Personal Data Protection Bill, 2018: Is it a Right to be Forgotten if it's just being Archived?
The Personal Data Protection Bill, 2018 was framed as per the directions of the Supreme Court in the Puttaswamy[i] case, amidst rising data theft, breaches, and leaks, to guarantee the right to privacy and to fortify people’s rights over personal data. This article shall discuss the scope and form of the Right to be Forgotten as provided in the proposed bill in comparison to the General Data Protection Regulation enacted in Europe in May 2018.
The concept of ‘right to be forgotten’ or ‘right to erasure’ was introduced by the Court of Justice of the European Union (CJEU) in May 2014 in the Google Spain[ii] case, when it ruled in favour of Mario Costeja González, a Spanish man who was unhappy that searching his name on Google threw up a newspaper article from 1998. The right allows citizens of EU countries to remove links to webpages that are “inadequate, irrelevant or excessive” and contain personal data of citizens. The European Court asked Google to delete “inadequate, irrelevant or no longer relevant” data from its search results when a member of the public so requests. The judgment popularised the term “the right to be forgotten”, and this right has since been covered in various data protection laws and regulations, including the EU’s General Data Protection Regulation (GDPR).
Right to Erasure in GDPR
GDPR’s Article 17 provides the conditions under which EU citizens can exercise their right to erasure of personal data, such as when consent has been withdrawn or when the purpose for the data collection no longer exists. However, it is not an absolute right and has to be balanced against considerations such as the right to freedom of expression, or where erasure goes against the public interest for reasons such as scientific or historical research.
Right to be Forgotten under the Personal Data Protection Bill, 2018
The B.N. Srikrishna Committee report on data protection focussed a lot on the importance of obtaining the informed consent of the data subject for collection of personal data. The draft Personal Data Protection Bill, 2018 released by the committee has a section on the ‘right to be forgotten’. Section 27[iii] of the Bill lays out the right to be forgotten, in an approach that is analogous to a layman’s understanding of the term ‘right to be forgotten’. It is, however, merely a right to prevent or restrict the disclosure of certain data, as opposed to the right to erasure provided under the General Data Protection Regulation (GDPR). Section 27 of the Personal Data Protection Bill, 2018 specifies that the data principal has the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure has served its purpose, the data subject’s consent has been withdrawn, or the disclosure was made illegally.
The implementation of this right necessitates an authorisation by an Adjudicatory Officer stating that the data principal’s rights override the right to freedom of speech and the right to information of the general public. If the data subject wishes to review the restrictions given, then he/she can approach the Adjudicatory Officer. In this framework, the data subject has to approach the adjudicatory officer for any relief with regard to the right to be forgotten instead of the data fiduciary directly. Even as this can be looked at as a defect, the alternative would be to allow the data fiduciary to take the decision to remove the data, leading to self-regulation as the fiduciaries may take the easy exit of censoring data in an attempt to avoid penalties.
Shortcomings of the Rights Offered under the Bill with Regard to Right to be Forgotten
1. No Right to Erasure
When we take a look at the rights provided by the PDP Bill, it becomes clear that there is no absolute right to erasure which ensures that the data fiduciary completely erases the data collected. The data storage limitation principle provided under Section 10[iv], which mandates deletion of data once the purpose of its collection is over, is the only provision that ensures the complete deletion of personal data. However, even this provision can be avoided by making vague claims of a continuing need to retain the data for maintenance of records or for legal purposes. In comparison, the GDPR allows the data subject to demand erasure of the data collected under various circumstances such as withdrawal of consent, illegitimate grounds of processing, unlawful processing etc.[v]
A right to restrict processing is comprehensible, given that there may be certain instances where the data is not required to be processed but should still be kept in storage, for example for legal purposes, and such a right is recognized under the GDPR as well. However, the complete absence of a right to erasure of the collected data by the data fiduciary is a major flaw in the proposed data protection framework. The data subject cannot be assured of the safety of the data collected unless it can be shown that the data fiduciaries no longer have access to the said data.
