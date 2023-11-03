“How the users’ rights will get interpreted in practice will depend a lot on the Data Protection Board. The constitution of the Data Protection Board, which as I’ve spoken before, and many people have pointed out, is going to determine everything. “If the Data Protection Board today is going to be decided completely by the central government…and if the people who are there have certain [ways] of thinking, then that will mean that your entire obligations or your entire rights vis-a-vis the state will effectively become nullified.,” observed lawyer Vrinda Bhandari while speaking about the enforcement of individual rights to privacy provided by India’s Digital Personal Data Protection Act, 2023 (DPDPA).

Bhandari was speaking as a panellist at the ‘User Rights and Principles for the Rules’ session at MediaNama’s annual conference PrivacyNama 2023, which focused on how the data protection law approaches digital rights of individuals and what are the challenges that might arise for users while exercising these rights. The session was moderated by Gangesh Varma (Principal Associate, Saraf and Partners) and co-panellists Swati Punia (Centre for Communication Governance), and Amol Kulkarni (CUTS) also delved into the implementational aspects of various provisions of the law, including right to access information on personal data processed by different entities, right to grievance redressal, and right to nominate among others. In this article, we focus on discussions about the role of the data protection board in the effective implementation of the right to grievance redressal in cases where a user’s data rights are violated.

How will a “readily available means of grievance redressal” look like?

Under Section 13(1) of the DPDP Act, a data principal shall have the right to have access to “readily available means of grievance redressal” provided by a data fiduciary or consent manager to report instances wherein their rights related to their personal data are violated or if they are unable to exercise their rights effectively.

This discussion was organised with support from Meta, PhonePe, Google, and Salesforce, and in partnership with CUTS and the Centre for Communication Governance.

While discussing sectoral provisions that speak of different privacy rights outlined in the law, Kulkarni pointed out that the obligation of a data fiduciary to establish a readily available means to address grievance raises uncertainty. He explained that the right to get personal information corrected, right to erasure and retention of data, are some of the rights already been observed in the finance sector. For example, as Kulkarni stated, the Reserve Bank of India (RBI) released a circular that all financial consumers have the right to get their information corrected with the credit information companies and credit institutions. And if that information is not corrected within the specified period of 30 days or so, they have the right to claim compensation for 100 rupees per day of delay. Similarly, another RBI guideline requires lenders to return the original property document to an individual, who has taken a loan, once the loan term ends or the purpose is served. However, according to Kulkarni, when it comes to grievance redressal, Kulkarni is of the view that the term is not being utilised in other sectors.

“Now, what does it mean by readily available means of grievance address? I’m not really sure because it’s the term which is not being utilized anywhere else. There is no clear sort of clarity on what is the role of the Data Protection Board in enforcement of such some of these rights, including grievance address. Neither there is any discussion around enforcement of rights at state and at district level because we have a three-tiered consumer grievance address sort of mechanism. So, how does that interact?” Amol added.

Responding to Kulkarni’s observations on grievance redressal structure, Bhandari stated that the phrase readily available could be interpreted as information that’s indicated on the website, for example, who is the grievance redressal officer, their email, contact details, and a guide on how can users file a complaint. Given that the Act requires a user to exhaust every opportunity before approach the data protection board, for an individual to file a complaint with the data fiduciary, she added that the provision would be interpreted in the manner explained above.

Bhandari also raised an important question of how grievance redressal systems would work in offline settings. She explained, “So, if you’re going to a hospital where your records are digitized, you’re then covered under the law…in an online setting, we’re all sort of used to, you go to the ‘contact us’, or for any grievances or in the privacy policy, it’ll say ‘contact the grievance redressal officer’. I think it’ll be interesting to see how that will happen in the offline setting where the data is digitized. If you go to a hospital, does it have to say that for any grievances or for any details, contact so-and-so. So, for instance, you see all these notices under the Prenatal Diagnostics Act where you go to any ultrasonologist and they have all these big posters that are put, which is that for any violation, this is what happens. They have a copy of the law, et cetera, given. So, to me, that’s actually very interesting because intuitively, people understand when you’re giving data online that there is some collection online. But if I’m giving my data, so if I’m going to a hospital, I’m not sure how many people will realize that that data is being digitized.”

