(Draft) Personal Data Protection Bill 2018: Rights and entitlements


(Draft) Personal Data Protection Bill 2018: Rights and entitlements Beni Chugh Research Associate, Dvara Research CUTS, Capacity Building Workshop on Raising Consumers Awareness Level On Data Protection And Privacy And Impact Of Personal


slide-1
SLIDE 1

(Draft) Personal Data Protection Bill 2018: Rights and entitlements

Beni Chugh Research Associate, Dvara Research

CUTS, Capacity Building Workshop on Raising Consumer’s Awareness Level On Data Protection And Privacy And Impact Of Personal Data Protection Bill On Them Jaipur, 18-19 July, 2019

slide-2
SLIDE 2

Our conversation today

1. Data protection: First-principles
2. Evolution of data protection regime in India
3. The (draft) Personal Data Protection Bill (PDP Bill), 2018
4. Users’ rights under the (draft) PDP Bill
5. Obligations under the (draft) PDP Bill
6. Grievance Redress under the (draft) PDP Bill
7. The proposed data protection authority
8. Some concerns

slide-3
SLIDE 3

Data protection: First-principles

slide-4
SLIDE 4
  • 1. Data protection: First-principles

What is personal data?

  • Sec. 2(29) of the (draft) Bill 2018 defines personal data as:
slide-5
SLIDE 5
  • 1. Data protection: First-principles

Why protect personal data?

  • To uphold the fundamental right to privacy
  • To protect against the harms from the misuse of personal data
  • To protect competition in markets
slide-6
SLIDE 6

Right to Privacy: People care deeply about their personal data


Privacy on the Line, 2018

slide-7
SLIDE 7

The need to protect personal data: Harms

Harms from misuse of personal data:

  • Direct financial loss
  • Discrimination
  • Exclusion
  • Limiting Consumer Choice
  • Fraud


slide-8
SLIDE 8
  • 1. Data protection: First-principles

How to protect personal data?

Data protection legislation is being adopted by nations across the world. As of June 2018:

  • The European Union’s General Data Protection Regulation (GDPR) was implemented in May 2018.
  • 126 nations had an active data protection regulation
  • 34 nations were deliberating on a draft data protection bill

Ironically, India belongs to both groups.

slide-9
SLIDE 9
  • 1. Data protection: First-principles

How to protect personal data?

slide-10
SLIDE 10
  • 2. Evolution of data protection regime
slide-11
SLIDE 11

  • 2. Data protection regime in India: Evolution

  • 2000: Information Technology Act
  • 2011: Reasonable security practices and procedures and sensitive personal data or information
  • Jul 2017: Constitution of a Committee of Experts to deliberate on a data protection regime in India
  • Aug 2017: Right to privacy, further impetus to data protection
  • Nov 2017: White Paper of the Committee of Experts on a Data Protection Framework for India
  • Aug 2018: (Draft) Personal Data Protection Bill, 2018

slide-12
SLIDE 12
  • 3. (Draft) Personal Data Protection Bill, 2018
slide-13
SLIDE 13
  • 3. [Draft] Personal Data Protection Bill (PDP Bill) 2018: The framework

The draft PDP Bill recognises four key stakeholders:

  • Data Principal (You and I): Rights, Chapter VI
  • Data Fiduciary (Bank, Google, Facebook) and Data Processor (Mu Sigma, Fractal Analytics): Obligations, Chapter II; Transparency & Accountability Measures, Chapter VII
  • Data Protection Authority: Law-making powers, Chapter X, XI, XIII

slide-14
SLIDE 14

Data Principal (You and I): Rights, Chapter VI

  • 4. Rights of data principals
slide-15
SLIDE 15
  • 4. (Draft) PDP Bill: Rights of the data principals

The (draft) PDP Bill vests four rights in the data principal:

  • Right to confirmation and access
  • Right to correction
  • Right to data portability
  • Right to be forgotten
slide-16
SLIDE 16

4.1 The right to confirmation & access

It empowers the data principal to seek from the data fiduciary:

  • a confirmation if their data is being or has been processed
  • a brief summary of the personal data
  • a brief summary of the activities undertaken by the fiduciary

The fiduciary must provide this information in a clear, concise, easy-to-understand manner.

