wordpress blog stats
Connect with us

Hi, what are you looking for?

Data Protection Bill 2021: What rights will individuals have on their data?

Among other recommendations, the JPC has proposed the right to be forgotten with thoughts on how to enforce it.

The Data Protection Bill 2021 presented by the Joint Parliamentary Committee (JPC) confers certain rights upon data principals (or individuals) which deal with correction and erasure of personal data, Right to be Forgotten, data portability, among other things, giving data principals an opportunity to prevent or restrict continued disclosure of their personal data.

Expanding the scope of Right to be Forgotten

The Joint Parliamentary Committee’s report recommended that the word “processing” should be added along with the word “disclosure” to Clause 20 which deals with the Right to be Forgotten.

It now reads as: “The data principal shall have the right to restrict or prevent the continuing disclosure or processing of his personal data by a data fiduciary where such disclosure or processing” has served the purpose, the consent was withdrawn or if data was disclosed illegally.”

  • Earlier version: The 2019 draft of the PDP bill only had the word ‘disclosure’ and the rest of it reads the same in both versions. The user can make a complaint to the Data Protection Authority in case of a grievance. The DPA will then order the data fiduciary to remove the user’s data.
  • Reasons for change: The JPC said that the expression “disclosure” cannot serve the purpose of the Right to be Forgotten. The committee observed that data fiduciaries can process personal data without disclosing the data with anybody even after the right is exercised by a data principal as the earlier draft allowed only for restriction or prevention of disclosure of personal data. The recommendation will make the clause more “comprehensive and meaningful,” it said.

Data rights of a deceased person

The Committee recommended that the data principal must have the right to decide how their data has to be dealt with in case of causality/death under Clause 17, including the right to:

  1. Nominate legal heir or legal representative as his nominee;
  2. Exercise the right to be forgotten; and
  3. Append the terms of agreement in the event of the death
  • Earlier version: The earlier version of the PDP Bill did not formulate the data rights of deceased individuals.
  • Reason for the change: The committee believed that the PDP Bill needs to have a provision which “empowers the data principal to exercise his or her right to decide how his or her data has to be dealt with in case of causality/death.”

Right to data portability

The Data Protection Bill 2021 stipulates that companies can only deny data portability (i.e. allowing individuals to obtain and transfer their personal data) in case of technical non-feasibility, which will be determined by the Data Protection Authority.

  • Earlier version: The earlier version of the PDP Bill allowed data fiduciaries to deny data portability at their own will due to technical non-feasibility or for protecting trade secrets.
  • Reasons for the change: The committee was of the view that the earlier draft provided scope for data fiduciaries to conceal their actions by denying data portability under the garb of non-feasibility or trade secret. Trade secrets also can’t be clearly defined as they differ from domain to domain.

Principles for enforcing Right to be Forgotten

  • Rights must be straightforward: DPA should frame regulations that can ensure that the rights of data principal could be exercised in a simple manner and at the same time the data fiduciaries could discharge those obligations in a way that is practically possible.
  • Regulations must keep evolving: The committee also suggested that the regulatory body (Data Protection Authority) should evolve in line with the best practices internationally and frame the regulations which ensure that the rights of data principal can be exercised in a simple manner and at the same time the data fiduciaries could discharge those obligations in the way that is practically possible.
  • Keeping pace with technical limitations: The Committee said that the individual’s liberty and right to privacy are of primary concern but how far the same can be achieved depends upon multiple factors such as available technology, cost, practicability, etc.
  • Storing data longer than required: There may be instances when the data may have to be stored for a period longer than required for providing that service, for the purpose of verification and record.
  • Criteria to access rights: The right of the data principal for complete erasure of data need not qualify for compliance in cases of false declarations.
  • Ambiguity around erasure of personal data: The committee wrote that Clause 18(1)(d) is ambiguous as it says erasure can be sought in case the data has served its purpose for which it was processed. The committee said that in certain cases, the financial costs associated with the erasure request might make it unfeasible for the data fiduciary to serve the request.

Denial of requests

The DPA is empowered to frame regulations to determine the specific conditions under which data fiduciaries can refuse to comply with requests made by the data principal to exercise the rights outlined in the Act.

  • Earlier version: The earlier version of the PDP bill did not leave this opening for the DPA to frame regulations. It allowed DFs to refuse requests on their own accord if they believed that the rights of any other data principal were being harmed.
  • Reason for the change: The committee believed that the earlier version of the bill gave DFs arbitrary powers to refuse requests from data principals, and wanted to prevent any unnecessary denial of requests.

Suggestions received by the JPC on Right to be Forgotten

  • The nature and scope of the right to be forgotten including enforcement measures should be specified in the Bill.
  • There should be a timeline prescribed for the Privacy Officer to decide the application for the process.
  • The right to be forgotten should be limited to only personal data shared by the data principal.
  • Intellectual Property Rights acquired by the data fiduciary should be removed from the purview of this clause.
  • It should not apply to the collection of information by banks and financial institutions.

Right to be Forgotten cases in India

Given that the right to be forgotten has not been formalised to date, most of the attempts to exercise the right have been through the legal route in India. Here are some of the cases:

Laksh Vir Yadav: The petitioner filed a case against the Union of India and others, after a criminal case involving his wife and mother, showed up alongside search results of his name despite not being a party to the case. He argued that it affected his employment opportunities. The Internet Freedom Foundation (IFF) then secured a legal intervention with consent from the Delhi HC and filed its arguments against the case. Delhi HC is yet to pronounce its verdict.

Nikhil Rajan: A case was filed in the Kerala High Court by Nikhil Rajan, who sought the erasure of his personal details from Google search results. Rajan, a dentist by profession, contended that when his name is searched on the internet, the first result is a bail order from 2014 containing his personal details. This is despite his subsequent acquittal in the case. The bail order has details of the crime, Rajan’s address and father’s name.

Ashutosh Kaushik: In 2021, an Indian reality television celebrity approached the Delhi High Court with a petition wherein he urged the court to direct relevant parties to remove posts, videos, and articles from nearly a decade ago. Kaushik, who won the MTV Roadies in 2007 and Big Boss in 2008, courted controversy in 2009 when he was arrested for drunk driving, and again in 2013, due to a drunken altercation. Ashutosh, in his petition, said that the content related to these occurrences were still available on search engines such as Google, “which are irrelevant in the present times and are causing grave injury to the Petitioner’s dignity and reputation…”

Advertisement. Scroll to continue reading.

The Right to be Forgotten was put into practice by the European Union and was upheld by the Court of Justice of the European Union on May 13, 2014, allowing certain people to ask search engines to remove specific results for queries that include their name, where the interests in those results appearing are outweighed by the person’s privacy rights.

Update, December 17, 2021: The report has been updated following editorial inputs.

Get our white paper on the Data Protection Bill 2021 in your inbox

We may also reach out occasionally with our coverage of the Data Protection Bill and more.
By filling out this form, you agree to receive a copy of MediaNama's white paper and further information about MediaNama's work and services.

Subscribe to MediaNama to get access to our ongoing coverage of the bill. Here is everything we have planned around the report:

Written By

I cover several beats such as crypto, telecom, and OTT at MediaNama. I will be loitering at my local theatre and consuming movies by the dozen when I am off work.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