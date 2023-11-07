Wide-ranging exemptions to State agencies from various provisions for individual rights in the Digital Personal Data Protection (DPDP) Act, adequacy of information provided to users regarding data collection, and awareness about digital rights, were some of the key topics of discussion at the ‘User Rights and Principles for the Rules’ session of MediaNama’s annual conference PrivacyNama 2023.

Addressing questions concerning the application of individual rights in different situations, moderator Gangesh Varma (Principal Associate, Saraf and Partners) and panelists Vrinda Bhandari (lawyer), Swati Punia (formerly Centre for Communication Governance), and Amol Kulkarni (CUTS) delved into the implementation of various provisions of the law, including the right to access information on personal data processed by different entities, the right to erasure, and the right to nominate, among others. This article focuses on observations surrounding the implementation of exemptions for specific State agencies, the granularity of information provided to a user, and the ways in which the government can build awareness around privacy rights.

Who decides if an entity is a ‘state instrumentality’?

Section 12 (3) of the Act gives individuals the right to request that a data-collecting entity, called a data fiduciary under the Act, erase their personal data. The data fiduciary has to comply with the request unless the data must be retained to fulfil the purpose for which it was collected or to comply with an existing law. According to Section 17 (4) of the DPDP Act, however, individuals cannot exercise their right to erasure when the personal data is being processed by the State or by “any instrumentality of the State”.

But which entities would qualify as a State instrumentality? An attendee at the session raised the question: “Who are state instrumentalities and where will it be? If I am going against somebody saying that my right of erasure is not being fulfilled by that entity, that entity, suppose if it has some control of government, they’ll take this defense [that] ‘I am a state instrumentality’. But who will answer this, whether or not they are? Will it be answered by the Data Protection Board, or will it be answered by the high courts or Supreme Court?”

According to Bhandari, a State instrumentality is distinct from a government department and is likely to be understood as a broad category. She explained, “…in law, you see state agencies, which would be your CBI, ED, [and] state departments, which would be like government departments, ministry departments [etc.]. My sense is instrumentality is going to be defined in the broadest manner, which would be like your Article 12 definition of State.”

As per Article 12 of the Indian Constitution, the State includes “the Government and Parliament of India and the Government and the Legislature of each of the States and all local or other authorities within the territory of India or under the control of the Government of India”.

“If it’s a sort of any part that has things to do with the state, is how the government would likely want to define that. And I think if you want to challenge it, you try basically everywhere. You’d probably first file a challenge with the Board saying this exemption is being wrongfully or illegally invoked. So, that’s the way you would frame the challenge. Then you’d have to go up and appeal, and then you’d have to, or you could, try a writ move. I mean, that would be a litigation strategy issue,” she added.

Section 17 (2) of the DPDP Act exempts State instrumentalities notified by the Central government from the provisions of the Act where personal data is processed in the interests of objectives such as the sovereignty and security of the State and the maintenance of public order. Section 17 (2) further exempts processing that is necessary for research, archiving, or statistical purposes, provided the personal data is not used to take any decision specific to the data principal (the individual to whom the data relates).

Kulkarni pointed out that there is a fine line between an exemption from the consent provisions of the DPDP Act and an exemption from the Act itself. He explained, “I think from consent, the scope is broader and any and every state instrumentality has that right to use the data which is collected for providing any other service within the database, which is notified or which is used. But I think from exemption of Act, the Act says that state instrumentalities as may be notified. So, I think those instrumentalities which are exempted from obligations would be notified, and then those will be exempted from obligations which are provided for data fiduciary.”

What must a summary of information entail?

The DPDP Act gives individuals basic rights to stay informed about how, where, and why their personal data is being shared and processed by data fiduciaries. Data principals have the right to obtain from a data fiduciary that collects and processes their personal data a summary of the personal data being processed and of the processing activities undertaken with respect to it. However, the Act does not specify what details the summary must include.

“How meaningful is the right to information right now? Because they only require to give you a summary of the data. So, if I ask Facebook, they might say we have your contact details, your preference of apps that you use and websites. But I want something more granular. What contact details do they have? What are the preferences they have? So how does the GDPR [General Data Protection Regulation] deal with this? And is there scope in delegated legislation for prescribing more granularity?” asked an attendee.

Punia responded that there is scope for requiring more details, for example on third-party sharing, in the delegated rules and codes of practice. She cited the notice format under the European Union’s GDPR, where consent has to be obtained in a granular and unambiguous manner, and noted that this level of granularity can itself lead to “consent fatigue”.

