“Data is the new oil”! is a rather common phrase today. Companies have been compiling large data sets, over last many decades. AI and other evolving technologies have enabled new data to be created every minute. All this data is used by companies for their own goals and business interest – such as to develop new products & services, and even to share with third parties for commercial gain.
But for how long can companies retain and use this data? Remember – the data / oil belongs to someone else, i.e., the individual providing the data to the company. Interest of such individuals is an afterthought at best and little consideration is given by companies to these individuals whilst developing new products and services. Would the individual want her data to be used for financial gains of the company? What if the wishes of the individual conflict with the ideology / goals of a company? What happens when an individual does not want a company to use her data anymore?
These questions, though often previously ignored, are now staring profusely at companies in light of the new Digital Personal Data Protection Act, 2023 (DPDP Act). As India Inc. braces for impact, introspection into how the fundamental right to privacy of an individual can be upheld is required.
Right to erasure / deletion
Privacy is a gauntlet of rights. One such right is the right to erasure / deletion of personal data. This article identifies when this right can be exercised by an individual, what the companies ought to do and issues that companies must consider today to avoid pitfalls.
When can an individual ask for deletion of her data?
Anytime, and the request needs to be respected.
If consent of individuals forms the foundational basis for a company to process personal data, then the DPDP Act compulsorily requires such company to delete personal data, should the individuals choose so. Except in very limited circumstances, the data fiduciary is under an obligation to delete data requested by the individual. The wishes of individuals have been placed on a higher pedestal than ever before.
Is that it? My customers never request for deletion of their data. Am I exempt?
Even if customers do not request to delete their personal data, data deletion requirements still apply.
Companies must delete data of individuals when: –
- A customer withdraws a previously given consent – Customers have an option to withdraw their consent. If consent is withdrawn, their data cannot be processed any further and needs to be deleted within a ‘reasonable’ time.
Withdrawal of consent can be express or even implied. While there is no ambiguity when the withdrawal is express, companies need to devise mechanisms to identify any implied withdrawal of consent.
One only needs to see the illustrations under the DPDP Act, which suggest that withdrawal can be implied. The illustration corresponding to Section 6(6) requires companies to delete personal data used to send bills over emails if customers have opted to receive bills on the mobile app. In this illustration, customers did not ask to delete their data for the purpose of sending emails. Rather, there seems to be an implied duty on the companies to delete such data (used for sending invoice over email), emanating from customer choice to receive the bills on the app.
- The purpose for which personal data was collected is served, i.e., the data is no longer required – Companies collect data for a pre-identified purpose. When this purpose is achieved, the data needs to be deleted.
Take example of a streaming service provider who collects address to determine location and provide video content basis such location. When a customer changes her address, the old address may need to be deleted. The question to ask is – if the old address is retained, what purpose is it serving?
The DPDP Act empowers the Government to identify some time periods. If during this time period – an individual neither contacts the company for the purpose for which she gave her data nor exercises her rights under the DPDP Act, the underlying personal data needs to be deleted.
Take the above example where the video streaming service provider also provides a complimentary music streaming service. If a customer provides some data to use the music streaming service and then does not use such service for a period of time (as identified by the Government), such data may also need to be deleted. Only the personal data provided to use the video streaming service may be retained.
Are there any exceptions?
Just the one – where law requires data to be retained for a longer duration.
Certain laws require data retention for a period of time. As examples, the Companies Act, 2013 requires books of accounts and associated vouchers to be retained for 8 years. The Income-tax Act, 1961 empowers assessing officers to reassess income tax returns for up to 10 years. These retention requirements have led companies to take a position that the data should be retained for 8 years or 10 years, if not in perpetuity.
Now, with a specific requirement to delete personal data after it has served its purpose, companies need to re-think if they need to retain all personal data for 8 or 10 years. Do they need a customer’s address to create their own books of accounts? Do they need her phone number for income tax returns? If not, they are duty bound to delete such data, and these periods of 8 and 10 years may not come to their rescue.
Companies need to re-examine their data retention schedules to honour the right to erasure, guaranteed under the DPDP Act.
So what else should the companies consider?
- Which all systems store personal data? – Companies, particularly larger ones, may have multiple systems which collect and process personal data. Data may reside in structured and unstructured forms. Companies need to identify which system has what personal data. Inability to delete personal data because it exists at multiple places and forms may not be an excuse.
- Has personal data been shared with other service providers? – If yes, then even the service providers need to delete personal data. Contracts executed with data processors and service providers must be updated to reflect such an obligation.
- What happens to existing personal data that companies already have? – Companies need to re-assess what data they have already collected. If any particular data set is not required for its business, it may need to be deleted. Companies need to give individuals notice of what personal data they already have and what such data is used for. Where individuals withdraw their consent, the personal data needs to be deleted.
- Do companies need additional technologies? – Potentially yes, to identify instances such as – implied withdrawal of consent, or where the underlying purpose has been served, or time period prescribed by the Government has passed and the individual has not contacted the company for the services.
It is undeniable that excessive data collection and retention practices are things of the past. The DPDP Act seeks to bring balance to the unequal position of companies and individuals. While companies continue to have the need to grow and monetize the personal data they collect, individuals now have a say and can demand that their personal data not be used.
The DPDP Act describes individuals as data principals and companies as data fiduciaries. Usage of phrases ‘principal’ and ‘fiduciary’ suggests that an element of trust exists between these two stakeholders. In turn, this implies that companies while setting their own policies and goals, respect the choice of individuals (such as data deletion). Remember – “With great power comes great responsibility”.