This right is important because:

  • You cannot protect until you know what is happening to your data
  • You cannot withdraw consent, seek redress etc.
  • It lays the foundation for exercising other rights and examining obligations
slide-17
SLIDE 17

4.2 The right to correction

Under this right:

  • Data principal can dispute the quality of their personal data
  • They can get it (i) corrected, (ii) completed and (iii) updated
  • Data fiduciary must reject correction requests in writing
  • Data principal can appeal against rejection
  • Data fiduciary must get it corrected across entities

This right is important because:

  • Quality of data impacts the decision made using the data
  • It can affect if you get your ration, a loan etc
  • The case of Sani Tutti
  • The case of Judy Thomas and Judith Upton.
slide-18
SLIDE 18

The case of Sanni Tuti

slide-19
SLIDE 19

4.3 The right to data portability

Under this right, the data principal:

  • must receive the data they shared with a data fiduciary in a structured, machine-readable format
  • can instruct a data fiduciary to transfer data to another fiduciary
  • subject to three exceptions
  • Data offers competitive advantages
  • Having access to big data can encourage monopolistic practices and abuse of dominant position
  • This decreases consumer surplus and potentially consumer welfare

Illustration: Google, Your bank

slide-20
SLIDE 20

4.4 The right to be forgotten

The data principal can restrict or stop sharing their personal data with a data fiduciary, if:

  • the data has served its purpose
  • consent for sharing data is being withdrawn
  • is in contravention of the law

An Adjudicating Officer determines if the right can be exercised

  • It upholds data principal’s autonomy and control of their personal data

  • It obliges organisations to fulfil their obligations

Stop!

slide-21
SLIDE 21

Data Fiduciary (Bank, Google, Facebook) and Data Processor (Mu Sigma, Fractal Analytics): Obligations, Chapter II; Transparency & Accountability Measures, Chapter VII

  • 5. Obligations: Data fiduciaries and data processors
slide-22
SLIDE 22

5.1 (Draft) PDP Bill: Obligations of data fiduciaries, data processors

The draft Bill places 8 obligations on the data fiduciaries and data processors:

1. Fair & Reasonable Processing
2. Purpose Limitation
3. Collection Limitation
4. Lawful Processing
5. Notice
6. Data Quality
7. Storage Limitation
8. Accountability

slide-23
SLIDE 23

5.2 (Draft) PDP Bill: Transparency and accountability mechanisms

Additionally, the draft Bill places 11 accountability and transparency processes:

1. Privacy by design
2. Transparency
3. Security Safeguards
4. Personal Data Breach
5. Data Protection Impact Assessment
6. Record-Keeping
7. Data Audits
8. Data Protection Officer
9. Processing by entities other than data fiduciaries
10. Classification of data fiduciaries into significant data fiduciaries
11. Grievance redress
slide-24
SLIDE 24
  • 6. Grievance Redress
slide-25
SLIDE 25

6.1 “Harm” under the PDP Bill 2018


“Harm” includes:

  • i. bodily or mental injury;
  • ii. loss, distortion or theft of identity;
  • iii. financial loss or loss of property;
  • iv. loss of reputation, or humiliation;
  • v. loss of employment;
  • vi. any discriminatory treatment;
  • vii. any subjection to blackmail or extortion;
  • viii. any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal;
  • ix. any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or
  • x. any observation or surveillance that is not reasonably expected by the data principal.

slide-26
SLIDE 26

6.2 Grievance redress: Trigger and process

  • Every data fiduciary must have a grievance redress mechanism in place
  • Grievance can be raised if there is a violation that may cause harm to the user
  • Data fiduciary must resolve complaints within 30 days
  • The data principal can escalate the matter to the Data Protection Authority

slide-27
SLIDE 27

Data Protection Authority: Law-making powers, Chapter X, XI, XIII

  • 7. Data Protection Authority
slide-28
SLIDE 28


Data Protection Authority

  • Monitoring & Enforcement
  • Legal Affairs, Policy & Standard Setting
  • Research & Awareness
  • Inquiries & Grievance

Adjudication Wing

Appellate Tribunal

  • Appeals against orders of the appellate tribunal will be to the Supreme Court of India.

The proposed Data Protection Authority

slide-29
SLIDE 29

Some concerns

1. The aspiration for a “data fiduciary” paradigm falls short in application
2. Data principals are afforded a limited set of rights
3. The draft PDP Bill creates high barriers to exercise the rights by data principals
4. The grievance redress framework is burdensome and limited for users
5. The definition and usage of “harm” in the draft Bill limits user protections and rights
6. The draft Bill disincentivises and penalises withdrawal of consent

slide-30
SLIDE 30

Thank you.

Beni Chugh Research Associate, Dvara Research

CUTS, Capacity Building Workshop on Raising Consumer’s Awareness Level On Data Protection And Privacy And Impact Of Personal Data Protection Bill On Them Jaipur, 18-19 July, 2019