THE LAWWAY WITH LAWYERS JOURNAL
VOLUME:-15 ISSUE NO:- 15 , SEPTEMBER 25 , 2024
ISSN (ONLINE):- 2584-1106
Website: www.the lawway with lawyers.com
Email: thelawwaywithelawyers@gmail.com
Authored By :- Izal Eldita Lobo
INTERSECTION OF PRIVACY AND RESPONSIBILITY : A STUDY OF DATA PROTECTION DUTIES AND RIGHTS.
ABSTRACT
The Digital Personal Data Protection Act (DPDPA) 2023 marks India’s first comprehensive data protection legislation, aiming to provide data principals with control over personal data and impose stringent obligations on data fiduciaries. The Act addresses emerging challenges in data privacy and protection in the context of increasing digitization. Data protection is a significant area of law in a country like India, which is digitalising at a fast rate. The right to privacy is an essential human entitlement that involves an individual’s independence and authority over their personal data. In this era, the right to privacy has become increasingly pertinent. The concept of data privacy encompasses the protection of personal information from unauthorized access, use, and disclosure. In this fast-paced digital landscape, the Digital Personal Data Protection Act, 2023, is a momentous stride in safeguarding individual privacy rights and promoting responsible data management practices. The primary purpose of the Act is to regulate the processing of digital personal data and respect individuals’ right to protect their data while recognising the necessity of processing and using such data for lawful purposes. The law is intended to protect personal information for citizens in the world’s most populous country, and increase accountability for organizations that handle a lot of such data, including those with online operations and that run mobile apps. Like many data privacy laws around the world, the DPDP Act is extraterritorial, and so applies to organizations operating both inside and outside of India, if they are offering goods or services to Indian citizens, and in doing so processing personal data. The DPDP Act defines data, personal data and digital personal data. “Personal data” is defined broadly to mean any data about an individual who is identifiable by or in relation to such data, and “digital personal data” means personal data in digital form.
Key words – Digital Personal Data Protection Act, Rights. Duties, Data Principal, Data fiduciary
-
INTRODUCTION
Privacy in today’s time is considered to be a person’s Fundamental right. The scope of Art 21 of the Indian Constitution has been made so wide that it embraces even The Right to Privacy of a human being. Around the world, privacy has come to be seen as a fundamental human right; in India, it is officially recognised as such under Article 21 of the Indian Constitution. The right to privacy is intimately linked to data protection, which is more challenging to accomplish in today’s technologically advanced and international society. In many jurisdictions, privacy of an individual is of utmost importance and has data protection laws brought into existence to protect the same. The concept of privacy is multi-dimensional and has been defined differently by different scholars and jurists.
Westin defined privacy as:
“…claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.”
A person’s right to privacy entails that a person should have control over his or her personal information and should be able to conduct his or her personal affairs relatively free from unwanted intrusions.
The concept of data protection deals with 2 aspects namely data protection and data privacy. Data protection is the practice of safeguarding or protecting the information of the individuals whereas Data privacy is the process of ensuring when, how and on what basis the data of a person will be shared.
In 2017, the celebrated case of K.S. Puttaswamy v. Union of India (2018) pronounced the right to privacy a fundamental right safeguarded under Article 21. This is a time where our personal data and information is being collected and processed day in and out and it is essential for us to know our rights when it comes to data protection and privacy. Part 3 of the the Digital Personal Data Protection Act, 2023 provides light on the rights and duties of the data principal. Data principals are the individuals to whom the data relates to.
-
RIGHTS OF DATA PRINCIPAL
-
THE RIGHT TO INFORMATION
The Data Principals have the complete right to know the information of theirs which is being collected and is being processed by the Data Fiduciaries. Data Fiduciaries are defined as those individuals or in co-existence with others who access the information others. Section 11of the DPDP Act, 2023 mentions that the individuals shall have the right to obtain information which the Data fiduciary is accessing to whom they have previously given consent to.
The data principal has a right to know about his personal data which is in possession with a data fiduciary, hence Under the Right to Information Act, 2005 the individuals can go about to access the information with the Public authorities. The special data protection laws and the right to information laws protects the individual’s right to know the nature of information which is being stored about him in organisations. Data Fiduciaries must provide clear and concise information about the collection, usage and storage of the Data Principal’s personal data.
Individuals can also access information which is a matter of public concern and the concerned officer must provide the information to them within a prescribed time while at the same time the officer has a right to deny providing the information with a reasonable justification. They are entitled to know the identity and contact details of the Data Fiduciary which is responsible for handling their data.
In Manohar Singh v. National Thermal Power Corporation Ltd. the central information commission had decided that when a citizen seeks information about himself and as long as the information sought is not exempt in terms of other provisions of section 8 of the Right to Information Act, section 8(1)(j) of the Act cannot be applied to deny information. This right ensures transparency and control which the individuals can exercise over their personal data, allowing them to make informed decisions about their privacy and data usage.
-
RIGHT TO CORRECTION AND ERASURE OF PERSONAL DATA
Section 12 of the DPDP Act states that the Data Principal has the right to correcting the data, updating or even the erasure of the personal data for which they have given previously given consent to. The organisation when they receive any request for correction or completion of the incomplete data along with updating the personal data must be done and upon receiving any request on erasure of the data by the data principal the same must be made unless the retention of the same is required for some specific purpose.
