wordpress blog stats
Connect with us

Hi, what are you looking for?

Data Protection Bill: Possibility of misuse of Right to be Forgotten, overlap with Right to Erasure and more #NAMA

While the bill grants users certain rights, experts at a MediaNama discussion point to redundancies and scope for abuse.

Key takeaways

  • The current form of the bill has removed purpose specification for usage/processing of data
  • There is a lot of overlap between the Right to be Forgotten and the Right to Erasure/Correction
  • Possibility of misuse of Right to be Forgotten

These were some of the key points raised at MediaNama’s ‘Decoding India’s Data Protection Bill’ event held on January 19 and 20, 2022, wherein Supreme Court advocate Vrinda Bhandari, Executive Director for Center for Internet and Society Amber Sinha, Senior Resident Fellow at Vidhi Center for Legal Policy Lalit Panda, and lawyer Prasanna S shared their thoughts on the Data Protection Bill 2021 and the Joint Parliamentary Committee (JPC) report on the Bill, both of which were tabled in Parliament in December 2021.

This discussion was organised with support from Google, Flipkart, Meta, and Star India, and in partnership with ADIF. To support future MediaNama discussions, please let us know here.

Why is the lack of purpose specification for data processing a concern? 

Lalit Panda said that the bill has removed purpose specification, and replaced it with a purpose limitation provision that equated purposes with grounds. “So that provision is now gone. That provision which said that purposes must be specific, now there is only a provision which says processing of personal data shall be subject to provisions of this act and the rules and regulations made thereunder,” he added.

  • Purpose specification and Aadhaar: Panda termed purpose specification in relation to Aadhaar as a concern. He said that in the case of Aadhaar authentication, the purpose is already specified – authentication. “Any kind of data processing, which is aimed at identifying you as a person, is a kind of authentication. So if that is the case, then we have a little bit of confusion about what kind of specificity is needed,” he said.
  • The new provision is ‘entirely redundant’: The replacement of purpose specification with a provision that says processing of personal data should be made under the law was ‘entirely redundant’, Panda felt. “There is no point to say follow this law because all laws are supposed to be followed. The JPC has missed out on the importance of purpose specification and found it vague, and so has just put a provision which is redundant,” he added.

Recommendation: Amber Sinha recommended that provisions of purpose distribution and collection limitation, which have been removed from the bill, be inserted back.

Can the Right to be Forgotten be misused?

Vrinda Bhandari opined that the Right to be Forgotten would be the most used provision of the Data Protection Bill.

  • Request can be forwarded to anybody: Bhandari said that going by the current structure, anybody can say that a company is currently disclosing or processing personal data and ask for it to be removed.
  • Many ‘privileged’ requests: Bhandari foresees requests from many privileged sections, who “may want to take down information that shows bad things about them.”
  • The incentive to comply for a company is very high: She opined that in many companies the incentive to comply with a Right to be Forgotten request will be very high as they would want to avoid a hearing before the Data Protection Authority.

“I think there’s going to be, there will be misuse, I think 100% yes it is an important right. I have always been just a little bit suspect of how broadly it can be implemented.” – Vrinda Bhandari, Supreme Court advocate

Recommendation: “I think companies do need to take that stand. And not just, you know, over-comply, if necessary, even if it’s going to be expensive, obviously go before the Adjudicating Officer and fight it out. But I obviously understand that cost considerations will probably ensure that that doesn’t happen,” Bhandari said.

Advertisement. Scroll to continue reading.

How does the Right to be Forgotten overlap with the Right to Erasure/Correction?

Lalit Panda said that there are similar provisions in both Right to be Forgotten and Right to Erasure/Correction. “In a sense, the person has a choice. They can go under the right to erasure and say that listen, I said, erase my name and then you have to erase it and then there is the right to be forgotten,” he said.

  • Inclusion of ‘processing’ in Right to be Forgotten, a complication: Panelists pointed out that in the previous draft of the bill, the word ‘processing’ was not mentioned under the Right to be Forgotten. The inclusion of this word in the current draft means that a company cannot just stop storing or publicising a person’s data but also stop an operation that may be going on with that data. The complication comes from the fact that, while the previous draft, in the absence of ‘processing’ dealt with only Freedom of Speech, the new draft would also have to be balanced against the Rights of a Company.
  • People may choose Right to Erasure over Right to be Forgotten: In the case of Right to be Forgotten, Bhandari said that a company may ask a user to take their request to an adjudicating officer. However, in the case of Right to Erasure, there is an obligation to respond in part by the company.

Recommendation: Panda said a policy has to be formulated which would lay down when to forward requests under Right to Erasure or Right to be Forgotten. “Perhaps the erasure provision should be entirely removed from where it is currently placed alongside correction, and made only a question of the right to be forgotten,” he added.

Overlap between Right to Data Portability and Right to Access

Panda also pointed out that there was an overlap between provisions of the Right to Data Portability and the Right to Access in the current draft of the bill. While portability allows one to get a copy of one’s data, Right to Access also allows a user to avail the same feature.

Which provision do you invoke to retrieve your data from the government? “Do you go under portability, where you’re not allowed –  you can’t get it from the government?  Or do you go under access, which literally says that the government has to give you access to your data?” Panda asked.

Also Read:

What changes do you want in the Data Protection Bill from a company’s perspective? Do leave a comment.

Advertisement. Scroll to continue reading.
Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

News

The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.

News

In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?

News

The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.

News

The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