Applicability & Data Principal
Taking forward our Series on the Indian PDPB2019, in this series of articles, we look at the applicability of this Bill and define some key stakeholders.
Applicability
While looking at the applicability of the Indian PDPB2019, we will consider,
-who all, whether individuals and companies, will fall under the provisions of this Bill,
-who will store, process, manage the data,
-what happens to my data later,
-what about the security of the data,
-will companies outside India, also come under its provisions, and
-whether there are some exemptions, where these provisions can be bypassed and by whom.
Key Definitions
In this Series VII and next series VIII, we look at some of the key stakeholders, as defined in the Indian PDPB2019.
The Indian PDPB 2019 defines a “Data Principal” as the natural person to whom the personal data relates. Please note that this uses the term relates and not belongs. Since the Indian PDPB2019 does not clearly state the ownership of data, the question whether personal data is the property of the data principal will be open for differing interpretation.
It must be kept in mind that the idea behind this Bill is to ensure autonomy and complete control over the processing cycle of data, and, as a result enable transparency and accountability. This, is the fundamental element, for creation of a secure and robust Data Protection Framework. Exercise of data principal rights is aimed at strengthening an individual’s informational privacy.
This definition is similar to the definition of a “Data Subject” used in GDPR which calls the Data Principal as the “Data Subject”.
In this series we will look into rights of Data Principal and mechanism for exercising them.
Rights of the Data Principal
-Right to Confirmation and Access
-means a principal has a right to obtain confirmation from the fiduciary that her personal data is being processed or has been processed, includes a summary of all actions performed
– identities of all data fiduciaries with whom personal data has been shared along with the categories of personal data provided.
-Right to Correction & Erasure
-meaning right to modify any/or part of data
-seek correction of inaccurate, incomplete, or out-of-date personal data
– restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn
-The Data Fiduciary (see Series VIII) can reject principal’s request by providing adequate justification in writing
The inclusion of erasure right under Indian PDPB 2019 is in line with evolving global jurisprudence that views an individual’s right to demand deletion of data as crucial to concept of informational privacy and to the control over personal data.
-Right to Data Portability
-receive the personal data in a structured, commonly used and machine-readable format
– have personal data transferred to any other data fiduciary in certain circumstances
-Right to Be Forgotten, wherever processing has taken place through automated means
-it is the Data Principal’s right to restrict or prevent continual disclosure of personal data by a fiduciary
-when consent has been withdrawn by the Data Principal
-not applicable in case of manual processing
It is still debatable as to why a principal would exercise right to be forgotten when it can opt for a right of erasure where the processing purposes have been achieved or where consent has already been withdrawn.
-General conditions for the exercise of rights in this Chapter
While India already has an IT Act that provides an individual with some minimum rights, but owing to the lack of awareness and compliance issues, the provisions are hardly ever used. The Indian PPDB 2019 aims at expanding the scope of data principal’s rights and consequently, ensure principal’s control and autonomy on how personal data is processed This will ensure organizations dealing with personal information to maintain secure and robust processes around retention, storage, process, retrieval, and access to all information. It is widely believed that the Right to Erasure and the Right to be Forgotten in this Bill would strengthen individual rights manifold.
The Bill governs the processing of personal data by:
In the upcoming series, we will look into Data Fiduciary and other issues of applicability of this Bill.
You can also read about the Anonymisation & Pseudonymisation of Data which we have discussed in detail in our previous blog.