Even if we assume that the right to be forgotten provided in the PDP Bill extends to a right of erasure, and that the Adjudicating Officer, on application, determines that the personal data should be restricted from disclosure, the Bill provides that the data fiduciary should maintain a record of the data erased by it. Section 34 of the PDP Bill mandates that the data fiduciary shall maintain accurate and up-to-date records of the important operations in the data life-cycle, including erasure of personal data. Such records are to be maintained in a form prescribed by the Data Protection Authority later, when the rules, regulations and codes of practice are enacted. It is entirely possible that such rules or codes of practice may not mandate keeping records in a way that contains the exact details of the data erased; however, this is still an issue to be discussed by the Parliament, and a suitable solution must be sought out.
2. Application to the Adjudicating Officer
The procedure to take action under Section 27 is also different from the procedure laid down in the GDPR. Unlike the GDPR, where the data subject can make an application to the data fiduciary, the Personal Data Protection Bill requires that the data principal approach the Adjudicating Officer, which further bottlenecks the overall process. The power given to the Adjudicating Officer (appointed by the Central Government) to carry out the ‘balancing test’ itself leads to a conflict of interest in situations where a restriction is sought by a data principal on the processing and sharing of data by the state.[vi]
3. Liability to Inform Third Party Controllers
When the Personal Data Protection Bill, 2018 is analysed in comparison to the GDPR, it stands out that under the GDPR data controllers are required to inform other controllers processing the same personal data that is to be erased about the erasure request. The PDP Bill does not impose any such obligation on data controllers. In today’s world, there may be multiple processors/fiduciaries handling the same personal data through the original fiduciary who collected the data, and it must be their responsibility to ensure that once an erasure request has been authorised by the Adjudicating Officer, the same is communicated to all the third-party processors.
During a period where companies across the world are under fire for data breaches and data security concerns, it is imperative that India enact a data protection regime that can balance the rights of freedom and expression, and the privacy rights. Justice Sanjay Kishan Kaul, in his judgment in the Puttaswamy case, has expressly recognized the principle of the right to be forgotten and goes on to say that any individual desirous of having his data removed from the system must be allowed to do so. Due to the extensiveness of the recommendations in the Report and the far-reaching consequences that the Draft Bill may potentially have, especially on movements such as “Startup India” and “Make In India”, the Government has announced that it will be having a wide parliamentary consultation process on the Draft Bill before it is passed by Parliament and enacted into law. This parliamentary consultation process may bring in an absolute right to erasure, similar to that provided in the GDPR, before the Bill is approved and enacted as a law.
The Draft Bill when enacted will usher in a new data privacy regime requiring corporates to re-examine their privacy practices with respect to processing and storage of personal data in India. However, since many compliances will be coming from the Codes of Practice that will be released within a year of passing of the Bill, the full impact of the Draft Bill can only be assessed upon their release.
[i] Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors. AIR 2017 SC 4161.
[ii] Case C-131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González, 2014 E.C.R. 317.
[iii] The Personal Data Protection Bill, 2018, Section 27.
[iv] The Personal Data Protection Bill, 2018, Section 10.
[v] Tech2. (2018). Data Protection Bill Series: A person’s right over data is compromised in the Bill- Technology News, Firstpost. [online] Available at: https://www.firstpost.com/tech/news-analysis/data-protection-bill-series-a-persons-right-over-data-is-compromised-in-the-bill-4910391.html [Accessed 25 Jan. 2019].
[vi] Privacy Bytes. (2018). Our Comments to the Draft Personal Data Protection Bill, 2018 to Meity. [online] Available at: https://privacy.sflc.in/our-comments-draft-data-protection-bill/#right-to-be-forgotten [Accessed 25 Jan. 2019].
By Sanjeev Jothi, 5th year student, Dr. Ram Manohar Lohiya National Law University, Lucknow