Skip to content

Tech Law Forum @ NALSAR

A student-run group at NALSAR University of Law

Menu
  • Home
  • Newsletter Archives
  • Blog Series
  • Editors’ Picks
  • Write for us!
  • About Us
Menu

Bare Text Comparison of the Personal Data Protection Bill 2018 with the General Data Protection Rules : Part I – Right to Data Portability

Posted on December 1, 2018November 12, 2019 by Prateek Surisetti

INTRODUCTION TO SERIES

The Personal Data Protection Bill has garnered a fair degree of attention in the last few weeks. For the uninitiated, a brief description of the Bill and its significance can be found here.

The purpose of this series is to analyze the bare text of the Data Principal Rights espoused in the Bill (Chapter VI), namely the Right to Confirmation and Access, Right to Correction, Right to Data Portability and the Right to be Forgotten, in light of the text used in the European legislations to espouse the same values. Each post will deal with each of the above-mentioned rights.

INTRODUCTION TO POST

Over the course of the ensuing section, I shall contrast the text of the Data Portability related provision of the (PDPB) Personal Data Protection Bill (India) (S. 26) with the corresponding provision of the (GDPR) General Data Protection Regulation (European Union) (Art. 20).

For convenience, I have reproduced the relevant provisions below (emphasis supplied) and readers would be benefited from constantly referring to the bare text whenever necessary.

Personal Data Protection Bill (India)

“26. Right to Data Portability. —

(1) The data principal shall have the right to—

(a) receive the following personal data related to the data principal in a structured, commonly used and machine-readable format—

(i) which such data principal has provided to the data fiduciary;
(ii) which has been generated in the course of provision of services or use of goods by the data fiduciary; or
(iii) which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained.

(b) have the personal data referred to in clause (a) transferred to any other data fiduciary in the format referred to in that clause.

(2) Sub-section (1) shall only apply where the processing has been carried out through automated means, and shall not apply where—

(a) processing is necessary for functions of the State undersection 13;
(b) processing is in compliance of law as referred to in section 14; or
(c) compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.
 ”

General Data Protection Regulation (European Union)

“Article 20

Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a)  the processing is based on consent pursuant to point (a) of Article 6(1) or point      (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b)  the processing is carried out by automated means.

  1. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  2. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  3. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.”

ANALYSIS

Prior to analyzing the distinctions between the legislations, let us briefly understand the concept of data portability and its significance. Data portability requires entities that process data to provide collected personal data in a format that is interoperable across platforms. This prevents entities in control of personal data (e.g. Facebook) to hold one’s personal data hostage to a particular platform by way of avoiding to provide data in a format that can be used elsewhere (e.g. other social media websites).

Firstly, I submit that the exception of technical infeasibility (present in both the GDPR & PDPB) deserves criticism (refer double-underlined portion above). As Lawrence Lessig argued in Code 2.0, technological infeasibility shouldn’t be allowed to override a value system. In order to understand the argument further, let us (a) delve into the statute’s meaning and then (b) analyze the issues with technological infeasibility as an exception to the right.

Both the legislations conceptualize technological feasibility as an exception to the right. Conceptually, they place technology in a position that is conceptually superior to the right itself because the absence of technical feasibility would render the right nugatory. Now, let us move on to (b) analyzing the issues with technological infeasibility as an exception.

There exists a certain value system that our laws espouse. A value system, quite eponymously, is an aggregate of various values and ideals. Once a certain society decides to embrace a particular set of values and ideals i.e. a particular value system (whatever it may constitute), technology shouldn’t be allowed to hinder or steer the furtherance of the said value system. Allowing technological infeasibility to render a right redundant could lead to technological development being divorced from the embraced value system.

The question boils down to whether technology should be allowed to circumscribe the value system, or whether the value system should render the technology invalid? I argue, as did Lawrence Lessig, for the latter. Having the value system render technologies inconsistent with it invalid through law (e.g. by removing technical infeasibility as an exception) would force engineers to develop technologies that are consistent with the value system, which society has chosen. Therefore, such a model orients technological development in the direction of the value system that society has chosen for itself and cherishes, as opposed to a parallel value system. In other words, engineers should have the burden of structuring technology according to the ideals chosen by society, rather than the other way round where society adapts to the values and ideals furthered by the technology developed by engineers (a fraction of society).

Moving on, the EU legislation explicitly clarifies that the right doesn’t exist in abrogation of other’s rights and freedoms (refer underlined portion above). However, the Indian PDPB doesn’t provide any clarification regarding the enforcement of the “data portability” right of an individual vis-a-vis others’ rights and freedoms. Consequently, courts would have to make judgment calls as and when issues, involving a conflict between a “data principal’s” (natural person to whom the personal data relates to; the GDPR uses the term “data subject” instead) right to data portability and other’s rights or freedoms, arise.

