
Protecting Personal Data: Where Grievance Redressal Falls Short

The provisions around grievance redressal in the Data Protection Bill “stands to be dangerously sparse and nugatory on various counts.”

By Aishani Rai and Ava Haidar

The relationship between ordinary citizens and their personal data carries several significant values: access, inclusion, trust, and in the new regime of Digital India, crucial public services of healthcare, financial mobility and education. The Digital Personal Data Protection Bill, 2022 enhances a few transparencies of this relationship, such as consent-based processing and the use of examples to demonstrate provisions (e.g., how deemed consent is determined, what may constitute infringement). However, it is difficult to locate features of access and knowledge that citizens can expect to strengthen their rights as Data Principals. We ask: does the Bill adequately enshrine these values, and is it empowered to direct their protection by all stakeholders?


Digital rights as a whole are tested in situations of harm, breach and misuse. What is currently missing from the Bill is a comprehensive cognisance of the various instances that comprise said breaches and negations beyond the specifics of consent and misuse of grievance and appeal mechanisms. The language of the Bill is also remiss towards due importance of trust, differential access to one’s own data, opportunities for technological development and underlying tenets of social progress that can make a data protection bill a bulwark against personal data harms. A look at the Bill and its implications for the right of grievance redressal points us in the direction of several opinions. 

Under the existing Bill, a Data Principal is guaranteed by clause 14 “the right to readily available means of registering a grievance with a Data Fiduciary.” The Data Principal is also enabled by the Bill to file a complaint with the Data Protection Board if redressal needs are not met. This provision, while important to include, stands to be dangerously sparse and nugatory on various counts.

First, in order to enforce the right to grievance redressal, it is imperative that the data principal be adequately informed about this right as well as its surrounding clauses. The existing provision fails to address the gaps in awareness of the same that impede Data Principals from exercising their rights to grievance redressal. Further, what are the grievances that data principals can seek remedy for, and what may be the standard of proof around filing grievances? The Bill notes that Data Principals must not file “frivolous” complaints, but has not elaborated on what constitutes frivolity, making the case for one’s data protection based on vague terms. These areas remain unanswered, leading to possibly incomplete, ineffective governance of a data protection infrastructure. 


Second, access to one’s own information is fundamental to being able to raise educated responses to grievances. Clause 12 of the Bill around the right to information affords Data Principals this right but lacks the trust and awareness-building modes that make it actionable. There is no process established around how clause 12 will be implemented, i.e., the next steps to be undertaken by the data fiduciary upon receiving a request for information from the affected data principal have not been laid out. Further, the process should provide clarity around reasonable turnaround time and cover permissible exceptions to avoid ambiguity.

Though Clause 12 enumerates what information can be sought, access should also ensure that the Data Principal is afforded the right to request a copy of one’s own data in understandable formats and in modes easily accessible to the layman. For instance, the Bill in clause 6(3) mandates notice to be provided in multiple languages; a similar provision can be incorporated to enhance the accessibility of information. There must be greater clarity on whom the request is to be made to and through what channels. In general, Data Principals with low access to information must be identified and suitable provisions for access be crafted to ensure they do not find themselves excluded from the positive impact of their personal data.

Third, there is also the unanswered question of liability and enforcement within this provision: how the Bill may guide stakeholders in identifying the appropriate body for redressal (to avoid inefficiency and overlapping of complaints), and the terms for the operation of an enforcement mechanism. Additionally, clause 9(5) directs Data Fiduciaries to inform Data Principals of data breaches as may be prescribed, possibly allowing future situations where Data Principals may not be informed of the same. The very essence of the statute is to ‘protect’ the Data Principal and apart from mandating means to prevent harm, protection must also include remedy. By only imposing financial penalties without any mention of compensatory measures, the protection of users is further sidelined by the penalisation of data fiduciaries. This can further diminish confidence in the ability of a Data Protection Act to adequately protect Data Principals from not just harm, but also a lack of knowledge that can enable their right of redress.

In these ways, we assert that the Bill does not appear to scope the pivotal values of knowledge, access and appropriate remedy for Data Principals that can give spiritual weight to grievance redressal. Finally, the overall governance, user safety and trust and enhancement of protection may lie in the public transparency of grievance redressal processes. The inclusion of a process of reporting by all fiduciaries can be mandated for greater accountability; fiduciaries may submit reports on a quarterly basis wherein the number of complaints, decisions taken, resolution rates and other metrics can increase the trust and efficiency associated with the Digital Personal Data Protection Act.

Aishani Rai and Ava Haidar are research analysts at Aapti Institute, Bangalore. 


This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.


© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
