By Aishani Rai and Ava Haidar
The relationship between ordinary citizens and their personal data carries several, significant values: access, inclusion, trust, and in the new regime of Digital India, crucial public services of healthcare, financial mobility and education. The Digital Personal Data Protection Bill, 2022 enhances a few transparencies of this relationship, such as consent-based processing and the use of examples to demonstrate provisions (eg. how deemed consent is determined, what may constitute infringement). However, it is difficult to locate features of access and knowledge that citizens can expect to strengthen their rights as Data Principals. We ask: does the Bill adequately enshrine these importances, and is it empowered to direct their protection by all stakeholders?
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.
Digital rights as a whole are tested in situations of harm, breach and misuse. What is currently missing from the Bill is a comprehensive cognisance of the various instances that comprise said breaches and negations beyond the specifics of consent and misuse of grievance and appeal mechanisms. The language of the Bill is also remiss towards due importance of trust, differential access to one’s own data, opportunities for technological development and underlying tenets of social progress that can make a data protection bill a bulwark against personal data harms. A look at the Bill and its implications for the right of grievance redressal points us in the direction of several opinions.
Under the existing Bill, a Data Principal is guaranteed by clause 14 “the right to readily available means of registering a grievance with a Data Fiduciary.” The Data Principal is also enabled by the Bill to file a complaint with the Data Protection Board if redressal needs are not met. This provision, while important to include, stands to be dangerously sparse and nugatory on various counts.
First, in order to enforce the right to grievance redressal, it is imperative that the data principal be adequately informed about this right as well as its surrounding clauses. The existing provision fails to address the gaps in awareness of the same that impede Data Principals from exercising their rights to grievance redressal. Further, what are the grievances that data principals can seek remedy for, and what may be the standard of proof around filing grievances? The Bill notes that Data Principals must not file “frivolous” complaints, but has not elaborated on what constitutes frivolity, making the case for one’s data protection based on vague terms. These areas remain unanswered, leading to possibly incomplete, ineffective governance of a data protection infrastructure.
Second, access to one’s own information is fundamental to being able to raise educated responses to grievances. Clause 12 of the Bill around the right to information affords Data Principals this right but lacks the trust and awareness-building modes that make it actionable. There is no process established around how clause 12 will be implemented, i.e., the next steps for action to be undertaken by the data fiduciary upon receiving a request for information from the affected data principal, have not been laid out. Further, the process should provide clarity around reasonable turnaround time and cover permissible exceptions to avoid ambiguity.
Though Clause 12 enumerates what information can be sought, access should also ensure that the Data Principal is afforded the right to request a copy of one’s own data in understandable formats and easily accessible modes to the layman. For instance, the Bill in clause 6(3) mandates notice to be provided in multiple languages; a similar provision can be incorporated to enhance the accessibility of information. There must be greater clarity on whom the request is to be made to and through what channels. In general, Data Principals with low access to information must be identified and suitable provisions for access be crafted to ensure they do not find themselves excluded from the positive impact of their personal data.
Third, there also is the unanswered question of liability and enforcement within this provision around how the Bill may guide stakeholders in identifying the appropriate body for redressal (to avoid inefficiency and overlapping of complaints), and the terms for the operation of an enforcement mechanism. Additionally, clause 9(5) directs Data Fiduciaries to inform Data Principals of data breaches as may be prescribed, possibly allowing future situations where Data Principals may not be informed of the same. The very essence of the statute is to ‘protect’ the Data Principal and apart from mandating means to prevent harm, protection must also include remedy. By only imposing financial penalties without any mention of compensatory measures, the protection of users is further sidelined by the penalisation of data fiduciaries. This can further diminish confidence in the ability of a Data Protection Act to adequately protect Data Principals from not just harm, but also a lack of knowledge that can enable their right of redress.
In these ways, we assert that the Bill does not appear to scope the pivotal values of knowledge, access and appropriate remedy for Data Principals that can give spiritual weight to grievance redressal. Finally, the overall governance, user safety and trust and enhancement of protection may lie in the public transparency of grievance redressal processes. The inclusion of a process of reporting by all fiduciaries can be mandated for greater accountability; fiduciaries may submit reports on a quarterly basis wherein the number of complaints, decisions taken, resolution rates and other metrics can increase the trust and efficiency associated with the Digital Personal Data Protection Act.
Aishani Rai and Ava Haidar are research analysts at Aapti Institute, Bangalore.
- A Complete Guide To India’s Digital Personal Data Protection Bill, 2022
- Summary: India’s Digital Personal Data Protection Bill, 2022
- Twelve Major Concerns With India’s Data Protection Bill, 2022
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.