INTRODUCTION TO SERIES
The Personal Data Protection Bill has garnered a fair degree of attention in the last few weeks. For the uninitiated, a brief description of the Bill and its significance can be found here.
The purpose of this series is to analyze the bare text of the Data Principal Rights espoused in the Bill (Chapter VI), namely the Right to Confirmation and Access, Right to Correction, Right to Data Portability and the Right to be Forgotten, in light of the text used in the European legislations to espouse the same values. Each post will deal with each of the above rights.
Part I of the series can be accessed here.
INTRODUCTION TO POST
Over the course of the ensuing section, I shall contrast the text of the Confirmation and Access provisions of the (PDPB) Personal Data Protection Bill (India) (S. 24) with the corresponding provisions of the (GDPR) General Data Protection Regulation (European Union) (Art. 15).
For the purposes of convenience, I have reproduced the relevant provisions below. (Emphasis supplied)
Personal Data Protection Bill (India)
“24. Right to confirmation and access. —
(1) The data principal shall have the right to obtain from the data fiduciary—
(a) confirmation whether the data fiduciary is processing or has processed personal data of the data principal;
(b) a brief summary of the personal data of the data principal being processed or that has been processed by the data fiduciary;
(c) a brief summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal, including any information provided in the notice under section 8 in relation to such processing activities.
(2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.…
General Data Protection Regulation (European Union)
Right of access by the data subject
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
- The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
- The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
The right provides “data subjects”/ “data principals” (varying terms used by the GDPR and PDPB respectively for referring to natural persons to whom the data relates to) with the authority to demand from “controllers”/ “data fiduciaries” (varying terms used by the GDPR and PDPB respectively for referring to entities which determine the purpose and means of processing of data), dealing with the data subject’s personal data, certain information pertaining to the personal data. The right ensures that there exists lesser information asymmetry between those to whom the personal data pertains and those who are processing or controlling said data. Refer here for a summary.
At first glance, the Indian draft-legislation’s provision “Right to Confirmation and Access” (S. 24) might seem to be rather abstract and vague in comparison to its European counterpart, but closer inspection reveals that both are quite similar. While the GDPR provides guidelines within a mostly self-contained provision, the PDPB’s S. 24 cross-references S. 8, which contains the list of necessary information disclosure obligations placed on the “data fiduciary”.
Though there exists considerable degree of similarity, in text, between both the jurisdictions, certain distinctions in orientations are quite evident from the language of the provisions.
The Indian Bill, admirably, places explicit emphasis on the accessibility of disclosures. S. 24 (2) mandates that the disclosures be “easily comprehensible”. Wherever there exists a power imbalance, those with access to expertise and other resources are better placed to abuse the system through indulging in complex legalities. Such statutory protections reduce the likelihood of resource-rich (access to expertise & infrastructure) “fiduciaries” utilizing complexity to overwhelm citizens incapable of processing technical information.
Furthermore, the Indian draft-legislation requires a “brief summary” (necessarily disclosing the statutorily prescribed information), as opposed to its European counterpart, which doesn’t place any such requirement. The legislative intent behind the same seems to be consistent with the logic of accessibility (prevent provision of information that cannot be processed meaningfully) mentioned above.
Listing the specific data that needs to be disclosed could enable “fiduciaries” to utilize the provision as an avenue to avoid disclosure of other unlisted, but relevant information. I submit that an additional sub-section requiring disclosure of all relevant information over and above the statutorily mandated disclosures (a general overarching clause, in addition to the prescribed disclosure requirements) would have tilted the balance favourably towards data privacy.
Additionally, the Indian Bill doesn’t seem to be placing as much significance on profiling (processing of personal data for analyzing or predicting data subject’s behavior, characteristics, location, etc.; the GDPR’s Art. 4(4) and PDPB’s S 2 (33) define the term in varying detail but essentially, the definitions are of similar import) as its European counterpart. Though the PDPB refers to profiling and allied restrictions across the Bill, it lacks mention in Chapter VI (Data Principal Rights). Even upon analyzing the entirety of the documents, the EU legislation tends to be placing greater restrictions on profiling than PDPB. The Indian Bill, has instead, preferred allowing profiling subject to an assessment (S. 33: “Data Protection Impact Assessment”) carried out by the Data Protection Authority of India (established under Chapter X of the Bill).
Lastly, the European legislation (Art. 20(4)) clarifies that the request for information as a matter of right cannot be in abrogation of other’s “rights and freedoms”. Though S. 27(2) of the PDPB refers to balancing of rights in the context of “Right to Be Forgotten”, S. 24 doesn’t refer to any form of weighing of rights. Given that there could be numerous varied instances of legitimate conflicting rights, allowing the judiciary to decide on a case by case basis seems to point towards prudence.
Image taken from here.