Data Protection Bill: How the draft law has circumvented undesirable private regulation by data fiduciaries
Editor’s Note: This is the second of a two-part series on the rebuttals to the supposed misrepresentation of the draft Data Protection Bill, 2018, on social media. In part I, the authors take a look at the fine print pertaining to the Right to Privacy, functions of the State and surveillance reforms.
In our earlier piece, we attempted to address three concerns raised after the release of the Srikrishna Committee recommendations. In this piece, we address two other apprehensions on the adequacy of protection given to the data principal. We argue that the draft law has circumvented undesirable private regulation by data fiduciaries in both situations.
Notifying Data Breaches
Commentators have drawn attention to the limited notification obligation imposed on data fiduciaries. When there is a data breach, fiduciaries have to notify data principals only when required by the Data Protection Authority (DPA). A data breach could occur due a number of reasons- sometimes inadvertently, despite the best efforts of the data fiduciary. This may compromise the integrity of personal data and result in harm to the data principal, such as unauthorised disclosure, alteration, or loss of personal data.
It becomes imperative for the data fiduciary to improve their security practices, and for the data principal to shield herself from possible harm. All data breaches are certainly not equal. For instance, compare an unauthorised hack of account holders’ personal data held by a bank, to the accidental deletion of the names of members of an alumni association. Most would agree that these two scenarios do not warrant the same level of action. It is arguable that continually notifying data principals of minor breaches could generate systemic mistrust and rouse a panic contagion for veritably trivial issues.
The draft law strikes a balance by allowing the DPA to decide which breaches warrant notification to the data principal. The draft law suggests that the DPA could independently assess the gravity of the breach and whether it is necessary to notify the data principal and require the data fiduciary to take some remedial action. The role of the DPA is to act as an intermediary between the fiduciary and the principal. If the fiduciary comes forward with information regarding a breach, then the DPA assists in mitigating the damage and potential harm to the principal. This is better than the alternative of leaving it to the data fiduciary to choose the appropriate course of action based on the severity of the breach.
To foster transparency regarding breaches, data fiduciaries are required to make such incidents public by posting details of the breach on their websites. This will be an incentive to the fiduciary to improve security practices for fear of tarnishing their reputation. The data principal can then ascertain which fiduciaries to trust. For example, this could enable a data principal to assess whether one messaging app is more trustworthy than its competitor. Besides, failure to incorporate appropriate security safeguards and notify the DPA of breaches would result in heavy penalties to the data fiduciary.
The Right to be Forgotten
The draft law equips data principals with a right to be forgotten. It has been criticised for not including the right to erasure. Here, erasure refers to the permanent deletion of personal data from its source. As the report highlights, the relevant distinction to be drawn is between a restriction on disclosure (like delinking from a search engine) and permanent removal from the fiduciary’s storage.
The meaning and scope attached to the right to erasure and the right to be forgotten continues to be nebulous. In the oft-quoted Google Spain case, the European Court limited the interpretation of the right to be forgotten only to delinking of search engine results. This case dealt with a dual request to Google to remove freely available web-links linking to announcements for a real-estate auction connected with attachment proceedings for the recovery of debts, and to the newspaper which had published these announcements, as this information was no longer relevant. The Court rejected the request to remove the announcement from the newspaper, however, it noted the robust role of search engines in disseminating information to the public. Ease of access of information on the Internet and inclusion of personal data in search results posed a greater intrusion to the right to protection of private life and protection of personal data, than publication in a newspaper. Therefore, the European Court did not extend the right to be forgotten to erasure from the source of the personal data (in this case, the announcement in the newspaper).
The Srikrishna Committee’s draft law attempts to reconceptualise the right to be forgotten to bring more clarity. It curtails the continuing disclosure of personal data by the data fiduciary when it is no longer necessary, when consent to process such data is withdrawn, or when such disclosure is made contrary to law. This right pivots on the determination of whether the interests of the data principal in seeking to limit disclosure overrides the broader rights to freedom of speech and information of citizens.
Expanding the ambit of the right to be forgotten can create information voids. The data principal’s deletion of the personal data at the source (including backup systems and live systems), would not merely restrict the accessibility of such information. It could also lead to information sources being deleted or modified, and allowing individuals to rewrite past actions if data fiduciaries choose to accept such requests and support censorship. Moreover, the Srikrishna Committee’s present formulation is consistent with Justice Kaul’s opinion in Puttaswamy.
The determination of whether the right to be forgotten should apply to a given fact situation and the extent of such application is a constitutionally charged exercise. Under the EU GDPR, this is done by the data controller (data fiduciary as per the draft law). This could breed self-censorship as the controller has an incentive to avoid legal consequences by choosing to accept the delisting requests.
The procedure to implement the right to be forgotten in the draft law has been alleged to be fraught by unnecessary bureaucratic burdens. The Srikrishna Committee framework attempts to prevent the privatisation of regulation by entrusting the Adjudicating Officer of the DPA, a body better placed to carry out an objective assessment. Factors like the sensitivity of the personal data in question, the degree of accessibility sought to be restricted and the role of the data principal in public life will be accounted for.
In this manner, the draft law on data breach notification and the right to be forgotten attempts to not only afford sufficient protection to the data principal and her personal data, but also avert regulatory privatisation.
The authors are Research Fellows at Vidhi Centre for Legal Policy. They are part of the team which assisted the Justice Srikrishna Committee by providing research and drafting inputs for the Committee Report and the Personal Data Protection Bill, 2018.