(Part 1 of 4)
The Personal Data Protection Bill was introduced in Parliament on 11th December 2019. On the advice of the government, a special 30-member Joint Parliamentary Committee (JPC) under Smt Meenakshi Lekhi was set up. The JPC has 20 members from the Lok Sabha (Lower House of the Parliament) and 10 members from the Rajya Sabha (Upper House of the Parliament). Since Smt Lekhi has joined the Council of Ministers, according to protocol she cannot remain a member of the JPC. Presently Sh P P Chaudhary is the chairperson of the JPC. The list of Members is appended below.
The JPC will be looking at all the sections and aspects of the PDPB-2019, but its primary focus is on the role and responsibility of government bodies, international transfer, the role of intermediaries and social media, and anonymised personal data. It is expected that the provisions related to the rights of the Data Principal may be changed dramatically. Therefore let us look at the rights of a natural person under the Personal Data Protection Bill 2019 and compare them with the similar rights under GDPR.
The law uses the words “Data Principal” for a natural person. The country’s law recognises two types of persons. The first is the natural person, meaning a human individual capable of assuming obligations and holding rights. The second is the “legal person,” meaning an entity endowed with juridical personality as decided upon by the courts. Thus Data Principals are those persons who are biologically human beings, irrespective of their caste, creed, religion, sex or nationality. Data Principal has the same meaning as Data Subject in GDPR.
The entity that has duties towards the Data Principals is called the Data Fiduciary in the PDPB-2019. It has a very similar meaning to Data Controller in the GDPR, apart from the nuances carried by the word Fiduciary. The Hon’ble Supreme Court of India in Bihar Public Service Commission v. Saiyed Hussain Abbas Rizwi [Bihar Public Service Commission v. Saiyed Hussain Abbas Rizwi, (2012) 13 SCC 1] held that a fiduciary is a person having a duty to act for the benefit of another, showing good faith and candour, where such other person reposes complete trust and special confidence in the person owing or discharging that duty; a fiduciary relationship is a situation or transaction where one person places complete confidence in another person in regard to his affairs, business or transactions. When a data principal shares his information with a data fiduciary, he places complete trust and confidence in the data fiduciary to act in good faith and in the interest of the data principal. Therefore, the relationship between a data fiduciary and a data principal is a fiduciary relationship.
There are four rights that are created under the proposed PDPB-2019. These are:
Right to confirmation and access.
Right to correction and erasure.
Right to data portability.
Right to be forgotten.
Right to confirmation and access
The right to confirmation and access is provided to the data principal under section 17 of PDPB-2019. (In GDPR it is covered under Article 15, Recitals 63 & 64.) The right provides that a data principal can obtain the following information from the data fiduciary:
Confirmation of whether the data fiduciary, its group companies, or any data processor on its behalf, is processing or has processed any personal data (including sensitive personal data) of the data principal.
A summary of the personal data being processed, or processed in the past, by the data fiduciary, directly or through its group companies or any processor.
A brief summary of the processing activities on the data principal’s personal data which are being undertaken or were undertaken in the past. As far as possible, all present processing activities should form part of the ‘Notice’. Data principals can additionally seek information about past processing, if any. The word “processing” includes obtaining; therefore, if personal data was not collected directly from the data principal, she can ask about the source of the personal data.
How does Data Principal exercise the right?
The Data Principal is required to ask for confirmation of and access to her own personal data in writing (writing includes seeking information through the electronic means mentioned in the contact information for the authorised person on the Data Fiduciary’s website). The query should be addressed to the Data Protection Officer, if one is appointed and mentioned on the website of the Data Fiduciary; otherwise it should be addressed to the Grievance Officer of the concerned organisation. In accordance with the orders of the Allahabad High Court and the regulations under the Information Technology Act, it is mandatory for all organisations to clearly mention their Grievance Officer’s contact details.
The request for information can also be made through a Consent Manager (a special software to manage consent), and in such cases it will be considered as if the request has been received in writing.
The Data Fiduciary is required to acknowledge within 48 hours that such a request has been received. The definition of “processing” is very wide; therefore a great deal of information can be asked for under that word. The Data Fiduciary is required to provide a reply within 30 days of receipt of the request, excluding the day on which the request is received.
The Data Fiduciary may use an appropriate approach, technology and/or process to authenticate the data principal or her representative prior to providing any information. However, the time taken for authentication may not be excluded from the period within which the data fiduciary is required to provide the response. The checks and balances for authenticating information seekers are the responsibility of the data fiduciary. The approach for such authentication should be mentioned in the notice, and normally it cannot be arbitrary.
