ETV Bharat / bharat

Data Protection Bill 2022: What's new, pros and cons


Published : Jul 6, 2023, 12:53 PM IST

The Data Protection Bill, likely to be introduced in this monsoon session, marks a significant advancement in safeguarding the rights of digital users by granting actionable rights, imposing obligations on companies, and proposing the establishment of the Data Protection Board as an adjudicatory body for addressing user complaints.


Hyderabad: Personal data refers to information that pertains to an identified or identifiable individual. Both businesses and government entities engage in the processing of personal data to provide goods and services. This processing enables the understanding of individual preferences, facilitating customisation, targeted advertising, and the development of recommendations. Additionally, the processing of personal data can assist in law enforcement efforts. However, unregulated processing poses risks to individuals' privacy, recognized as a fundamental right, and can result in negative consequences such as financial loss, reputational damage, and profiling.

Currently, India lacks an independent law specifically dedicated to data protection. The utilization of personal data is governed by the Information Technology (IT) Act of 2000. However, it has become evident that this framework falls short in ensuring adequate protection for personal data. To address this, the central government established a Committee of Experts on Data Protection in 2017, chaired by Justice B. N. Srikrishna, to examine data protection issues within the country. The Committee submitted its report in July 2018, and based on its recommendations, the Personal Data Protection Bill of 2019 was introduced in the Lok Sabha in December 2019. The Bill was subsequently referred to a Joint Parliamentary Committee, which presented its report in December 2021. In August 2022, the Bill was withdrawn from Parliament. In November 2022, the Ministry of Electronics and Information Technology released the Draft Digital Personal Data Protection Bill of 2022, inviting public feedback.

Additionally, the bill seeks to regulate entities known as "Data Processors" that process such data on behalf of these companies. For instance, an application that utilises the services of a cloud storage provider for storing personal data would require the cloud storage service provider to strictly adhere to the instructions of the company. Furthermore, the bill encompasses the rights of individuals, referred to as "Data Principals," to whom the personal data pertains.

What data falls under the definition of personal data according to the proposed bill?

The proposed bill defines personal data as information relating to an identifiable individual. This includes both directly identifiable information like name and contact details, as well as indirectly identifiable information such as vehicle numbers, location data, employee codes, or similar data that can be used to identify an individual. These various types of data collectively constitute personal data as they contribute to the identification of an individual.

On the other hand, any data that does not contribute to personally identifying an individual does not fall under the category of personal data. For instance, non-personal data may include aggregated usage data, such as the amount of time spent on an application or the pages visited on a website, without any specific reference to an individual.

What are the rights granted to individuals under the proposed bill?

The proposed bill does not aim to restrict the use of personal data but acknowledges its significance in the growth of the digital economy. Its objective is to strike a balance between safeguarding the rights of individuals and protecting the interests of businesses that utilize and process personal data.

To achieve this, the bill establishes a set of obligations that companies must adhere to. Additionally, data can only be processed with explicit consent or under circumstances where consent is assumed from individuals, or when required by law. The proposed bill grants individuals several rights to request information from apps and websites regarding their personal data.

The proposed bill grants individuals the following rights:

(A) Right to access information and summary of personal data processing:

Individuals have the right to be informed whether a company is processing or has processed their personal data and how it is being processed. This is crucial for understanding the company's role in data processing and exercising other individual rights.

(B) Right to withdraw consent:

Building upon the previous right, individuals can request a summary of their processed or processing data, including activities performed by the company. They can also obtain details of third-party companies with whom their data and data categories have been shared. Once aware, individuals have the option to withdraw their consent if they do not want their data to be processed. This is a significant right available to individuals.

(C) Right to correction and erasure:

Individuals have the right to correct or erase their personal data. This right allows them to:

Rectify inaccurate or misleading personal data, such as correcting the spelling of their name or other personal details.

Complete incomplete personal data, such as adding a missing PIN code to their postal address information.

Update personal data, such as changing their mobile phone number, email address, or other communication details.

Erase personal data that is no longer needed for processing, unless retention is required by law. For instance, personal data collected for order fulfillment by an e-commerce application can be deleted after the delivery, unless legal obligations necessitate its retention for a specified period.

Comparatively, it is evident that the existing law does not expressly provide for the right to erasure but allows for the withdrawal of consent instead. In contrast, the proposed law grants individuals the right to request the erasure of personal data, in addition to the right to withdraw consent.

(D) Right of grievance redress:

Individuals have the right to approach a designated office or authority appointed by a company to register and address concerns or questions regarding the processing of their personal data. Companies must have an established procedure and effective mechanism in place to handle individuals' grievances. They are also required to publish the contact information of a Data Protection Officer or authority who can address individuals' queries about personal data processing.

If individuals are not satisfied with the resolution provided by the Grievance Officer, they have the option to file a complaint with a Data Protection Board (DPB) established under the proposed bill within seven days.

(E) Right to nominate:

Under the proposed bill, individuals have the right to nominate another person to exercise their rights in the event of their death or incapacity due to physical or mental health issues. The ability to nominate another individual is not currently present in the provisions of the existing law.

(F) Right to withdraw consent:

The proposed law allows individuals to withdraw their consent for the processing of their personal data by a company when such processing is based solely on consent. For instance, if an individual provided consent for the collection of contact information through an application, they can withdraw that consent. It's important to note that the bill permits data processing on various grounds, such as public interest (e.g., debt recovery), legal compliance (e.g., EPFO KYC), and emergencies (e.g., medical emergencies). In such cases, individual consent is assumed. However, when express consent is obtained, it can be withdrawn by the individual.

The bill specifies that individuals would bear the consequences of such withdrawal. For example, if a bank processes personal data based on an individual's consent, and the individual withdraws their consent, they would be responsible for the resulting consequences, such as the termination of banking services according to the agreement between the customer and the bank.

The proposed bill aims to empower individuals while also ensuring that the rights guaranteed under the Bill are not abused. As part of this, the bill outlines certain duties for individuals, including:

(a) Individuals are required to exercise their rights in accordance with the procedures specified in the Bill.

(b) Individuals must refrain from filing false or frivolous complaints or grievances, either with the Fiduciary or with the DPB.

(c) Individuals should not provide false information, withhold material facts, or impersonate others when applying for documents, services, etc.

(d) Individuals are encouraged to make corrections or deletions to their personal data, but only if such changes are genuine and accurate.

Compared to existing laws, the bill significantly expands the rights of individuals, granting them greater visibility, awareness, decision-making autonomy, and control over their data. At the same time, it imposes obligations on companies to comply with individual rights and establishes effective mechanisms for resolving grievances, with substantial penalties of up to Rs 50 crore for violations of individual rights.


Copyright © 2024 Ushodaya Enterprises Pvt. Ltd., All Rights Reserved.