A recent data leak from the Indian Council of Medical Research exposing the personal information of 815 million people has raised serious concerns regarding the privacy of citizens’ data. Such data leaks not only pose a serious threat to the right to privacy guaranteed by the Constitution but also the very security of the citizens that the government ought to protect.
Below we analyse how the newly enacted Digital Personal Data Protection Act (DPDPA) aims to safeguard the privacy and security of individuals and prevent a potential misuse or breach of data.
A few terms and definitions used throughout this article need to be understood first.
- Data Principal – “means the individual to whom the personal data relates and where such individual is—
  - child, includes the parents or lawful guardian of such a child.
  - a person with disability, includes her lawful guardian, acting on her behalf.”
- Data Processor – “means any person who processes personal data on behalf of a Data Fiduciary.”
- Personal Data – “means any data about an individual who is identifiable by or in relation to such data.”
- Data Fiduciary – “means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”
- Consent Manager – “means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”
What are the rights of data principals?
Individuals as data principals have the right to be informed about what personal data is being collected and the entities accessing it, and have the authority to take appropriate action in case of violation of their rights. This extends to:
- A right to access information
Data principals have the right to obtain an overview of how their personal data is being processed, and the identities of the data fiduciaries with whom this data is being shared.
- A right to correct and delete data
A data principal has the right to correct, update, complete and erase their data, and a data fiduciary is bound to act accordingly upon receipt of such a request.
- A right to grievance redressal
If a data fiduciary fails to abide by the obligations under the Act, the data principal will have the right to a grievance redressal, which is to be facilitated by the data fiduciary. A data principal can only approach the Board after exhausting this right to a grievance redressal.
- A right to nominate a representative
If a data principal is unable to exercise their rights, owing to their unsoundness of mind or infirmity of body, they can nominate another individual who can exercise the rights in place of the data principal.
What are the duties of data principals?
A data principal has the following duties under the Act:
- A data principal is under a duty to not impersonate other people.
- When furnishing data for proof of identity, address, or other documents, a data principal must not suppress any material information.
- A data principal must refrain from making a false or frivolous grievance with a data fiduciary or the Board.
- When making a request for the correction or deletion of data, a data principal must only provide authentic and verifiable information.
Consent – A necessary element of the Act
- The personal data shared by a data principal can only be processed and used for a lawful purpose, with their ‘consent’.
- The consent given by the data principal must be specific, free and informed. The use of the data provided must also be for a specific purpose.
- The request to obtain the consent from a data principal requires a Data Fiduciary to send a notice prior to or with the request for consent.
- The notice should mention the purpose of processing the personal data and outline the procedure to make a complaint to the Board.
- A data principal has the right to withdraw their consent anytime.
When is consent not necessary?
Consent is not necessary in exceptional cases, such as when data is utilized for ‘legitimate uses’, as outlined in Section 7 of the DPDPA. Such uses include:
- A purpose for which the data principal shared their data and has not explicitly revoked consent/not given consent.
- Where a person is required by law to share information with the government or its agencies, as specified by the existing laws.
- In order to follow a court decision or any judgment related to contractual or civil claims according to the laws in force in India.
- During a medical emergency or public health crisis, data can be used to respond and provide necessary medical help to a person whose life is in danger.
- To ensure the safety of citizens during disasters and/or the breakdown of public order.
- The State and its instrumentalities can provide benefits like subsidies to data principals if they have given consent for data processing or if the data is digitally available and maintained by the State, as notified by the central government; additionally, they can perform functions authorized by law or in the interests of sovereignty, integrity, or security of the state.
What are the obligations of data fiduciaries?
- Consent: Data fiduciaries need to obtain clear, specific, unambiguous, unconditional and informed consent from data principals before collecting or processing their personal data. When a data principal withdraws consent, the data fiduciary and its agents must stop processing the personal data of the data principal within a reasonable time, unless the processing without their consent is required under law.
- Notice: The consent request shall be accompanied by a notice specifying the purpose, duration, and manner of data processing, how a complaint can be made to the Data Protection Board by the data principal and the rights of the data principal to withdraw or modify their consent at any time. If consent has been obtained before the commencement of the DPDPA, a notice with the above-mentioned details should be served to the data principal as soon as reasonably practicable. The content of the notice should be made accessible to the data principal, either in the English language or in any other language in the 8th Schedule of the Indian Constitution.
- Ensure completeness, accuracy and consistency: If the personal data processed is likely to be used to make a decision which affects a data principal or may be disclosed to another data fiduciary, the data fiduciary must ensure its completeness, accuracy and consistency.
- Technical and organizational measures: A data fiduciary should implement appropriate technical and organizational measures to ensure observance of their duties under the Act.
- Reasonable safeguards: A data fiduciary must protect personal data and take reasonable security safeguards to prevent personal data breaches. In case of any data breach, the data fiduciary must inform the Data Protection Board and the data principal.
- Erasure of data: A data fiduciary must erase data and oblige its data processor to delete data following any withdrawal of consent by the data principal.
- Publishing information: The data fiduciary must publish the business contact information of a data protection officer or other person who should answer any questions raised by a data principal.
- Redressal Mechanism: The data fiduciary should set up an effective redressal mechanism to address any grievances of a data principal.
- Processing personal data of children: Data fiduciaries are required to secure verifiable consent from a guardian or parent of the child. The Act does not provide details on the definition or procedures for “verifiable consent,” leaving these aspects to be addressed in the rules. Data fiduciaries are prohibited from processing data that could harm the well-being of a child.
Who is a Significant Data Fiduciary?
A data fiduciary may be categorised as a significant data fiduciary and notified by the Central Government, based on the following parameters:
- (i) the volume and sensitivity of the data processed;
- (ii) the risk of harm to data principals;
- (iii) the impact on the sovereignty and integrity of India;
- (iv) the security of the state;
- (v) risk to electoral democracy; and
- (vi) public order.
Significant data fiduciaries are mandated to adhere to stricter compliance measures than other data fiduciaries. They are subject to additional obligations such as:
- Appointment of a data protection officer to represent the significant data fiduciary;
- Appointment of a data auditor to evaluate the compliance of the significant data fiduciary and to conduct a data audit;
- Conducting data protection impact assessments and periodic audits.
What are the anticipated challenges for data fiduciaries?
In the course of complying with the provisions of the DPDPA, data fiduciaries may have to restructure and revamp their methods of data collection and the procedures required in the case of a data breach. In addition, they will need to implement clear processes for the deletion and correction of data or to allow requests for access to data. Navigating the complexities of the new Act will require additional time, resources and guidance from the government, which is expected to be provided through forthcoming rules and notifications.
Specific questions to be addressed by the rules
The Act requires greater clarity on specific key definitions, such as:
- What constitutes “verifiable consent” that needs to be given by a parent or legal guardian?
- What is the “grievance redressal” system and how does it work?
Section 40 of the Act gives authority to the central government to establish rules to implement the Act. Further, in various instances the Act provides that further clarification or the procedures to be followed will be in accordance with the ‘rules’. Therefore, it is reasonable to anticipate that these terms will be clarified and enforced accordingly.
The principles elucidated by the Supreme Court have been incorporated in the Act, but only implementation will unveil the realities of many practical implications.