Editor’s note: It has been a while since the release of the much-highlighted white paper on data protection in India. Vide press release dated 28th December 2017, the government had extended the submission of responses to the white paper until 31st January 2018. Now that the responses are complete, we take a look back at several aspects of the white paper.
This post discusses one of the several aspects stated in the white paper that forms the heart of data protection law: the “rights” under the proposed Bill. It recommends some individual participation rights, as incorporated under the EU’s General Data Protection Regulation, which should also be a part of the data protection and privacy law of India. These rights provide transparency and allow an individual to know where and how their data is being controlled, processed or stored. The scope of these rights goes well beyond the issue of consent; it is about, but not limited to, a citizen’s participation in the decision-making process related to this information.
Right to Access
It is based on the principle that an individual should know what sort of information a data controller has about him and how it is handled. It includes the right to access information about one’s personal data, the period of storage, the place of storage, the source of the data and the grievance mechanism for lodging a complaint. Although its purpose is to determine the accuracy of the data, it is also subject to restrictions such as cost, a threat to life, privacy invasion etc.
Right to Confirmation
It is the right of an individual to confirm whether or not an entity is processing his personal data. The rights to access and confirmation form the core principle of data protection legislation: to keep a check that data is correct and lawfully handled by the entities.
Right to rectification
These individual rights are to determine the accuracy of the data; if the required level of accuracy is not achieved, the user must have the right to get it rectified. Therefore, data can be rectified on the basis that it is:
- Partially updated
- More than required (excessive)
These rights are not enough to deal with the different problems posed by new practices such as the use of data for marketing purposes and decisions based solely on automated decision-making. This leads us to explore new rights (as in the GDPR), and even the white paper looks at their relevance in the Indian context.
Right to Data portability
Indian law allows transfer of data, but only under contractual obligations. This means that the data of one company can be moved, copied or transferred to another company, but at the request of the individual; the data must therefore be held in an interoperable format. Example: with the consent of the patient, one hospital can transfer his data to another for further treatment. A limited application of this right has been seen in the Indian context, for instance in the telecom industry, but it should be applied broadly across all sectors to give better control of the data.
Right to object to automated decisions
New technologies make excessive use of artificial intelligence despite its prejudicial consequences. Many decisions are taken on the basis of automated decision-making, using logical algorithms without human intervention, and this produces a lot of mistakes. However, AI has a lot of popularity in the digital economy. Therefore, keeping in mind its practical enforceability in the Indian context, an effective right must be carved out.
Right against direct marketing
Right to be forgotten
The recent decision of the European Court of Justice in the Google Spain case and the reference to this right in the Puttaswamy judgement make it necessary to look at it as a facet of privacy. Everything on the internet stays stuck in the cobweb of the internet and can lead to embarrassing situations later on. The permanency of data online leads to the use of other apps like Snapchat, which has an effective mechanism to erase data. An individual should have control of information about them and also a right to erasure. There should be a proper balancing of the right to be forgotten with the right to freedom of speech and expression (Article 19), carving out reasonable restrictions or exceptions.
The major challenges posed by the above rights are the fees to be prescribed for exercising them, technical challenges and vexatious requests. The data protection authority and sectoral regulators can prescribe reasonable fees. Also, reasonable exceptions should be carved out for the effectiveness of these rights.