“And it’s also problematic because if you’re getting so many of these kinds of notice-consent formats where things are granular, are you that conscious and aware about knowing exactly what leads to what? So, I think every time you get a choice, it’s also a burden in that sense. And hence, we all know about the consent fatigue, and that power asymmetry in terms of what you understand and what it actually translates into. But I think there’s a lot of work also done around nutrition labels in different kinds of formats for notice and consent for people who have different accessibility needs. So, the word accessible, I think, needs to be understood in a broader sense and not just access to infrastructure and connectivity, [but to understand] what different kinds of people understand content in, because not everybody has the same context and background. I think that kind of a market is going to develop if you have these kinds of requirements coming in,” Punia explained.

In the context of how user rights are specified in the notice, an attendee at the ‘Notice, Consent, and Grounds for Processing’ session asked, “While we understand that apart from the huge host of information obligations that are there in the GDPR, we have in ours the notice provision, which basically talks about the providing of two rights, and that is of grievance redressal and the right to withdraw consent. Do you think there’s any rationale behind not including the other two rights that we have, that is to nominate and access, more importantly? Because as a user, I will be more interested, or as interested, about the information or the data that an organization has, even if it is a summary of it that I can access. But if I’m not told about it in the notice itself, do you think that has a bearing on transparency?”

Panelist Abha Tiwari (Renault), from the same session, responded that the notice must contain a set of elements: the personal data being collected, the purpose of the collection or processing, the manner in which the data principal may exercise their rights under Section 6 (4) (withdrawal of consent) and Section 13 (grievance redressal) of the DPDP Act, and the manner in which individuals can make a complaint to the Data Protection Board.

Tiwari observed, “One, the purpose is provided to the data subject. Two, the list of rights that the data subject has. This list also includes that the data subject has a right to withdraw consent, has a right to nominate, has a right to access the information that is processed by the organization about the data subject. Let’s also look at another interesting scenario. It may happen that the data of the data subject could be collected over a period of time. So, when the first notice is given, or the notice could be required to be given at different stages because different kinds of data could be collected by the data subject, right? So it is, I think, by this provision of right to access being there at all times, right to withdraw the consent being there at all times, and right to nominate at any stage of the data lifecycle management, makes it more comprehensive and makes it more holistic.”

Rethinking access to digital rights

As the speakers pointed out the uncertainties surrounding privacy rights in an offline setting, Varma raised an important question concerning adequate access to education on privacy and the role of the government in improving awareness, especially given that, in his words, the Data Protection Board has been significantly disempowered compared with earlier versions of the bill.

“Some of the panelists also spoke to elements in the ecosystem that play to build this role and building a culture of privacy. That’s not just about complying with this law or adhering to the legal aspects of this law, but also building a culture of privacy. So, are there any suggestions that you can bring on board to see how data fiduciaries or principals, or even the government, can improve in terms of awareness or passing guidelines? And the second aspect is, you talked about how important the Data Protection Board is, but the fact that it’s been drastically disempowered from the previous versions of it. And by disempowered, I don’t mean just holding data fiduciaries accountable or suo motu powers, but also simply in terms of building awareness and engaging with the community on understanding and providing privacy education.”

Punia was of the view that while conversations in the GDPR context have moved from digital skills towards a digital culture, in India the discussion is still about infrastructure and services, and has yet to reach the point of digital skills. She observed that there is still no clarity on what defines digital literacy, given that there are people who are on the digital medium but are not literate.

“What other than this, that you have something unique, is the linguistic choice which is unique to India. But I think that could turn out very problematic because it’s not easy to translate language, and who’s going to be responsible for going wrong in that sense? So, when you translate something from English to Hindi, to French, to some other regional language, the emotion is usually not the same. Who’s going to be responsible for that, and how are you going to ensure that the other person is able to understand the same thing in the same way? That’s, I think, going to be extremely tricky,” she added.

In the context of accessibility of information, Punia also pointed out that the right to nominate is available in cases of death or incapacity of mind or body, but it does not account for a lack of the skills, knowledge and understanding needed to navigate the digital space, which describes a large section of the country’s population.

She further noted, “And another point for the right to nominate is that in one sense, we are acknowledging that you need consent managers and that whole ecosystem to practice your digital consent management and all of that, but then you are assuming that people would know how to exercise their rights. So, I think that linkage needs to come across through codes, and I think the most important thing is the codes of practice or the general technical codes, how we push the companies to build into building a responsible technology and the kind of ethical system we build through these codes of practice. I think that’s the most important part.”
