- The current form of the bill has removed purpose specification for usage/processing of data
- There is a lot of overlap between the Right to be Forgotten and the Right to Erasure/Correction
- Possibility of misuse of Right to be Forgotten
These were some of the key points raised at MediaNama’s ‘Decoding India’s Data Protection Bill’ event held on January 19 and 20, 2022, wherein Supreme Court advocate Vrinda Bhandari, Executive Director for Center for Internet and Society Amber Sinha, Senior Resident Fellow at Vidhi Center for Legal Policy Lalit Panda, and lawyer Prasanna S shared their thoughts on the Data Protection Bill 2021 and the Joint Parliamentary Committee (JPC) report on the Bill, both of which were tabled in Parliament in December 2021.
This discussion was organised with support from Google, Flipkart, Meta, and Star India, and in partnership with ADIF. To support future MediaNama discussions, please let us know here.
Why is the lack of purpose specification for data processing a concern?
Lalit Panda said that the bill has removed purpose specification, and replaced it with a purpose limitation provision that equated purposes with grounds. “So that provision is now gone. That provision which said that purposes must be specific, now there is only a provision which says processing of personal data shall be subject to provisions of this act and the rules and regulations made thereunder,” he added.
- Purpose specification and Aadhaar: Panda termed purpose specification in relation to Aadhaar as a concern. He said that in the case of Aadhaar authentication, the purpose is already specified – authentication. “Any kind of data processing, which is aimed at identifying you as a person, is a kind of authentication. So if that is the case, then we have a little bit of confusion about what kind of specificity is needed,” he said.
- The new provision is ‘entirely redundant’: The replacement of purpose specification with a provision that says processing of personal data should be made under the law was ‘entirely redundant’, Panda felt. “There is no point to say follow this law because all laws are supposed to be followed. The JPC has missed out on the importance of purpose specification and found it vague, and so has just put a provision which is redundant,” he added.
Recommendation: Amber Sinha recommended that provisions of purpose distribution and collection limitation, which have been removed from the bill, be inserted back.
Can the Right to be Forgotten be misused?
Vrinda Bhandari opined that the Right to be Forgotten would be the most used provision of the Data Protection Bill.
- Request can be forwarded to anybody: Bhandari said that going by the current structure, anybody can say that a company is currently disclosing or processing personal data and ask for it to be removed.
- Many ‘privileged’ requests: Bhandari foresees requests from many privileged sections, who “may want to take down information that shows bad things about them.”
- The incentive to comply for a company is very high: She opined that in many companies the incentive to comply with a Right to be Forgotten request will be very high as they would want to avoid a hearing before the Data Protection Authority.
“I think there’s going to be, there will be misuse, I think 100% yes it is an important right. I have always been just a little bit suspect of how broadly it can be implemented.” – Vrinda Bhandari, Supreme Court advocate
Recommendation: “I think companies do need to take that stand. And not just, you know, over-comply, if necessary, even if it’s going to be expensive, obviously go before the Adjudicating Officer and fight it out. But I obviously understand that cost considerations will probably ensure that that doesn’t happen,” Bhandari said.
How does the Right to be Forgotten overlap with the Right to Erasure/Correction?
Lalit Panda said that there are similar provisions in both Right to be Forgotten and Right to Erasure/Correction. “In a sense, the person has a choice. They can go under the right to erasure and say that listen, I said, erase my name and then you have to erase it and then there is the right to be forgotten,” he said.
- Inclusion of ‘processing’ in Right to be Forgotten, a complication: Panelists pointed out that in the previous draft of the bill, the word ‘processing’ was not mentioned under the Right to be Forgotten. The inclusion of this word in the current draft means that a company cannot just stop storing or publicising a person’s data but also stop an operation that may be going on with that data. The complication comes from the fact that, while the previous draft, in the absence of ‘processing’ dealt with only Freedom of Speech, the new draft would also have to be balanced against the Rights of a Company.
- People may choose Right to Erasure over Right to be Forgotten: In the case of Right to be Forgotten, Bhandari said that a company may ask a user to take their request to an adjudicating officer. However, in the case of Right to Erasure, there is an obligation to respond in part by the company.
Recommendation: Panda said a policy has to be formulated which would lay down when to forward requests under Right to Erasure or Right to be Forgotten. “Perhaps the erasure provision should be entirely removed from where it is currently placed alongside correction, and made only a question of the right to be forgotten,” he added.
Overlap between Right to Data Portability and Right to Access
Panda also pointed out that there was an overlap between provisions of the Right to Data Portability and the Right to Access in the current draft of the bill. While portability allows one to get a copy of one’s data, Right to Access also allows a user to avail the same feature.
Which provision do you invoke to retrieve your data from the government? “Do you go under portability, where you’re not allowed – you can’t get it from the government? Or do you go under access, which literally says that the government has to give you access to your data?” Panda asked.
- Data Protection Bill: Lower age of consent, limit data portability, strengthen data breach rules, and introduce more grounds for processing data #NAMA
- A Complete Guide To The Data Protection Bill, 2021
- Data Protection Bill 2021: How Data Fiduciaries Must Handle The Personal Data Of Children
- Data Protection Bill 2021: What Is The Protocol When Data Breaches Occur In India?
- Data Protection Bill 2021: What Are The Obligations Of Data Fiduciaries?
What changes do you want in the Data Protection Bill from a company’s perspective? Do leave a comment.