In part 4 of the #DataProtectionTop10 series, we explore the issues with the user rights granted under the Bill and the provisions that affect the effective exercise of these rights. Certain rights under the Bill, specifically the right to correction and erasure and the right to data portability, are not absolute and contain significant exemptions. The Bill also fails to include certain rights like the right to object to the processing of certain personal data and the right to seek exemption from automated decision making. To address these concerns, we recommend certain changes to strengthen the rights of users.
Last time around, in part 3, we looked at how the consent architecture operated under the Personal Data Protection Bill, 2019. In this post, we will be looking at the various rights granted to users under the Bill and the issues with them.
In a data protection regime which claims to be rights-based, it is imperative that the users are given certain rights against the data fiduciaries. These rights are essential for the users to exercise control over their personal data. As we had noted in our explainer on the Bill, Chapter V of the Bill grants users the following rights:
- Right to confirmation and access: Users have the right to obtain their personal data as well as a summary of activities performed upon their data in a clear and concise manner.
- Right to correction and erasure: Users have the right to correct, complete, and update their personal data. Users also have the right to erase their personal data after it is no longer necessary for the purpose for which it was processed.
- Right to Data Portability: Users have the right to receive and have transferred to any other fiduciary their personal data as well as any data generated during the provision of services.
- Right to be Forgotten: Users have the right to restrict or prevent the disclosure of their personal data if it is no longer necessary for the purpose for which it was collected or if they withdraw their consent.
While it is true that these rights empower the users and protect them, the Bill also creates certain impediments to the exercise of these rights. Therefore, it is important that we discuss the issues with the rights available to the users under the Bill, as well as the provisions that make the exercise of the rights cumbersome.
The issue: Significant exemptions that curtail users' rights
The right to correction, completion, updation and erasure of personal data is contained in clause 18 of the Bill. This right is important as it enables the users to ensure the accuracy of the personal data that they gave to the data fiduciaries, as well as the data that the data fiduciaries use to create profiles or arrive at certain conclusions about the users. However, this right is not absolute. Data fiduciaries can reject requests for correction, completion, updation or erasure of personal data if they disagree with such requests. Given that this right is also an integral part of the data fiduciary’s obligation to maintain the quality of data, the data fiduciaries should not be given the power to reject the requests of users unilaterally.
Clause 19 contains the right to data portability, which enables the users to receive their personal data in a structured, commonly used, and machine-readable format. Like the right to correction and erasure, this right is also conditional, as the data fiduciary may deny a request for data portability on the grounds of technical infeasibility or protection of a trade secret. A request cannot be denied on the ground that compliance with the request would reveal a trade secret of the data fiduciary, as personal data is not a trade secret that belongs to any data fiduciary; rather, it belongs to the users, and control over it is a fundamental right of the users. There is no option for the users to challenge the decision of the data fiduciary when the request is rejected on the ground of technical infeasibility.
What rights are missing?
The Bill has left out a few important rights like the right to object to processing of certain personal data and the right to seek exemption from automated decision making. The right to seek exemption from automated decision making includes the right to object to automated decision-making and to access the logic behind such decisions. The object of this right is to protect the users against the prejudice and discrimination that results from algorithmic decision-making without any human intervention. Moreover, automated decision making affects the autonomy of users negatively.
This is a right guaranteed under the European Union’s General Data Protection Regulation (GDPR), a benchmark rights-respecting data protection legislation. Article 22 of the GDPR gives the users the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects on them. We have seen in recent years how entities like Ola and Uber use algorithmic pricing and profiling to discriminate against their customers. Therefore, it is important that we have the right to seek exemption from automated decision-making and profiling in our data protection law.
The right to object to the processing of personal data for direct marketing and related profiling is another right that is present in the GDPR (Article 21) but is absent in our data protection law. The rationale behind the exclusion of such a provision from the Bill, as can be gathered from the Sri Krishna Committee report, is that direct marketing can be done only with the consent of the users. Hence, if the users do not consent to direct marketing, the data fiduciaries cannot approach the users for the same. Consent provisions are not unique to the Personal Data Protection Bill; consent serves as the foundation of the GDPR as well. Yet the right to object to the processing of personal data for direct marketing exists only under one!
Solution: Strengthen user rights!
In order to strengthen user protection, it is also important that the users are given mandatory notice in the event of data breaches. Clause 25 provides that in case of a breach of data, the data fiduciary shall inform the Data Protection Authority, as soon as possible, where such breach is likely to cause harm to any data principal. Furthermore, the section leaves it to the determination of the Data Protection Authority, whether the users should be notified of the breach. Thus, the data fiduciaries are denied the opportunity to inform the users of breaches even if they wish to and the users are denied their right to be informed of breaches to their personal data.
According to the first principle of the Indian Privacy Code, individual rights should be at the centre of privacy and data protection. Therefore, the rights of users under the Bill have to be reviewed to ensure that the right to privacy of users gets primacy and the interests of data fiduciaries are addressed through limited exceptions. The Bill should make the disclosure of data breaches to users the rule rather than the exception. Rights such as the right to object to the processing of certain personal data and the right to seek exemption from automated decision-making have to be included in the Bill to protect the users from the challenges of emerging technologies.
This is the third post in our series on the issues with the Personal Data Protection Bill, 2019. Read part 1 here, part 2 here, and part 3 here. Do join us next Tuesday (18th May, 2021) as we analyse the provisions of the Bill related to social media entities.
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)
This post has been largely drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow interning at IFF with the supervision of our staff.