India’s Digital Personal Data Protection Bill, 2023: What privacy rights do individuals have?

Ad: India’s Data Protection Bill is here, and your business needs to adapt. K&S Digiprotect, with its team of data protection experts, offers compliance services tailored to help you adapt to the new regulations, safeguard your data and build trust with your customers. Contact us now!

Personal data of Indian citizens can now be used for prevention, detection, or investigation of offences and cyber incidents by entities recognised by law without the knowledge of the individual whose data is being shared and used. India’s latest version of the Digital Personal Data Protection (DPDP) Bill tabled in the Parliament on August 3, 2023, restricts the rights of an individual from accessing information on the ways in which their personal data is being processed by such entities processing data for law enforcement purposes.

At the same time, the bill introduces some key rights for individuals, including the right to information, the right to correction and erasure of data, the right to grievance redressal, and the right to nominate. It’s worth noting that individual rights under the latest data protection bill have shrunk considerably since the first version of the bill came out for public feedback in 2018. After the removal of the right to be forgotten, the right to data portability, and a broader right to information, citizens are now left with a limited set of rights with conditions that can potentially obstruct them from exercising their rights freely. 

Read full summary of the bill here.

Rights of an individual under the DPDP Bill, 2023

1. Right to obtain information on personal data

The data protection bill provides individuals with basic rights to stay informed about how, where, and why is their personal data being shared and processed by “data fiduciaries” or simply put, entities like Google, Amazon, telecom providers like Reliance, and institutions like banks, insurance companies etc., who are involved in collecting, sharing and processing data. Such rights are applicable to individuals who have previously given consent to the use of their personal data or have voluntarily provided such information, but have not indicated that they “do not consent to the use” of their personal data.

Citizens have the right to request entities involved in collecting and processing their personal data in exchange of services, for providing them with a summary of their personal data, which is being processed and the processing activities undertaken by such entities. For instance, an individual struggling with spam calls or emails from different banks for loans can ask a telecom provider or even institutions like banks to provide information on the places their data is being shared or processed and take necessary action for identifying the spammer.

Individuals also have the right to know the identities of the third-party companies or agencies involved in processing data, with whom a primary data fiduciary has shared the individual’s personal data. For example, if an individual is using a telemedicine service via an app, they can request the operator to provide information on third-party sources like pharmaceutical companies or other health agencies if their personal data is being shared through the app. The primary entity involved in collecting or processing data also has to share a description of personal data shared with other entities to the individual.

Advertisement. Scroll to continue reading.

Where is the right to information not applicable? Citizens can ask for information related to their personal data and its processing except in cases where such data is in possession for crime investigation purposes. For instance, a telecom provider may share a user’s or many users’ personal data with the cyber-crime department for investigation into a cyber-crime involving fake sim cards, the individual whose data is being shared will not be able to access information on which cyber department has their data and for what purposes. 

As per Section 11(2) of the bill, the right to obtain information shall not be applicable if any data fiduciary—who originally is in possession of the individual’s personal data—has shared the data with:

“… any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.”

The clause restricting the right to obtain information was not a part of the 2022 version of the bill. This essentially means that now law enforcement agencies will have easy access to a large amount of personal data with little control by the individuals over their personal information. 

Citizens still won’t have complete information: The right to obtain information about one’s personal data evidently appears to be weakened in the current version of the bill as discussed above. Additionally, in its feedback to the 2022 bill to the Ministry, the Internet Freedom Foundation (IFF) pointed out that while data fiduciaries are obligated to provide identities of the third-party entities with whom the data is shared, the provision does not mandate them to share information on the purpose for which the data is shared. However, they themselves are required to disclose the purposes for processing one’s personal data.

“It is essential that data principals are provided with identical rights against all data fiduciaries and data processors who gain access to their data irrespective of whether they are the data fiduciary that the data principal shared their personal data with initially or they are a third party which has obtained the personal data from another data fiduciary,” IFF wrote.

Advertisement. Scroll to continue reading.

The Ministry has not addressed this concern in the current version of the bill and the provision regarding information on third-party entities is retained in its original form.

Article continues below ⬇, you might also want to read:

• A Complete Guide to India’s Digital Personal Data Protection Bill, 2023
• India’s Digital Personal Data Protection Bill, 2023 gives the government powers to exempt itself from the Bill, block content, and more
• How India’s Digital Personal Data Protection Bill impacts children’s privacy and access
• Here’s when entities don’t need to ask for consent as per India’s Digital Personal Data Protection Bill

2. Right to correction and erasure of personal data

Importantly, citizens have the right to request the erasure of their personal data under Section 12(3) of the bill. They can make a request to the entities with whom they have shared their data, and the respective company will have to erase the data if the purpose for which the data was collected is fulfilled. For example, if an individual has registered for an online educational course and has consented to the processing of their personal data for that purpose by the operator of the platform, then the individual has the right to get their data erased once the course duration is completed and procedures regarding certifications are fulfilled.

Entities collecting or processing such data must erase their personal data unless retention is necessary to fulfill the objective the data was collected for or for compliance with any law. For example, if an individual wishes to end their subscription to a telecom service provider and has requested for erasure of their data, the telecom service provider may retain the data for a specified duration if the law mandates retention of such data for a specific number of years.