The Data Principal can request the information either directly or through a representative, including an advocate or solicitor. Similarly, a child can be represented by her parents or guardians or any representative appointed by them.
Can a data principal be charged any fee to make an access request?
A data principal cannot be charged anything for confirmation and a summary of the personal data being processed. However, if significant effort is involved, or something is asked for which is not in the Notice, the Data Fiduciary may charge the Data Principal. The amount of such charges will be promulgated through regulations by the Personal Data Protection Authority of India.
How the Information is to be provided by the Data Fiduciary?
The Data Fiduciary is required to provide the information in writing, in a clear and concise form that is easily comprehensible to a reasonable person. The response to the data principal’s request should not be so legally complex that it becomes difficult to grasp without the help of a person from the legal fraternity.
What information can be denied?
The Data Fiduciary can deny information, or provide only part of it, on the following grounds:
Detailed information about any process.
Any information which may impact other data principal(s).
Any information which may compromise trade secrets.
What if Data Fiduciary does not respond or gives an unsatisfactory answer?
If the data fiduciary does not provide the reply within the stipulated time limits, the matter can be raised with the Data Protection Authority of India (DPAI). The DPAI has wide powers to call for information, conduct inquiries and issue directions. In case the Data Principal is not happy with the decision of the Data Protection Authority of India, an appeal can be made to the Appellate Tribunal, and in case the decision of the Appellate Tribunal is also not satisfactory, a further appeal can be raised in the Supreme Court of India.
In case the DPAI or the higher courts do not find a reasonable explanation for the failure to comply with the request made by the data principal, the data fiduciary can be penalised with a penalty of Rs 5,000 (about US $65) per day of the default. The limit of this penalty is up to rupees 10 lakh (about US $13,000) in case the defaulter is a significant data fiduciary, while for other data fiduciaries the maximum limit per instance is Rs 5,00,000 (about US $6500).
What compensation can the data principal claim?
Please note that the penalty will go to the Consolidated Fund of India; unlike GDPR, there is no provision to give the full or part of the penalty to the data principal. However, the Data Principal has a right to compensation, which arises automatically when such an order is passed. The data principal is required to make a complaint for compensation for the harm caused to her to the Adjudicating Officer. (Please note: the compensation cannot be sought from any other court, but only from the government-appointed Adjudicating Officer.) The format, manner of conduct and process for adjudicating compensation will be described through rules by the Central Government.
While adjudicating compensation, if there are many similar petitions from similarly placed data principals, the adjudicating officer can merge them together as a class of data principals. While deciding the quantum of compensation for an individual complaint or a class action complaint, the adjudicating officer is required to take the following factors into account:
(a) nature, duration and extent of the violation by the data fiduciary or data processor or both;
(b) nature and extent of harm suffered by the data principal;
(c) intentional or negligent character of the violation;
(d) transparency and accountability measures and code of practices issued by DPAI including cyber security measures;
(e) action taken to minimise and mitigate the damage suffered by the data principal;
(f) previous history of any, or such, violation;
(g) evaluation of the arrangements between the data fiduciary and data processor, including cyber security measures;
(h) any other aggravating or mitigating factor relevant to the circumstances.
The Personal Data Protection Bill 2019 defines what is lawful and what is not lawful for the data fiduciary. The damages for compensation are unliquidated (unlimited); therefore the law of torts comes into play. The Limitation Act, 1963 states that such compensation can be claimed within one year of the passing of orders on a penalty by the appropriate authority.
Is there any significant difference from GDPR?
The Indian PDPB-2019 has no provision for asking ‘why’ personal data is being processed; therefore, unlike GDPR, no information regarding how decisions are made, or the significance and consequences of the processing, can be asked for.
Under PDPB-2019 the information cannot be requested verbally, whereas under GDPR such information can be requested orally too.
GDPR provides that the full or part of the penalty can be given to the complainant; there is no such provision in the proposed Indian law. The Srikrishna Committee’s PDPB-2018 had such a provision, but it was removed from the version sent to Parliament in 2019.
The right of confirmation and access is the first ground for knowing whether, and what, personal data of a natural person (data principal) is being or was processed by any organisation (data fiduciary). It can be the basis for exercising further rights.
Declaration: Please note that this article is for awareness, and should not be considered as a piece of legal advice. Please approach your advocate/solicitor for the same.
Please feel free to ask for any clarification in the comments section or drop a message from within the website.
List of Members of Joint Parliamentary Committee on Personal Data Protection Bill
Responsible Officer: Shri B.N. Mohapatra, Joint Director, Tele- 01123035460, 01123035164 and 01123035022; email ID: jpc-datalaw@sansad.nic.in