(Part 2 of 4)
Please read part 1 HERE (Rights to Confirmation and Access)
Right to correction and erasure
The right to correction and erasure is provided to the data principal under section 18 of PDPB-2019. (In GDPR, the right to correction is covered under Article 16, Recitals 65. The right to erasure in GDPR has an entirely different connotation.) The right provides that a data principal can request the data fiduciary to undertake:
the correction of inaccurate or misleading personal data;
the completion of incomplete personal data;
the updating of personal data that is out-of-date; and
the erasure of personal data which is no longer necessary for the purpose for which it was processed. It is unlike GDPR where the right of erasure is the same as the right of being forgotten.
How does a Data Principal exercise the right?
The Data Principal is required to inform the Data Protection Officer or the Grievance Officer in writing in respect of her own personal data (writing includes seeking information through electronic means as may be mentioned in the contact information of the website of the Data Fiduciary authorised person).
The request for correction or erasure can also be made through a Consent Manager (a special software to manage consent), and in such cases it will be considered as if the request has been received in writing.
The Data Fiduciary is required to acknowledge within 48 hours that such a request has been received. The Data Fiduciary is required to undertake action within 30 days of receipt of the request, excluding the day of receiving the request.
A Data Fiduciary may use an appropriate approach, technology and/or process to authenticate the data principal or her representative prior to undertaking any correction or erasure. However, the period of authentication may not be excluded from the period within which the data fiduciary is required to provide the response. The checks and balances for authenticating the data principal will be those of the data fiduciary. The approach for such authentication should be mentioned in the notice, and normally it should not be arbitrary.
The Data Principal can make the request either directly or through a representative, including an advocate or solicitor. Similarly, a child can be represented by her parents or guardians or any representative appointed by them.
The request for information can also be made through a Consent Manager (a special software to manage consent), and in such cases it will be considered as if the request has been received in writing.
Can a data principal be charged any fee to make an access request?
A data principal cannot be charged anything for the following activities:
the correction of inaccurate or misleading personal data;
the completion of incomplete personal data;
For updating or erasure of data, Data Fiduciary may charge such amount as appropriate and as guided by the regulations promulgated by Data Protection Authority of India, from time to time.
How can the data principal be informed by the Data Fiduciary about action completed?
A Data Fiduciary that is required to undertake correction or erasure must, after completing the activity, inform the data principal in writing within 30 days of receipt of the request. It is important to note that the Data Fiduciary should also get these corrections and erasures made by whomever the data was shared with, including data processors, group companies or any collaborative or third party.
Another important point to note in the Indian context is that a request for data erasure does not mean simply deleting the requested personal data, but removing it from public view and from further processing and distribution. However, Data Fiduciaries should keep a forensically safe copy of it for a reasonable period of time. If we take the Limitation Act as the guideline, then such forensically secured data should be preserved for 3 years.
Can a Data Fiduciary refuse to make corrections or erasure?
A Data Fiduciary can refuse to make changes for the following reasons:
If any change can harm any other data principal.
If the information is for public good about public personalities and truthful. (For example, erasure requests about the criminal past of a political leader may be refused in larger public interest.)
Any information which may compromise trade secrets.
If any change impacts the business model or business objective.
If any change alters the time context. (For example, consider a write-up that relates to a past time. Suppose the person had not graduated at the time of the incident and later obtains a graduation degree. Correcting the educational qualification may affect the narration of the incident.)
What if the Data Fiduciary does not respond or gives an unsatisfactory answer?
In case the Data Fiduciary refuses to make a correction or erasure, the Data Principal can ask the Data Fiduciary to make a notation next to the concerned personal data that this data is disputed. This is a mandatory provision until the final decision is given by the DPAI, if either the Data Principal or the Data Fiduciary approaches the DPAI for resolution. Otherwise the statement of dispute will always be mentioned.
If a data fiduciary does not provide the reply within the stipulated time limits, the matter can be raised with the Data Protection Authority of India (DPAI). DPAI has wide powers to call for information, conduct inquiry and issue directions. In case the Data Principal is not happy with the decision of the Data Protection Authority of India, an appeal can be made to the Appellate Tribunal and in case the decision of the Appellate Tribunal is also not satisfactory then a further appeal can be raised in the Supreme Court of India.
In case the DPAI or higher courts do not find a reasonable explanation for complying with the request made by the data principal, then the data fiduciary can be penalized with a penalty of Rs 5,000 (about US $ 65) per day of the default. The limit of this penalty is up to rupees 10 lakh (about US $ 13,000) in case the defaulter is a significant data fiduciary, while for other data fiduciaries the maximum limit per instance is Rs 5,00,000 (about US $ 6500).
What compensation can the data principal claim?
Please note that the penalty will go to the Consolidated Fund of India; unlike GDPR, there is no provision to give the full or part of the penalty to the data principal. However, the Data Principal has the right to get compensation, which gets created automatically when such an order is passed. The data principal is required to make a complaint about compensation for the harm caused to her to the Adjudicating Officer. (Please note: the compensation cannot be sought from any other court, but only from the government-appointed Adjudicating Officer.) The format and manner of conduct and process for adjudicating for compensation will be described through rules by the Central Government.
While adjudicating for compensation, if there are many similar petitions from similar data principals, then the adjudicating officer can merge them together as a class of data principals. While deciding the quantum of compensation for an individual complaint or class action complaint, the adjudicating officer is required to take the following factors into account:
(a) nature, duration and extent of the violation by the data fiduciary or data processor or both;
(b) nature and extent of harm suffered by the data principal;
(c) intentional or negligent character of the violation;
(d) transparency and accountability measures and code of practices issued by DPAI including cyber security measures;
(e) action taken for minimisation and mitigation of the damage suffered by the data principal;
(f) previous history of any, or such, violation;
(g) evaluation of the arrangements between the data fiduciary and data processor, including cyber security measures;
(h) any other aggravating or mitigating factor relevant to the circumstances.
The Personal Data Protection Bill 2019 defines what is lawful and what is not lawful for the data fiduciary. There are unliquidated (unlimited) damages for compensation. Therefore Laws of Tort come into play. The Limitation Act, 1963 states that such compensation can be claimed within one year of the passing of orders on a penalty by the appropriate authority.
Is there any significant difference from GDPR?
The Indian PDPB-2019 is dramatically different from GDPR insofar as the Data Erasure request is concerned. Data Erasure in GDPR is the Right to be Forgotten, whereas in PDPB-2019 the Right to be Forgotten has a different meaning. There are no requirements under GDPR to preserve a forensically secure copy of the erased data.
Under PDPB-2019 the information cannot be asked verbally, whereas under GDPR such information can be asked orally too.
The GDPR provides that the full or part of the penalties can be given to the complainant; there is no such provision in the proposed Indian law. The Srikrishna Committee PDPB-2018 had such a provision, but it was removed in the version sent to the Parliament in 2019. Now penalty money goes to the Central Consolidated Fund of India, and the Data Principal needs to make a complaint for compensation separately.
The rights of Correction and Erasure are important rights that let Data Principals keep their personal data updated and corrected, and remove any data which is inaccurate, is no longer relevant to the requirements of the Data Fiduciary, or for which the consent is withdrawn.
Declaration: Please note that this article is for awareness, and should not be considered as a piece of legal advice. Please approach your advocate/solicitor for the same.
Please feel free to ask for any clarification in the comments section or drop the message from within the website.
List of Members of Joint Parliamentary Committee on Personal Data Protection Bill
Responsible Officer: Shri B.N. Mohapatra, Joint Director, Tele- 01123035460, 01123035164 and 01123035022; email ID: jpc-datalaw@sansad.nic.in