Additionally, Section 12(3) of the bill also allows individuals to correct, request for completion and update their personal data in possession with entities collecting their data. For instance, correction of personal data in records of educational institutions, banks, Employment Provident Fund Organisation, among others. This provision can be availed by those individuals who have previously consented or are deemed to have given consent for processing their data.

3. Right to Grievance Redressal

Advertisement. Scroll to continue reading.

Under Section 13 of the bill, individuals have the right to access “readily available” methods for grievance redressal provided by the data fiduciary or ‘Consent Manager’, with regards to the obligations of the entities involved in collecting or processing data, and the rights of the individual. The bill defines Consent Manager as “a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform”.

The data fiduciary or consent manager is required to respond to such grievances within such period as may be prescribed from the date of its receipt. Individuals can approach the data protection board only if they “exhaust the opportunity of redressing” as per this provision.

4. Right to Nominate

As per rights under Section 14 of the DPDP Bill, individuals can nominate any other individual to exercise their rights as a data principal—the person to whom the personal data relates—in the event of death or incapacity of the individual.

According to the explanation provided in the bill, the term incapacity means “inability to exercise the rights of the Data Principal under the provisions of this Act due to unsoundness of mind or infirmity of body.” 

Duties for individuals in the bill

The duties outlined in the bill [Section 15] prohibit individuals from indulging in impersonation, registering a false or “frivolous” complaint and suppressing any “material information” while applying for any government document. The 2023 bill retains the clause under user duties which mandates users to provide “verifiably authentic” information in order to be able to exercise the right to erasure under the Act.

Advertisement. Scroll to continue reading.

As pointed out by IFF these conditions would impact the rights of the individuals who use pseudonyms on the internet. For example, the identity of people using pseudonyms on social media platforms for their profiles in order to remain anonymous be considered false as well?

“Clubbing such actions with actions which may be illegal such as impersonation and fraud can result in individuals no longer being able to enjoy the internet without excessive and unreasonable restrictions,” IFF noted.

Further, an individual may want to withhold some information and only provide what’s necessary for official purposes in order to protect their privacy. It is unclear in the bill if such an act will be seen as a suppression of material information. A breach of the duties mentioned above will attract a penalty of up to ten thousand rupees according to the bill. 

Speaking at MediaNama’s ‘Reworking the Data Protection Bill’ event, Tejaswitha, from the Centre for Communication Governance (CCG) observed that imposition of fine for a false or frivolous complaint will in fact discourage people from filing a complaint as the bill does not specifically define the term “frivolous” or what can be categorized as such.

“So now there’s no reason for you to actually go and file a complaint because it’s very likely that there’s a good possibility that it will be deemed as a false or frivolous grievance so it’s like this active act of ensuring the data principles don’t complain” she stated.

Evolution of privacy rights for individuals:

Individual rights under the 2023 version of the bill are similar to those outlined in the 2022 draft bill, with minor changes mentioned above. Here is a summary of the rights individuals had in the past versions of the bill:

Advertisement. Scroll to continue reading.

2021: The Joint Parliamentary Committee’s (JPC) report recommended that the word “processing” should be added along with the word “disclosure” to the definition of the Right to be Forgotten, giving users the right to restrict continued disclosure as well as processing of their personal data once the purpose is fulfilled. Other rights from the 2021 draft include:

• Data rights of a deceased person: Individuals were conferred the right to decide how their data has to be dealt with in case of causality/death, including the right to:
  • Nominate legal heir or legal representative as his nominee;
  • Exercise the right to be forgotten; and
  • Append the terms of the agreement in the event of death.
• Right to data portability: The bill stipulated that companies can only deny data portability (i.e. allowing individuals to obtain and transfer their personal data) in case of technical non-feasibility, which will be determined by the Data Protection Authority. The committee was of the view that the 2019 draft provided scope for data fiduciaries to conceal their actions by denying data portability under the garb of non-feasibility or trade secrets.
• Remedy against denial of requests: The DPA was empowered to frame regulations to determine specific conditions under which data fiduciaries can refuse to comply with requests made by the data principal to exercise the rights outlined in the bill.

2019: The bill gave a user the right to be forgotten, that is to stop their data from being disclosed if the purpose of data collection has been served, the user withdrew consent, or the data was disclosed illegally. The user was empowered to make a complaint to the Data Protection Authority (DPA), who could then order the data fiduciary to remove the user’s data.

2018: The Srikrishna Committee’s bill provided the data principal or the citizen with the right to confirmation and access, right to correction, right to data portability, and right to be forgotten. The adjudicating officer, who is appointed under the data protection authority of India, was provisioned to process applications based on sensitivity and necessity, among other factors.

• Right to confirmation and access: Individuals had the right to obtain a confirmation whether their data is being processed by the data fiduciaries. Citizens were also entitled to obtain a summary of the personal data being processed or has been processed and of the processing activities undertaken by the entities involved in collection and processing of data. This information must be provided to the individual in a clear and concise manner that is easily comprehensible to a person.

STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!