The Personal Data Protection Bill 2019 ("2019 Bill") provides for a right to erasure of personal data, a right which was not provided for in the preceding draft of the 2019 Bill, namely the Personal Data Protection Bill 2018 ("2018 Bill"). This note examines the right of erasure under the 2019 Bill and analyses how it differs from the right to be forgotten under Clause 20 of the 2019 Bill and the restriction on retention of personal data under Clause 9 of the 2019 Bill.
Right to Erasure
Clause 18 of the 2019 Bill provides the following rights of correction and erasure, namely the right to (i) get corrected inaccurate or misleading personal data, (ii) get completed any incomplete personal data, (iii) get updated personal data that is out-of-date, and (iv) get erased personal data which is no longer necessary for the purpose for which it was processed.
The first three rights, namely the rights to have inaccurate, misleading, incomplete or out-of-date personal data corrected, completed or updated, were provided for in the 2018 Bill, but the right to seek erasure of personal data belonging to the data principal and held by the data fiduciary, if it is no longer necessary for the purpose for which it was processed, is making its debut appearance. After erasing personal data on a data principal's request, the data fiduciary has to take all necessary steps to notify such erasure to all relevant entities or individuals to whom such data has been disclosed, where it could impact the data principal's rights in any manner.
When can it be said that personal data held by a data fiduciary is no longer necessary for the purpose for which it was processed? If the data fiduciary is a bank which holds a customer's KYC details as required by the Prevention of Money Laundering Act, 2002 ("PMLA"), such customer cannot seek erasure of his/her personal data even if his/her account is closed, until expiry of the period prescribed under PMLA for retention of such personal data.
Where the data fiduciary receives a request from a data principal to correct or complete or update or erase personal data relating to such data principal, and the data fiduciary is of the view that such correction or completion or updation or erasure is not warranted, the data fiduciary shall provide the data principal with adequate justification in writing for rejecting the application. If the data principal is not satisfied with the justification provided by the data fiduciary for rejecting the data principal's request, the data principal may require that the data fiduciary take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed.
Penalty for failure to comply with request without an explanation:
Clause 58 of the 2019 Bill provides that if the data fiduciary fails to, inter alia, comply with a request for erasure made by a data principal, without providing any reasonable explanation to such data principal, the data fiduciary shall be liable to pay a penalty of up to Rs. 5,000 (Rupees Five Thousand Only) for each day during which such default continues, subject to a maximum of Rs. 10,00,000 (Rupees Ten Lakh Only) in case of significant data fiduciaries and Rs. 5,00,000 (Rupees Five Lakh Only) in other cases.
Right of appeal against data fiduciary's decision:
Clause 18 of the 2019 Bill does not provide the data principal the right to appeal from a data fiduciary's decision to reject such data principal's request to correct or complete or update or erase personal data relating to the data principal. However, Clause 53 of the 2019 Bill gives a general right to file a complaint with the Data Protection Authority of India ("Authority") against any data fiduciary if, inter alia, such data fiduciary has contravened the provisions of the personal data protection act. Pursuant to such a complaint, if the Authority has reasonable grounds to believe that the data fiduciary has contravened provisions under law or those of the Authority, it shall appoint an Inquiry Officer to inquire into the affairs of the data fiduciary and prepare a report of its findings. Based on the report of such Inquiry Officer, the Authority shall, after hearing the data fiduciary in relation to the report, make a written order giving appropriate directions to the data fiduciary in accordance with Clause 54. Through its order, the Authority can, inter alia, require the data fiduciary to take any such action in respect of any matter arising out of the report as the Authority may deem fit. If the data principal is aggrieved by the Authority's order, Clause 72 of the 2019 Bill provides for an appeal to the Appellate Tribunal against such order.
Comparison with the right to be forgotten:
The right to erasure provided for in Clause 18 of the 2019 Bill needs to be distinguished from the right to be forgotten, provided for in Clause 20 of the 2019 Bill. As per the aforementioned Clause 20, every data principal shall have the right to restrict or prevent continuing disclosure of personal data (relating to such data principal) by any data fiduciary if such disclosure meets 1 (one) of the following 3 (three) conditions, namely the disclosure of personal data: (i) has served the purpose for which it was collected or is no longer necessary; or (ii) was made on the basis of the data principal's consent and such consent has since been withdrawn; or (iii) was made contrary to the provisions of the personal data protection act or any other law in force.
Thus, unlike the right to erasure, a data principal's right to be forgotten can only be enforced by an order of the Adjudicating Officer.
Do note that, despite the usage of the word 'forgotten', there is no right of erasure under Clause 20. Instead, it merely restricts or prevents continuing disclosure of personal data. To avail of the aforementioned right, an application has to be made, in such form and manner as may be prescribed, to an Adjudicating Officer, and such Adjudicating Officer should have reached the conclusion that the disclosure of personal data: (i) has served the purpose for which it was made or is no longer necessary; or (ii) was made on the basis of the data principal's consent and such consent has since been withdrawn; or (iii) was made contrary to the provisions of the personal data protection act or any other law in force. Further, the data principal needs to convince the Adjudicating Officer that his right or interest in preventing or restricting the continued disclosure of his personal data overrides the right to freedom of speech and expression and the right to information of any other citizen. In determining whether the rights and interests of the data principal in preventing or restricting the continued disclosure of personal data override the right to freedom of speech and expression and the right to information of any citizen or not, the Adjudicating Officer is required to have regard to factors such as: (a) the sensitivity of the personal data; (b) the scale of disclosure and the degree of accessibility sought to be restricted or prevented; (c) the role of the data principal in public life; (d) the relevance of the personal data to the public; and (e) the nature of the disclosure and of the activities of the data fiduciary, particularly whether the data fiduciary systematically facilitates access to personal data and whether the activities would be significantly impeded if disclosures of the relevant nature were to be restricted or prevented.
Where any person finds that personal data, the disclosure of which has been restricted or prevented by an order of the Adjudicating Officer, does not satisfy the conditions required for the restriction or prevention of disclosure any longer, such person may apply to the Adjudicating Officer for a review of that order in the prescribed manner, following which the Adjudicating Officer shall review his/her order. Any person aggrieved by an order made under this Clause by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal.
Comparison with the restriction on retention of personal data:
The right to erasure provided for in Clause 18 of the 2019 Bill needs to be distinguished from the restriction on retention of personal data, provided for by Clause 9 of the 2019 Bill.
Clause 9 of the 2019 Bill requires data fiduciaries to not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and to delete the personal data at the end of the processing. The only exception to this rule is that, if explicitly consented to by the data principal, or if necessary, to comply with any obligation under any law for the time being in force, personal data may be retained for a longer period.
Data fiduciaries are required to undertake periodic reviews to determine whether it is necessary to retain the personal data in their possession.
Unlike in the case of the right to erasure, Clause 9 of the 2019 Bill does not give data principals the right to question if any personal data is being retained beyond the period necessary to satisfy the purpose for which it is processed or to demand deletion of personal data at the end of the processing. However, as mentioned earlier, the data principal has a general right under Clauses 53 and 54 to file a complaint with the Authority if it feels the actions of the data fiduciary to be unjust and also appeal against the Authority's order under Clause 72, to the Appellate Tribunal.
In the 2018 Bill, the restriction on retention of personal data was contained in Clause 10, which allowed data fiduciaries to retain personal data for as long as may be reasonably necessary to satisfy the purpose for which it was processed. The test of reasonableness has been done away with in the 2019 Bill, which provides in clear terms that data fiduciaries shall not retain any personal data beyond periods necessary to satisfy the purpose for which it is being processed and shall delete the personal data at the end of the processing.