The Data Protection Bill 2021 presented by the Joint Parliamentary Committee (JPC) confers certain rights upon data principals (or individuals) which deal with correction and erasure of personal data, Right to be Forgotten, data portability, among other things, giving data principals an opportunity to prevent or restrict continued disclosure of their personal data.
Expanding the scope of Right to be Forgotten
The Joint Parliamentary Committee’s report recommended that the word “processing” should be added along with the word “disclosure” to Clause 20 which deals with the Right to be Forgotten.
It now reads as: “The data principal shall have the right to restrict or prevent the continuing disclosure or processing of his personal data by a data fiduciary where such disclosure or processing” has served the purpose, the consent was withdrawn or if data was disclosed illegally.”
- Earlier version: The 2019 draft of the PDP bill only had the word ‘disclosure’ and the rest of it reads the same in both versions. The user can make a complaint to the Data Protection Authority in case of a grievance. The DPA will then order the data fiduciary to remove the user’s data.
- Reasons for change: The JPC said that the expression “disclosure” cannot serve the purpose of the Right to be Forgotten. The committee observed that data fiduciaries can process personal data without disclosing the data with anybody even after the right is exercised by a data principal as the earlier draft allowed only for restriction or prevention of disclosure of personal data. The recommendation will make the clause more “comprehensive and meaningful,” it said.
Data rights of a deceased person
The Committee recommended that the data principal must have the right to decide how their data has to be dealt with in case of causality/death under Clause 17, including the right to:
- Nominate legal heir or legal representative as his nominee;
- Exercise the right to be forgotten; and
- Append the terms of agreement in the event of the death
- Earlier version: The earlier version of the PDP Bill did not formulate the data rights of deceased individuals.
- Reason for the change: The committee believed that the PDP Bill needs to have a provision which “empowers the data principal to exercise his or her right to decide how his or her data has to be dealt with in case of causality/death.”
Right to data portability
The Data Protection Bill 2021 stipulates that companies can only deny data portability (i.e. allowing individuals to obtain and transfer their personal data) in case of technical non-feasibility, which will be determined by the Data Protection Authority.
- Earlier version: The earlier version of the PDP Bill allowed data fiduciaries to deny data portability at their own will due to technical non-feasibility or for protecting trade secrets.
- Reasons for the change: The committee was of the view that the earlier draft provided scope for data fiduciaries to conceal their actions by denying data portability under the garb of non-feasibility or trade secret. Trade secrets also can’t be clearly defined as they differ from domain to domain.
Principles for enforcing Right to be Forgotten
- Rights must be straightforward: DPA should frame regulations that can ensure that the rights of data principal could be exercised in a simple manner and at the same time the data fiduciaries could discharge those obligations in a way that is practically possible.
- Regulations must keep evolving: The committee also suggested that the regulatory body (Data Protection Authority) should evolve in line with the best practices internationally and frame the regulations which ensure that the rights of data principal can be exercised in a simple manner and at the same time the data fiduciaries could discharge those obligations in the way that is practically possible.
- Keeping pace with technical limitations: The Committee said that the individual’s liberty and right to privacy are of primary concern but how far the same can be achieved depends upon multiple factors such as available technology, cost, practicability, etc.
- Storing data longer than required: There may be instances when the data may have to be stored for a period longer than required for providing that service, for the purpose of verification and record.
- Criteria to access rights: The right of the data principal for complete erasure of data need not qualify for compliance in cases of false declarations.
- Ambiguity around erasure of personal data: The committee wrote that Clause 18(1)(d) is ambiguous as it says erasure can be sought in case the data has served its purpose for which it was processed. The committee said that in certain cases, the financial costs associated with the erasure request might make it unfeasible for the data fiduciary to serve the request.
Denial of requests
The DPA is empowered to frame regulations to determine the specific conditions under which data fiduciaries can refuse to comply with requests made by the data principal to exercise the rights outlined in the Act.
- Earlier version: The earlier version of the PDP bill did not leave this opening for the DPA to frame regulations. It allowed DFs to refuse requests on their own accord if they believed that the rights of any other data principal were being harmed.
- Reason for the change: The committee believed that the earlier version of the bill gave DFs arbitrary powers to refuse requests from data principals, and wanted to prevent any unnecessary denial of requests.
Suggestions received by the JPC on Right to be Forgotten
- The nature and scope of the right to be forgotten including enforcement measures should be specified in the Bill.
- There should be a timeline prescribed for the Privacy Officer to decide the application for the process.
- The right to be forgotten should be limited to only personal data shared by the data principal.
- Intellectual Property Rights acquired by the data fiduciary should be removed from the purview of this clause.
- It should not apply to the collection of information by banks and financial institutions.
Right to be Forgotten cases in India
Given that the right to be forgotten has not been formalised to date, most of the attempts to exercise the right have been through the legal route in India. Here are some of the cases:
Laksh Vir Yadav: The petitioner filed a case against the Union of India and others, after a criminal case involving his wife and mother, showed up alongside search results of his name despite not being a party to the case. He argued that it affected his employment opportunities. The Internet Freedom Foundation (IFF) then secured a legal intervention with consent from the Delhi HC and filed its arguments against the case. Delhi HC is yet to pronounce its verdict.
Nikhil Rajan: A case was filed in the Kerala High Court by Nikhil Rajan, who sought the erasure of his personal details from Google search results. Rajan, a dentist by profession, contended that when his name is searched on the internet, the first result is a bail order from 2014 containing his personal details. This is despite his subsequent acquittal in the case. The bail order has details of the crime, Rajan’s address and father’s name.
Ashutosh Kaushik: In 2021, an Indian reality television celebrity approached the Delhi High Court with a petition wherein he urged the court to direct relevant parties to remove posts, videos, and articles from nearly a decade ago. Kaushik, who won the MTV Roadies in 2007 and Big Boss in 2008, courted controversy in 2009 when he was arrested for drunk driving, and again in 2013, due to a drunken altercation. Ashutosh, in his petition, said that the content related to these occurrences were still available on search engines such as Google, “which are irrelevant in the present times and are causing grave injury to the Petitioner’s dignity and reputation…”
The Right to be Forgotten was put into practice by the European Union and was upheld by the Court of Justice of the European Union on May 13, 2014, allowing certain people to ask search engines to remove specific results for queries that include their name, where the interests in those results appearing are outweighed by the person’s privacy rights.
Update, December 17, 2021: The report has been updated following editorial inputs.
Get our white paper on the Data Protection Bill 2021 in your inboxWe may also reach out occasionally with our coverage of the Data Protection Bill and more.
Subscribe to MediaNama to get access to our ongoing coverage of the bill. Here is everything we have planned around the report: