Key rights such as the right to object, the right to restrict processing and the right to deletion are missing. The inclusion of these rights would have granted a direct remedy between the data principal and the data fiduciary; under the Bill, his sole option if he disagrees with the processing is to file a complaint with the Adjudicatory Officers to be appointed under the Bill.
Rights granted under the Bill
Chapter VI of the Bill outlines the rights granted. These include:
i) Right to confirmation and access: Under Section 24 of the Bill, a data principal can approach a data fiduciary and confirm whether his data is being processed by it, receive a copy of the personal data it holds, and receive information on the processing being done with it.
ii) Right to rectification: Further, under Section 25, the data principal can have the data corrected, completed or updated as necessary. All of these, except for the receipt of information on processing activities, must be provided free of charge. As per the Report accompanying the Bill, this applies to both input data (data provided by the data principal) and output data (profiles, etc., created by the data fiduciary).
iii) Right to data portability: Section 26 of the Bill allows a data principal to have his data transferred in a commonly used, machine-readable format. This includes transfer to another data fiduciary, and the data fiduciary may charge a fee for it. Further, this right applies only when the processing is automated. It also does not apply to processing by the State under Section 13 or in compliance with the law under Section 14.
iv) Right to be forgotten: Section 27 of the Bill further provides a right to be forgotten, in an approach similar to the commonly understood notion of the right to be forgotten in relation to Google search results. This is a right to prevent the disclosure of certain data, as opposed to the right to erasure provided under the General Data Protection Regulation (GDPR). The exercise of this right requires a determination by an Adjudicatory Officer that the data principal’s rights override the right to freedom of speech and the right to information of any citizen. Further, any person who is not satisfied with the conditions for restriction can approach the Adjudicatory Officer to review his order.
v) Right to transparency: The right to transparency has been provided via the requirement for a notice as well as through the transparency obligations under Section 30 (these will be discussed in the next part of this series).
Missing Rights under the Bill
As can be seen, the rights provided under the Bill are informational in nature. Any further step requires approaching the Adjudicatory Officer, instead of dealing directly with the data fiduciary. The only exception is the right to data portability, for which the data fiduciary can be approached directly; but even then, the data fiduciary cannot be stopped from retaining the data after it is transferred to another data fiduciary. The key rights that are missing, and that could have provided better protection, are:
The right to deletion
Among the missing rights, the key one is the right to deletion, which allows a data principal to withdraw his data from a data fiduciary. Under the Bill, in the absence of the right to deletion, the only limitation is the data storage limitation principle under Section 10, which requires the data to be erased once the purpose for which it was processed is completed. When this is the only limitation, however, it is easy to cite continuing purposes to retain the data, such as legal claims, maintenance of records, research and so on.
Article 17 of the GDPR, by contrast, allows a right to erasure under certain circumstances, such as where the processing is unlawful, consent is withdrawn or the processing of the data is no longer necessary. This allows the data principal to limit the uses to which his data is put. This right, however, has not been made available under the Bill. Only if the processing is unlawful or some other provision is violated can a data principal seek redressal through an Adjudicatory Officer.
The Report, in fact, does not discuss the right to deletion except in relation to the right to be forgotten. The absence of the right to deletion in relation to the right to be forgotten makes sense, but its absence from the Bill altogether does not. For instance, under the right to be forgotten, a person may want a search result about his conviction for a crime to be removed, but the public may have a valid interest in knowing of this conviction. This is why the right has to be balanced against the fundamental rights of others, and why the lack of a right to erasure in this particular context is acceptable. However, the lack of a right to erasure in the law altogether prevents the data principal from truly exercising control over his own data.
Right to restrict processing
The GDPR grants a further right in the form of the right to restrict processing under Article 18. This applies to specific situations where there is a basic need to retain the data, but a restriction is imposed on the uses that can be made of it. For instance, this may apply where the data is no longer required to be processed but must be retained for the defence of legal claims. It can also apply where the processing is unlawful but the data principal wishes to retain his data rather than have it erased. Such a right thus gives a data principal greater control and choice with respect to his data.
Right to object to processing
A related right is the right to object to processing under Article 21 of the GDPR. This allows the data principal to object, on grounds relating to his particular situation, to processing of his data that is justified on the grounds of public interest or legitimate interests. The data fiduciary then cannot continue processing the data unless it can show compelling grounds to do so.
Such a right, again, grants a data principal a certain freedom with respect to the uses his data can be put to. The Report states that this right was not included since legitimate interests and public interest are not provided as grounds of processing under the Bill. While this is true, and consent is the primary ground for processing (discussed in Part V of this series), several grounds of non-consent based processing and exemptions have also been provided under the Bill (discussed in Part VI of this series). There is no protection available to data principals against such processing.
The exception to exercise of rights for exemptions
Similarly, the rights are not exercisable for processing under the exemptions provided under the Bill, such as for research or for the security of the State. Under other data protection laws, the restriction of these rights for exempted processing is not so complete. For instance, under the GDPR, a derogation from the exercise of rights for processing for national security purposes has been allowed, but it is exercisable only where an EU Member State enacts a law to this end. Such a requirement restricts the purposes for which the exercise of the rights can be exempted, even under a security of State exemption.
Other Missing Rights
In addition to these crucial missing rights, some other rights that were discussed in the White Paper did not make it to the Bill, including:
Right against discriminatory AI decisions
Another missing right is the right against discriminatory AI (artificial intelligence) decisions. This right may not be very relevant at present, given that fully automated decisions are not as common here as abroad. However, it is likely to become so in the near future, given the increasing uses envisaged for AI. On this, the Report suggests that in the case of lawful but discriminatory automated processing, the data principal may go to court for a breach of fiduciary duties.
Right against direct marketing
Further, data protection laws normally involve a discussion on direct marketing, an activity that is normally permitted until a person objects to it. The Bill has not taken a position on this, but the Report recommends consent as the lawful basis for conducting direct marketing. This means that to object to direct marketing, consent will have to be withdrawn.
Rights against spam
Another key right that was missed is the right against spam. Formerly, a right against spam was found under Section 66A of the Information Technology Act, 2000. This, as is well known, was struck down by the Supreme Court in the Shreya Singhal judgment. The data protection law presented a good opportunity for creating a substitute provision against spam. Though this was discussed in the White Paper, the right did not make it to the Bill. Hopefully, TRAI’s Commercial Communication regulations will deal adequately with this issue.
Need to strengthen rights under the Bill
The Bill, thus, while envisaging a trust-based relationship between a data principal and a data fiduciary, does not provide the data principal with adequate rights to exercise control over his data. For any action, the data principal will be forced to file a complaint with the Adjudicatory Officer, which may both overburden the Adjudicatory Officers and leave data principals with a time-consuming and possibly expensive remedy. The rights provided under the Bill therefore need to be strengthened further.
The next part of the series deals with transparency and accountability obligations imposed under the Bill.
Part I: Quick overview of India’s draft data protection law
Part II: Understanding jurisdiction within and outside the country
Part III: The importance of defining personal data
Part IV: Data protection obligations on data fiduciaries
Part V: Standard of consent and processing of data
Part VI: Non-consent based processing by state and non-state actors
The author is a lawyer specialising in technology, privacy and cyber laws. She is also a certified information privacy professional.