The right to be forgotten has been recognized by the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018. The GDPR provides individuals with the right to request the erasure of their personal information from any platforms or search engines. It is based on the idea that individuals should have control over their personal data and the right to have their personal information deleted or removed from online platforms or search engines if it is no longer relevant or necessary. Subsequently, In V. v. High Court of Karnataka, the Karnataka High Court recognised right to be forgotten. The purpose of this case was to remove the name of the petitioner’s daughter from the cause title since it was easily accessible and defame her reputation, the court held in favour of the petitioner and ordered that the name of the petitioner’s daughter to be removed from the cause title and the orders. The court held that “this would be consistent with the trend in western countries, where the ‘right to be forgotten’ is applied as a rule in sensitive cases concerning women in general, as well as particularly sensitive cases involving rape or harming the modesty and reputation of the individual concerned”. Noticeably, the right to be forgotten has now been perceived as a basic face of the right to privacy. Furthermore, in the landmark case of K.S. Puttaswamy v. Union of India, the Supreme Court recognised the right to be forgotten as part of the right to life under Article 21.
-
RIGHT TO RECEIVE GRIEVANCE REDRESSAL
Under section 13 of the DPDP Act, an individual has the right to receive means of grievance redressal which should be provided by the organisation if there is any commission or omission of the Data Fiduciary when it comes to its duties and obligations with respect to the personal data of the data principal. At the same time the data principal shall approach the Data Protection Board only if he has exhausted the opportunity of redressing their grievance. If an individual is aggrieved by the data fiduciary they can appeal to the Telecom Disputes Settlement and Appellate Tribunal. The same must be made within 6 months and can further be appealed before the Supreme Court of India. The appeals once made to the tribunal must be addressed within 60 days. Any delay due to any unavoidable circumstance must be explained by the Appellate Tribunal in writing. Any order given by the Tribunal will be treated as an official order with a force of law. These orders can further be appealed to the Supreme Court of India. The Data Protection Board has the powers to handle grievances, investigate breaches, impose penalties and to also ensure compliance with the Act, this too is asked to be responded by the Data Fiduciaries within a reasonable time. The same Board also has the right to impose fines on entities that do not comply with the redressal requirements or violate any data protection provisions.
-
RIGHT TO NOMINATE
Section 14 of The Digital Personal Data Protection Act, 2023 states that an individual has a right to nominate another who will take over in the event of death or ‘incapacity’ of the Data Principal. There are various times in life when due to certain unavoidable circumstances the data principal may not be able to exercise his rights as he should be doing and by that the DPDP has used the term ‘incapacity’ which means the inability of the exercising of his rights due to unsoundness of mind or the infirmity of the body.
A Data Principal has the right to nominate a person who can exercise their rights on his behalf and the nominated person may on behalf of the former exercise rights such as accessing, correcting or erasing personal data and filing complaints for redressal. He at the same time must also comply with the requests or directions from the nominated persons regarding the Data Principal’s data, ensuring that the data of the data principal is protected irrespective of any challenging circumstances. This not only ensures that the data principal has a voice even beyond their lifetime but also looks out that at the fact that the data principal is able to nominate someone trustworthy who can control and is responsible for his data in the future. The nomination can be done for the same by the individual through a legal process in the form of writing or through an online platform. Furthermore, the Nominee has the rights which a data principal has while regulating the data, where he has a right to access the data, even rectify it when needed and also has a right to erase the data. This provision ensures that the personal data continues to be protected and managed in line with the rights of the Data Principal. The right to Nominate under the DPDP Act ensures that the data is in safe hands even after the data principal is not present to be able to control his data himself. It also shapes the destiny of the personal data of the individuals.
-
DUTIES OF A DATA PRINCIPAL
While the data principal is being given various rights under the act, there are certain duties which are expected to be performed by them. Section 15 states the various duties which the data principal is supposed to perform,
-
When a data principal is exercising his rights under the provisions of the Digital Personal Data Protection Act, he is supposed to ensure that he is complying with all, especially in situations where additional information is needed for processing or verifying the individual’s identity and also must abide with the provisions of the laws which is in force at that time and not violating any other rights or breaking any other laws,
-
Whenever the data is being expected to be provided by a data principal he must ensure that he does not impersonate another person in any situation or for any purpose and must ensure that the personal data which they provide to the fiduciaries is accurate and up to date which helps in avoiding any errors in managing the data,
-
He is supposed to ensure that he does not supress any information while he is providing his personal data for any document, for identification purpose or for the proof of address which is issued by the State or any of its instrumentalities,
-
His duty also comprises of him not registering any false or frivolous information or even complaint with the Data Protection Board or the Data Fiduciary. When one files complaints in bad faith or without any basis they attract penalties under the Act,
-
He is expected to furnish only such information which is reliable and authentic.
-
CONCLUSION
India is a country where there are transactions be it cross border or within the territorial boundary transactions taking place every minute. The data of individuals is used by data fiduciaries and at times there can be misuse of the same which can take place. The Digital Personal Data Protection Act, 2023 empowers individuals with all the essential rights and even duties to abide by. While ensuring the data accuracy, complying with any lawful requests, avoiding any complaints and even using services responsibly, individuals contribute to a balanced and effective data protection framework. This balance of rights and duties fosters mutual accountability between Data Principals and Data Fiduciaries, promoting a secure and transparent data environment. While Europe has the General Data Protection Regulations which came into effect in 2018, China has China’s Personal Information Protection Law which will took effect in 2021, the United States has The California Privacy Rights Act, which will take effect in 2023. India passed its Digital personal Data Protection Act in 2023 to protect those individuals who’s data is being processed by the data fiduciaries. The rights of the people in the country not only provides them with any grievance for the violation of the same but also decides the fate of the data which is out there. The primary purpose of the Act is to regulate the processing of personal data and respect individuals’ right to protect their data while recognising the necessity of processing and using the same for various purposes.