Personal Data Protection Bill: The Three Important Rights You Must Know

(This is the second part in the series of BloombergQuint’s coverage on Personal Data Protection Bill, 2019. The first part on obligations proposed for data fiduciaries can be found here and the third story on data localisation norms here.)

India may soon join the league of nations having a full-fledged data privacy law. The government has released a copy of the Personal Data Protection Bill, 2019, which aims to protect privacy and rights of an individual and regulate the processing and transfer of their personal data.

Personal data is defined in the bill as the data about or relating to a natural person who is directly or indirectly identifiable. It can relate to a person’s characteristic, attribute or any other feature of his identity. The bill confers three broad rights to individuals in relation to their personal data—the right to be forgotten, right to correction and erasure and right to access data.

The bill, which will be tabled in the ongoing session of Parliament, will become a law after receiving approval from both its houses and receiving Presidential assent.

Here are the details of the three rights conferred by the proposed bill:

Right To Be Forgotten

Indians will soon be able to remove their online presence from the internet. The bill allows people to approach an adjudicating officer to restrict or prevent continuing disclosure of their personal data by a data fiduciary. This is similar to the ‘Right to be forgotten’ under the European General Data Protection Regulations.

Disclosure of personal data can be prevented or restricted if:

• Persons have withdrawn the consent given to a data fiduciary for use of their personal data.
• Disclosure by the data fiduciary isn’t according to law or is no longer necessary.

People seeking to enforce their ‘right to be forgotten’ must approach an adjudicating officer, who can pass an order for enforcement of their rights. The officer, according to the bill, can pass an order only if they are able to demonstrate that their request is more important, overriding the freedom of speech and expression of other citizens.

Right to Correction and Erasure

At present, persons seeking to remove inaccurate or misleading personal data from the internet can face hurdles and a complex legal process. This may change with the introduction of the Data Privacy Bill, which confers a ‘right to correction and erasure’ on people sharing their personal data.

Such people can approach a data fiduciary and seek:

• Correction of inaccurate or misleading personal data.
• Completion or updating of incomplete or obsolete personal data.
• Erasure of personal data which is no longer necessary for the intended purpose for which it was processed.

A data fiduciary can accept or reject any such request. The bill, however, requires a data fiduciary to provide written justification for rejection, who must also take steps to notify connected parties about the correction or erasure of the personal data after implementing the received request.

Right To Data Portability

Data portability refers to the transfer of personal data from one data fiduciary to the other. The bill aims to ease portability of personal data if it’s processed through automated means. Persons sharing personal data will have the right to receive a copy of their personal data along with the data generated by the data fiduciary in the course of provision of services to them.

The bill aims to achieve data portability by mandating provision of personal data by a data fiduciary in a structured and machine-readable format.