May 02, 2024

India: Digital Personal Data Protection Act, 2023 part four – data subject rights

Part one of this series on India’s Digital Personal Data Protection Act, 2023 (the Act) looked into the Act’s scope and application, and part two delved into consent and legitimate uses. Part three discussed the provisions applicable to the transfer of digital personal data under the Act in India.

In part four of this series, Rachit Bahl, Rohan Bagai, and Navdeep Baidwan delve into the rights and duties of data subjects under the Act, emphasizing the pivotal role individuals play in safeguarding their personal data in the digital era.

Introduction

The Act received the President’s assent and was published in the official gazette of India on August 11, 2023, after several years of consultations, debates, and deferments over various iterations of the legislation. The Act will come into force with effect from such date that the government of India may notify. Once the provisions of the Act come into force, the Act will replace the current data protection law encapsulated under Section 43A of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011.

The Act introduces a novel concept of a fiduciary relationship between data subjects/data principals (individuals to whom the personal data relates) and data controllers (persons who determine the purpose and method of processing personal data), categorizing them as ‘data principals’ and ‘data fiduciaries’ respectively.

Understanding data principal’s rights under the Act

The Act marks a significant shift in the way individuals or data principals will have control over their personal data in this digital age. The Act empowers data principals with several essential rights regarding how organizations, data fiduciaries, handle their personal data, while uniquely also imposing upon such data principals certain duties, for the responsible exercise of their rights. These rights include:

Right to withdraw consent: Data principals will have the right to withdraw the consent given by them to a data fiduciary for processing their personal data, at any time. Consequently, the data fiduciary must ensure that the data processor, if any, ceases processing personal data of the data principal.

Right to access personal data: Data principals will have the right to inquire about the personal data that a data fiduciary possesses, the purpose for which their personal data has been collected, stored, used, or processed by the data fiduciary, and the entities (both data fiduciaries and data processors) with whom their personal data is shared along with the description of what personal data has been shared.

Data principals will however not have this right when a data fiduciary shares their personal data with another data fiduciary, who is authorized by law to obtain their personal data and where such sharing is pursuant to a request made in writing for prevention or detection or investigation of offenses or cyber incidents, or prosecution or punishment of offenses. Thus, when a law enforcement agency seeks the personal data of a data principal, they will not have the right to inquire about the identity of such law enforcement agency and the purpose for which their personal data has been shared with such law enforcement agency.

Right to correction and erasure: Factual inaccuracies or incompleteness in the data principal’s personal data will need to be rectified/updated by the data fiduciaries with whom their personal data has been shared. Additionally, data principals can request the erasure of their personal data once the purpose of processing (for which they shared their personal data in the first place) is fulfilled, except where retention of their personal data is necessary for compliance with the law.

Right to grievance redressal: The data fiduciary or the data principal’s consent manager must provide the data principal with the right to have readily available means of grievance redressal for any action or inaction regarding their personal data. The timeline for responding to the data principal’s grievance will be prescribed under the rules, which are yet to be framed.

Right to nominate: The data principal may designate any individual to exercise the rights available to them under the Act, in the event of their death or incapacitation.

Exercising data principal’s rights

Certain duties have been cast on data principals for the responsible exercise of their rights. These include:

  • the duty to not impersonate another person while providing their personal data;
  • the duty to not suppress any material information while providing their personal data for any document, unique identifier, proof of identity, proof of address, etc.;
  • the duty to not register any false or frivolous grievance or compliant with the data fiduciary;
  • the duty to furnish only such information which is verifiably authentic; and
  • the duly to ensure compliance with applicable laws while exercising the rights available under the Act.

Failure to adhere to these duties could lead to the imposition of a monetary penalty of up to INR 10,000 (approx. $120).

Conclusion

The Act serves as a pivotal legislation in safeguarding the rights of data principals in the digital era. By entrusting these rights, the Act empowers individuals to participate actively in the data ecosystem, fostering greater transparency and control over their digital footprint.

AUTHORS & CONTRIBUTORS

TAGS

SHARE

DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.