Rights under the proposed Data Protection framework

Editor’s note: It has been a while since the release of the much highlighted white paper on data protection in India. Vide press release dated 28th December 2017, the government had extended the submission of responses to the white paper until 31st January 2018. Now that the responses are complete, we take a look back at several aspects of the white paper.

This post discusses one of the several aspects stated in the white paper which form the heart of data protection law – the “rights” under the proposed Bill. This post recommends some individual participation rights, as incorporated under the EU’s General Data Protection Regulation, which should also be a part of the data protection and privacy law of India. These rights provide transparency and allow an individual to know where and how his data is being controlled, processed or stored. The scope of these rights goes much beyond the issue of consent; it is about, but not limited to, a citizen’s participation in the decision-making process related to this information.

Right to Access

It is based on the principle that an individual should know what sort of information a data controller has about him and how it is handled. It includes the right to access information about one’s personal data, the period of storage, the place of storage, the source of the data, and the grievance mechanism to lodge a complaint. Although its purpose is to determine the accuracy of the data, it is also subject to restrictions such as cost, a threat to life, privacy invasion, etc.

Right to Confirmation

It is the right of an individual to confirm whether or not an entity is processing his personal data. The rights to access and confirmation form the core principle of data protection legislation, keeping a check that data is correct and lawfully handled by the entities.

Right to rectification

These individual rights exist to determine the accuracy of the data, and if the required level of accuracy is not achieved, the user must have the right to get it rectified. Therefore, data can be rectified where it is:

  • Inaccurate
  • Irrelevant
  • Incorrect
  • Partially updated
  • More than required (excessive)

These rights are not enough to deal with the different problems posed by new practices such as use for marketing purposes and decisions based solely on automated decision-making. This leads us to explore new rights (as in the GDPR), and even the white paper looks at their relevance in the Indian context.

Right to Data portability

Indian law allows transfer of data, but only under contractual obligations. This means that the data of one company can be moved, copied or transferred to another company, but at the request of the individual; therefore data must be held in an interoperable format. Example: With the consent of the patient, one hospital can transfer his data to another for further treatment. A limited application of this right has been seen in the Indian context, as in the telecom industry, but it should be applied broadly in all sectors to give better control of the data.

Right to object to automated decisions

The new technologies make excessive use of artificial intelligence despite its prejudicial consequences. Many decisions are taken on the basis of automated decision-making using logical algorithms without human intervention, which makes a lot of mistakes. However, AI has a lot of popularity in the digital economy. Therefore, keeping in mind its practical enforceability in the Indian context, an effective right must be carved out.

Right against direct marketing

The right to object to privacy invasion for direct marketing without prior consent must be included, and it should indeed be a discrete privacy principle. India already has specific legislation to control direct marketing, and the same is mentioned in every organization’s privacy policy; therefore it is a universal issue and should be dealt with under general rules.

Right to be forgotten

The recent decision of the European Court of Justice in the Google Spain case and the reference to this right in the Puttaswamy judgement make it necessary to look at it as a facet of privacy. Everything on the internet stays stuck in the cobweb of the internet and can lead to embarrassing situations later on. The permanency of data online leads to the use of other apps like Snapchat, which has an effective mechanism to erase data. An individual should have control of information about them and also a right to erasure. There should be a proper balancing of the right to be forgotten with the right to freedom of speech and expression (Article 19), carving out reasonable restrictions or exceptions.

The major challenges posed by the above rights are the fees to be prescribed for exercising these rights, technical challenges and vexatious requests. The data protection authority and sectoral regulators can prescribe reasonable fees. Also, reasonable exceptions should be carved out for the effectiveness of these rights.

Gurleen Kaur

Gurleen is a 5th year Techno-Legal student who aspires to build a better Cyber space for netizens. She is fond of researching in the field of Cyber security and loves to delve into the gap between technology and law. She is passionate about writing on diverse legal issues impacting citizens.