The Digital Personal Data Protection Act, 2023 bestows essential rights upon Data Principals, promoting transparency and accountability. Sections 11-14, underline the rights of the Data Principals and thus represent a pivotal part of this legislation in India’s evolving data privacy landscape. The following rights are guaranteed to Data Principals under this Act-
A. Right to Access Information
The Right to Access Information allows Data Principals to request specific details about their personal data processing, including:
- A summary of all personal data being processed and related processing activities.
- The identity of data processors and Data Fiduciaries with whom personal data was shared.
- Any other prescribed information related to personal data processing.
However, if data is shared with another authorized data fiduciary for cyber incident prevention or prosecution, certain rights may not be enforceable.
B. Right to Correction and Erasure of Personal Data
Section 12 mandates Data Fiduciaries to take specific actions upon receiving requests from Data Principals, including:
- Correcting misleading or inaccurate personal data.
- Updating personal data.
- Completing incomplete data.
- Erasing personal data (unless mandated by law).
C. Right to Grievance Redressal
Section 13 provides Data Principals with accessible grievance redressal mechanisms through Data Fiduciaries or consent managers, ensuring prompt responses within prescribed timeframes. Before seeking higher authorities, Data Principals must exhaust this redressal opportunity, promoting effective dispute resolution.
If dissatisfied with the redressal mechanism, Data Principals can turn to the Data Protection Board. Data Fiduciaries can also appeal Board decisions to the Telecom Dispute Settlement and Appellate Tribunal (TDSAT) within 60 days, promoting accountability and resolution.
D. Right to Nominate
Section 14 allows Data Principals to nominate individuals to exercise their rights in case of death or incapacity. Rules specifying the nomination process will be notified.
Duties of Data Principals
The Digital Personal Data Protection Act also outlines duties that Data Principals must follow, setting them apart from other international data privacy laws.
A. Duties of Data Principals
Section 15 defines five essential duties for Data Principals:
- No impersonation while providing personal data.
- No suppression of material information when submitting personal data for unique identifiers, documents, addresses, or identity proof.
- No registration of false or frivolous complaints; the Board may issue warnings or impose costs for false complaints.
- Providing authentic and verifiable information when exercising the right to correction or erasure.
- Complying with all provisions of existing laws when exercising Data Principal rights.
Penalties for Breach
Schedule I of the Act outlines penalties for breaches of duties mentioned under Section 15, allowing the Board to impose fines of up to 10,000 INR.
In summary, the Digital Personal Data Protection Act, 2023 empowers Data Principals with rights such as access to information, correction, erasure, and grievance redressal. It also grants them the ability to nominate representatives in case of incapacity or death. Additionally, the Act imposes duties on Data Principals to maintain transparency and authenticity in their interactions with Data Fiduciaries.
Major Privacy Updates of the Week
Member of European Parliament challenges the EU-US Data Privacy Framework before EU Court
Member of European Parliament, Philippe Latombe is launching legal challenges against the new transatlantic data transfer agreement between the EU and the US, known as the EU-US Data Privacy Framework. According to this legal challenge, the agreement violates fundamental rights and the General Data Protection Regulation (GDPR) due to insufficient privacy guarantees.
Latombe has filed two challenges before the EU’s General Court, one to suspend the agreement immediately and another concerning its content. Moreover, the challenge also raises concerns about the agreement not being published in the EU’s Official Journal and being communicated solely in English. Read More.
Lawsuit accuses AI tech companies of illegal data scraping
OpenAI and Microsoft are facing a second class-action lawsuit in San Francisco federal court, accused of violating privacy laws during the development of ChatGPT and other AI systems. Two unnamed software engineers filed the complaint, alleging that the companies used stolen personal information from millions of internet users to train their AI technology. The lawsuit was brought on by Morgan & Morgan, the personal injury law firm, which closely resembles a previous lawsuit filed in June by Clarkson Law Firm. Read More.
Data of 2.6 Million Duolingo Users Leaked on Hacking Forum
The security of Duolingo had been compromised as data from 2.6 million users has surfaced on a hacking forum. This data encompasses authentic names, login credentials, email addresses, and internal service-related particulars. Initially presented for sale at $1500, the leaked data’s alarming inclusion of private email addresses could potentially lead to targeted phishing endeavors. While Duolingo has confirmed that the data originated from publicly accessible profiles, questions persist about the security of users’ private information.
The breach reportedly stemmed from an exposed API in March 2023, enabling unauthorized email retrieval. Duolingo’s handling of the situation, including API accessibility post-abuse, has been severely criticized for negligence. Read More.
Facebook owner Meta Facing legal action in Norway for GDPR Violations
Meta Platforms is facing legal action in Norway for violating European data privacy regulations, resulting in a daily fine of one million crowns ($94,145) since August 14. This penalty stems from the company’s breach of user privacy through data harvesting for targeted advertising, a practice common among Big Tech firms.
Seeking a temporary injunction against the fine, Meta is accused of disregarding the European General Data Protection Regulation (GDPR). While Meta had claimed before the Court that is had already committed to asking for User Consent, the Norwegian Data Protection Authority, Datatilsynet, highlighted the uncertainty surrounding Meta’s commitment to user consent resulting in the Fine. Read More.
French Employment Agency Breach Results in potential exposure of Sensitive Data of 10 Million Individuals
The French employment agency, Pôle emploi, has fallen victim to a cyber-attack potentially exposing sensitive data of around 10 million individuals. This breach is believed to be connected to the Clop ransomware gang’s MOVEit campaign, which has affected numerous organizations and millions of people.
The compromised information includes names, employment statuses, and social security numbers of six million recent registrants and four million individuals off the register for less than a year. Investigations are ongoing, and Pôle emploi has reported the incident to data protection authorities while assuring the security of its systems and the continuity of welfare payments. Read More.
Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay
WEEKLY PRIVACY NEWSLETTER
Keep up to pace with this high-impact weekly privacy newsletter that
features significant data privacy updates, trends, and tools that can
help to make your life secure & easier every day!
*By clicking on subscribe, I agree to receive communications from Tsaaro