Rights And Duties of the Data Principal Under the Digital Personal Data Protection Act, 2023

Article by Tsaaro

Introduction:

Following the landmark verdict by a 9-Judge bench of the Supreme Court in the case of K.S. Puttaswamy v. Union of India (2017) 10 SCC 1, which affirmed the right to privacy as an inherent Fundamental Right under Article 21 of the Indian Constitution, the central government has made several attempts since 2018 to enact comprehensive data protection legislation. After undergoing 3 legislative drafts over the course of 6 years, the new Digital Personal Data Protection Bill of 2023 was successfully passed in the upper house of the Indian Parliament on August 9, 2023. The DPDPB 2023 was granted presidential approval on August 11, 2023, marking the inception of novel regulations governing the handling of digital personal data.

This Act consists of nine chapters and 44 Sections, with Chapter III extensively addressing the rights and responsibilities designated to the Data Principal. In this article, we will delineate some of the important rights and duties of the Data Principal under the DPDPA, 2023.

Rights of the Data Principal:

According to the Justice Srikrishna Committee Report, in order to establish a strong data protection law, it is crucial to empower Data Principals to enforce their rights against the concerned data fiduciaries. These rights are founded on innovative principles such as self-determination, autonomy, transparency, and accountability. This approach aligns with the concept of Data Principals having sovereign control over their personal information.

Sections 11 to 14 of the Act provide several rights to the data principal. These include the Right to access information about personal data, the Right to correction and erasure of personal data, the Right of grievance redressal, and the Right to nominate. Therefore, the Act promotes transparency, accountability, and self-determination while ensuring that Data Principals can actively manage their personal information and address any concerns or issues that may arise during its processing. In the following sub-section, we will briefly discuss the rights of the data principals in the Act.

A. Right to Access Information:

According to the Justice Srikrishna Committee Report, this right has been derived from the Right to Freedom of Speech and Expression, as enshrined under Article 19(1)(a) and Article 21 of the Constitution. As per Section 11 of the Digital Personal Data Protection Act, the Data Principal can request the following from the Data Fiduciary (in a manner to be prescribed later):

● (a) A summary of all the personal data being processed and the processing activities related to this personal data conducted by the Data Fiduciary.

● (b) The identity of each data processor and Data Fiduciary with whom the personal data was shared, along with specific details about the personal data shared with each of them.

● (c) Any other information related to the personal data and its processing, as may be prescribed at a later stage.

However, if the original Data Fiduciary has shared the mentioned personal data with another Data Fiduciary who is legally authorized to obtain it, and this sharing is carried out for the purposes of preventing, investigating, detecting, or penalizing cyber incidents or prosecuting offenses, the rights stated in points (b) and (c) cannot be enforced by the data subjects.

B. Right to correction and erasure of personal data:

According to Section 12, the Data Fiduciary, upon receiving the request from the Data Principal, is obliged to:

● Correct the misleading or inaccurate personal data.

● Update personal data.

● Complete incomplete data.

● Erase personal data (unless the data retention is mandated by any law).

C. Right to Grievance Redressal:

Section 13 of the Act grants Data Principals the right to accessible grievance redressal mechanisms provided by Data Fiduciaries or Consent Managers. These mechanisms address acts or omissions related to Data Fiduciaries’ or Consent Managers’ obligations concerning Data Principals’ personal data or their rights under the Act. Data Fiduciaries or Consent Managers are required to respond promptly to grievances within prescribed timeframes.

The Act further prescribes that, before approaching higher authorities, Data Principals must exhaust the redressal opportunity provided under this section for the resolution of any such grievances. This section therefore ensures an orderly procedure for grievance resolution, promoting effective handling of disputes related to personal data processing.

The DPDP Act also stipulates that if a data principal is dissatisfied with the grievance redressal mechanism offered by the Data Fiduciary or Consent Manager, they can turn to the Data Protection Board. Moreover, as per Section 29, if the Data Fiduciary is displeased with the board’s decision or direction, they can appeal to the Telecom Dispute Settlement and Appellate Tribunal (TDSAT) within 60 days from receiving the order. This comprehensive approach promotes accountability and effective resolution in the dynamic landscape of data protection.

D. Right to nominate:

Key legal frameworks within the European Union, such as Chapter V, Sections 84 to 86 of the French Data Protection Act, provide data subjects with the option to establish guidelines for the handling of their data after their passing. In the absence of such guidelines, the heirs of a deceased person can exercise the rights of the deceased data subject as mandated under Title II of Section 85. Similarly, Section 2(n) of the Italian Data Protection Code outlines the rights and limitations regarding the personal data of deceased individuals, granting the deceased the authority to specify such rights. However, this authority is subject to the limitation that these directions or limitations do not infringe upon the rights of other individuals.

Unlike the European Union, Indian data protection law lacks detailed regulations concerning the data of deceased individuals. Nevertheless, a positive provision is found in Section 14 of the Digital Personal Data Protection Act, which mandates that in case of death or incapacity (inability to exercise the Data Principal rights), the Data Principal is entitled to the right to nominate any other individual who shall exercise the rights of the data subjects in a manner specified by rules that shall be notified.

Duties of Data Principal:

Unlike other international data privacy laws, the Digital Personal Data Protection Act contains separate provisions for duties which have to be followed by the data subjects.

According to Section 15 of the said Act, there are five important duties to be followed by Data Principals:

● They should not impersonate another person while providing personal data.

● They should not suppress any material information while submitting personal data for any unique identifier, for any document, for government-issued address or for identity proof.

● They should not register false or inane complaints with the data protection board or with the Data Fiduciary. By Section 28(12) of the Act, if the data protection board finds that the said complaint is false or frivolous, the board may issue a warning or impose costs on the said complainant.

● While exercising their right to correction or erasure, they should furnish information that is authentic and verifiable in nature.

● While exercising the Data Principal rights, they should comply with all the provisions of existing laws.

According to Schedule I of the Act, if the Data Principal has breached any of the duties mentioned under Section 15, then the board may issue a penalty of up to 10000 INR.

Conclusion:

The Digital Personal Data Protection Act, 2023 establishes important rights for Data Principals while assigning them certain responsibilities. It empowers individuals with rights like access to information, data correction, and erasure, as well as the ability to nominate someone to act on their behalf. However, Data Principals also have duties, such as providing accurate information and refraining from false complaints. This balanced approach ensures data protection and privacy in the digital age, aligning with global standards.

We understand that grappling with the demands of the new law might present challenges. However, it’s important to note that our skilled Privacy Experts and Consultants can aid you in complying with its requirements.

If your organization requires expert assistance to understand these privacy regulations, remember that Tsaaro is here for you. Our Privacy experts provide the guidance you seek. You can contact us at info@tsaaro.com.