Sectoral problems with implementation of user rights

Following up on Bhandari’s comments, Kulkarni noted that a grievance redressal mechanism requiring users to exhaust all forums before approaching the regulator has failed miserably, particularly in the financial sector. He explained why:

“…because you write a complaint to a financial service provider and you will not get a response, and you don’t know if that is the correct financial service provider, because there is a chain of financial service providers, including intermediaries in between, and that service provider will automatically direct a complaint to somebody else and will mark the complaint as resolved, and the next time you file a complaint, it will be marked as a frivolous complaint. So, that is the risk which we are dealing with, having seen how grievance interest operates in the real world in other sectors and now there is an obligation of not filing grievance complaints. That brings consumer interest down.”

Similarly, there are problems pertaining the right to nominate, which ultimately renders the right ineffective or works against consumer interests. “…there is a whole obligation of blaming nominees in other sectors, including the financial sector, and there are unclaimed deposits to the tune of one lakh crore in our banks, and one of the major reasons is that people have not nominated somebody and because of debt or incapability or moving on, there is no clarity on who are the legal heirs or nominees, and given that there is such huge distress in the financial sector, and there is quite a high recognition that this right of nomination in real money sense is not being enforced and implemented effectively. So, how do we think that this would be implemented in a digital protection, data protection scenario?” Kulkarni questioned.

Why is a Data Protection Board crucial for upholding user rights?

In context of uncertainties regarding protection of data collected in offline settings, an attendee raised a question regarding instances across the country where individuals have to provide facial scans or ID scans to enter certain complexes or offices. The attendee gave the example of the DLF Cyber City area in Gurgaon, where he was asked to scan his ID at the entry.

Bhandari replied, “The success of the law in some senses will depend on the everyday consumer taking up these issues because in some ways we all have the opportunity to shape the law, right? The next two, three years is when the jurisprudence of the Data Protection Board will be built. And that means, you file complaints, you file, like in your case, you go to them and you say, you’ve not provided me this information. So, here is my complaint to Cyber City and say, what is your data privacy policy? Where is it mentioned? Why is it not publicly available? Why can’t I see it? Why does everybody not know about it? When they respond, if you’re unsatisfied with that response, then we go to the board.”

“And that’s why the board is so important to me, the board is central to the success of the law. How easy it is to approach the board. Do you always need lawyers? Because at the end of the day, fortunately or unfortunately, you’ll see this in the consumer context as well. It was built with the idea that consumers can come on their own,” she added.

Highlighting examples from the media broadcasting space, Bhandari highlighted grievance redressal practices from other sectors. She stated that the News Broadcasters & Digital Association follows a code that allows users to approach the Board if they are unsatisfied with the response from the broadcaster. Here, there’s a specific timeline between the two-level mechanism. According to Bhandari, this has enabled speedy transfer of complaints to the Board, which may take time to resolve the case through subsequent hearings. She states that a similar mechanism has not proved to work well when it comes to the IT rules and complaints concerning the intermediaries.

Talking about the Data Protection Board, she observed, “If everybody is going to the board, does the board have the capacity to handle these kinds of complaints? Just in terms of the volume, right? How is it going to work? How is it going to work in terms of, is it going to be an office located in Delhi with branches and like physical branches in other parts? It’s digital by design, so does it mean that they’re encouraging only digital complaints? Because as we know, the number of people who are digitally literate is sort of very low. So, I think a lot will depend on also, how are we going to staff this board? How is it going to work? And so like, if it’s based in Delhi, our complaints in some rural sector, forget even rural, semi-urban, et cetera, in southern parts of India may have that distance. And that makes a difference because you don’t know a lawyer there, you don’t know how to approach them. So, that to me is also going to be an interesting practical implementation problem.”

