In the contemporary age, we find ourselves in a situation where a substantial amount of our personal data is readily accessible on the internet, potentially open to public scrutiny. Consequently, there exists an urgent imperative to institute robust measures for safeguarding this data, ensuring its protection from unauthorized access or misuse, for the benefit and security of all individuals.
The DPDP Act intends to provide individuals with specific rights, such as the right to have their personal data processed exclusively with their consent, and it also includes rules for data security measures. This comprehensive statute strives to strike a compromise between safeguarding individuals’ rights and addressing corporations’ data processing obligations. To explain its essence clearly, comprehensive infographics describing the Act’s fundamental ideas and provisions have been prepared.
The DPDP imposes far-reaching obligations, establishing purpose limitation obligations and their corollary – a duty to erase the data once the purpose is met, with seemingly no room left for secondary uses of personal data, and creating a set of rights for individuals whose personal data are collected and used, including rights to notice, access, and erasure. The law also establishes a supervisory entity, the Data Protection Board of India (Board), with the jurisdiction to investigate complaints and levy penalties but not to give recommendations or rules.
RIGHT TO CORRECTION
Section 12 of the DPDP act allows data principals to request that data fiduciaries correct, complete, and update any erroneous or misleading personal data that they process (for which the data principal has previously granted consent, or has freely submitted such data for a stated purpose). If specific circumstances are satisfied, state organizations may be excluded from this requirement (Sec. 17(4)).
RIGHT TO ERASURE
A data fiduciary shall remove the personal data of a data principal that is no longer necessary for the reason for which it was processed upon request under Section 12 of the DPDP Act unless the retention is required by law or the purpose for which it was processed has not expired. If specific circumstances are satisfied, state organizations may be excluded from this requirement (Sec. 17(4)).
It is not clear if this right to erasure includes a right to be forgotten, as it seems expressly conditional on the purpose of processing expiring.
DOES RIGHT TO ERASURE INCLUDE RIGHT TO BE FORGOTTEN
The DPDP Act only allows data principals the right to erasure unless retention is required for the indicated purpose or for compliance with the law. However, it is worth noting that the High Courts of several Indian states have taken opposing positions on the issue.
Several courts, notably the Delhi High Court, Karnataka High Court, and Orissa High Court, have recognized the right to be forgotten as part of an individual’s right to privacy. Courts such as the Gujarat High Court, the Madras High Court, and the Kerala High Court have similarly declined to enforce this privilege except in certain contexts such as court judgments, marriage conflicts, and so on.
According to Section 8 of the DPDP Act, a data fiduciary should store personal data only for as long as is reasonably required to meet the purpose for which it is processed. But there is no such provision that regulates the purpose for which the data is being collected and how it can be used, as long as the particular purpose is legitimate. Furthermore, it requires any data fiduciary to conduct periodic evaluations to evaluate whether it is required to keep the personal data in its possession. If a data fiduciary does not need to maintain personal data, such personal data shall be erased in the way indicated.
Thus, even though there is no such explicit right of “Right to forgotten” under the DPDP Act the data storage limitation under section 8 of the DPDP Act requires data fiduciaries to erase personal data on their own.
PENALTIES IN CASE OF NON-COMPLIANCE
Significant non-compliance attracts financial penalties as mentioned in the schedule based on an assessment of certain factors.
- Failure to implement security safeguards for preventing data breaches can amount penalty of up to Rs. 250 crore.
- Failure to notify the Board and affected principals of the data breach can amount penalty up to Rs. 200 crore.
- Non-compliance with obligations regarding children’s data can amount penalty of up to Rs. 200 crore.
- Breach of additional obligations by Significant Data Fiduciary can amount penalty of up to Rs. 150 crore.
- Any other non-compliance – Penalty can amount penalty up to Rs. 50 crore.
Disclaimer: The above article is based on the personal interpretation of the
related orders and laws. The readers are expected to take expert opinions before
relying upon the article. For more information, please contact us