Indian PDPB 2019: Applicability and data principal

Taking forward our Series on the Indian PDPB 2019, in this (Seventh Series) of articles, we look at the applicability of this Bill and define some key stakeholders.

Applicability

While looking at the applicability of the Indian PDPB 2019, we will consider,

• who all, whether individuals and companies, will fall under the provisions of this Bill,
• who will store, process, manage the data,
• what happens to my data later,
• what about the security of the data,
• will companies outside India, also come under its provisions, and
• whether there are some exemptions, where these provisions can be bypassed and by whom.

Key Definitions

In this Series VII and next series VIII, we look at some of the key stakeholders, as defined in the Indian PDPB 2019.

1. Data Principal,
2. Data Fiduciary,
3. Data Processor,
4. Social Media Intermediary
5. Consent Manager

The Indian PDPB 2019 defines a “Data Principal” as the natural person to whom the personal data relates. Please note that this uses the term relates and not belongs. Since the Indian PDPB 2019 does not clearly state the ownership of data, the question of whether personal data is the property of the data principal will be open for differing interpretations.

It must be kept in mind that the idea behind this Bill is to ensure autonomy and complete control over the processing cycle of data, and, as a result enable transparency and accountability. This, is the fundamental element, for the creation of a secure and robust Data Protection Framework. Exercise of data principal rights is aimed at strengthening an individual’s informational privacy.

This definition is similar to the definition of a “Data Subject” used in GDPR which calls the Data Principal as the “Data Subject”.

In this series (VII) we will look into the rights of Data Principal and mechanism for exercising them.

Rights of the Data Principal

Right to Confirmation and Access - means a principal has a right to obtain confirmation from the fiduciary (see Series VII) that her personal data is being processed or has been processed, includes a summary of all actions performed

-identities of all data fiduciaries with whom personal data has been shared along with the categories of personal data provided.

Right to Correction and Erasure

-meaning right to modify any/or part of data

-seek correction of inaccurate, incomplete, or out-of-date personal data

-restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn

-The Data Fiduciary (see Series VIII) can reject the principal’s request by providing adequate justification in writing

The inclusion of erasure right under Indian PDPB 2019 is in line with evolving global jurisprudence that views an individual’s right to demand the deletion of data as crucial to the concept of informational privacy and to the control over personal data.

Right to Data Portability

-receive the personal data in a structured, commonly used and machine-readable format

-have personal data transferred to any other data fiduciary in certain circumstances

-Right to Be Forgotten, wherever processing has taken place through automated means

-it is the Data Principal’s right to restrict or prevent continual disclosure of personal data by a fiduciary

-when consent has been withdrawn by the Data Principal

-not applicable in case of manual processing

It is still debatable as to why a principal would exercise right to be forgotten when it can opt for a right of erasure where the processing purposes have been achieved or where consent has already been withdrawn.

General conditions for the exercise of rights in this Chapter

While India already has an IT Act that provides an individual with some minimum rights, but owing to the lack of awareness and compliance issues, the provisions are hardly ever used. The Indian PPDB 2019 aims at expanding the scope of data principal’s rights and consequently, ensure principal’s control and autonomy on how personal data is processed This will ensure organizations dealing with personal information to maintain secure and robust processes around retention, storage, process, retrieval, and access to all information. It is widely believed that the Right to Erasure and the Right to be Forgotten in this Bill would strengthen individual rights manifold.

The Bill governs the processing of personal data by:

• government
• companies incorporated in India, and
• foreign companies dealing with personal data of individuals in India

In the upcoming series VIII, we will look into Data Fiduciary and other issues of applicability of this Bill.

By Sameer Mathur, Founder & CEO, SM Consulting

President, Delhi-NCR Chapter of the Foundation of Data Protection Professionals in India

With inputs from Mr Vijayashankar Nagaraj Rao