Lastly, a difference can be noticed in the manner in which the scope of the right has been framed in either legislation (refer portion in bold above). The PDPB entitles subjects to receive and transfer their personal data solely where the data processing is “automated” (PDPB’s S. 2(7) defines “automated means” as “equipment capable of operation automatically in response to instructions given for the purpose of processing data”). Further narrowing the right’s scope, the PDPB provides exceptions, such as for protection of trade secrets, technical infeasibility, for being in compliance with another law and for furtherance of essential State functions. On the other hand, the GDPR provides the right in instances apart from automated processing, in addition to where the processing is based on consent (Art. 6(1)(a); “consent” defined under Art. 4(11)) and pre-contract obligations (Art. 6(1)(b); means according to a contract). Also, the GDPR provides a slightly different set of exceptions, namely, for technical infeasibility, public interest and exercise of the authority vested in the controller. Additionally, the GDPR provides that the right of data portability cannot prejudice the right to be forgotten (Art. 17). Therefore, it’s quite clear that the legislations are substantially different in demarcating the scope of the data portability right, but an analysis of greater rigour is required for ascertaining the actual ambit of the provisions.

 

Image taken from here.

1 thought on “Bare Text Comparison of the Personal Data Protection Bill 2018 with the General Data Protection Rules : Part I – Right to Data Portability”

  1. Pingback: Bare Text Comparison of the Personal Data Protection Bill 2018 with the General Data Protection Rules : Part II - Right to Confirmation and Access - Tech Law Forum @ NALSAR

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe

Recent Posts

  • Lawtomation: ChatGPT and the Legal Industry (Part II)
  • Lawtomation: ChatGPT and the Legal Industry (Part I)
  • “Free Speech is not Free Reach”: A Foray into Shadow-Banning
  • The Digital Personal Data Protection Bill: A Move Towards an Orwellian State?
  • IT AMENDMENT RULES 2022: An Analysis of What’s Changed
  • The Telecommunications Reforms: A Step towards a Surveillance State (Part II)
  • The Telecommunications Reforms: A Step towards a Surveillance State (Part I)
  • Subdermal Chipping – A Plain Sailing Task?
  • A Comparative Analysis of Adtech Regulations in India Vis-a-Vis Adtech Laws in the UK
  • CERT-In Directions on Cybersecurity, 2022: For the Better or Worse?

Categories

  • 101s
  • 3D Printing
  • Aadhar
  • Account Aggregators
  • Antitrust
  • Artificial Intelligence
  • Bitcoins
  • Blockchain
  • Blog Series
  • Bots
  • Broadcasting
  • Censorship
  • Collaboration with r – TLP
  • Convergence
  • Copyright
  • Criminal Law
  • Cryptocurrency
  • Data Protection
  • Digital Piracy
  • E-Commerce
  • Editors' Picks
  • Evidence
  • Feminist Perspectives
  • Finance
  • Freedom of Speech
  • GDPR
  • Insurance
  • Intellectual Property
  • Intermediary Liability
  • Internet Broadcasting
  • Internet Freedoms
  • Internet Governance
  • Internet Jurisdiction
  • Internet of Things
  • Internet Security
  • Internet Shutdowns
  • Labour
  • Licensing
  • Media Law
  • Medical Research
  • Network Neutrality
  • Newsletter
  • Open Access
  • Open Source
  • Others
  • OTT
  • Personal Data Protection Bill
  • Press Notes
  • Privacy
  • Recent News
  • Regulation
  • Right to be Forgotten
  • Right to Privacy
  • Right to Privacy
  • Social Media
  • Surveillance
  • Taxation
  • Technology
  • TLF Ed Board Test 2018-2019
  • TLF Editorial Board Test 2016
  • TLF Editorial Board Test 2019-2020
  • TLF Editorial Board Test 2020-2021
  • TLF Editorial Board Test 2021-2022
  • TLF Explainers
  • TLF Updates
  • Uncategorized
  • Virtual Reality

Tags

AI Amazon Antitrust Artificial Intelligence Chilling Effect Comparative Competition Copyright copyright act Criminal Law Cryptocurrency data data protection Data Retention e-commerce European Union Facebook facial recognition financial information Freedom of Speech Google India Intellectual Property Intermediaries Intermediary Liability internet Internet Regulation Internet Rights IPR Media Law News Newsletter OTT Privacy RBI Regulation Right to Privacy Social Media Surveillance technology The Future of Tech TRAI Twitter Uber WhatsApp

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org
best online casino in india
© 2023 Tech Law Forum @ NALSAR | Powered by Minimalist Blog WordPress Theme