By Saurabh Bindal
The Ministry of Electronics and Information Technology, based on the recommendations of Justice B.N. Srikrishna, recently tabled the Personal Data Protection Bill, 2018 for public review and comments. The Bill introduced by the Ministry has come into the limelight because of the careful and well-crafted minority view of Justice Chandrachud in the Aadhaar judgment. The Bill marks a monumental step towards the recognition and protection of a person's rights over his personal data.
Privacy as a Fundamental Right
Privacy has been well recognized as a fundamental right by the Indian Supreme Court, and the Bill endorses this by placing importance on the right of an individual over her personal data. Drawing its major influence from the General Data Protection Regulation of the European Union, amongst others, the Bill provides for the rights that a holder of personal data has over her personal data. These rights include the right to confirmation and access, the right to correction, the right to portability and the right to be forgotten.
Right to be forgotten
The right to be forgotten is an essential right given to the Data Principal, i.e. the person who shares her personal data, allowing her to restrict or prevent continuing disclosure of personal data by the Data Fiduciary, i.e. the person who determines the means and purpose of processing of personal data. The right to be forgotten implies a right to be erased. Clearly, this right is of importance to the Data Principal whose personal data is being shared with the Data Fiduciary. The Bill, however, makes the right to be forgotten the only right that is subject to a determination by an Adjudicating Officer of whether such restrictions or preventive measures are necessary. This implies that a Data Principal under the Bill has no absolute right to be forgotten.
Moreover, the clause on the right to be forgotten does not talk at all about erasure of personal data or being forgotten; it merely casts an obligation on the Data Fiduciary to restrict, if at all, on the directions of the Adjudicating Officer, the disclosure of personal data. The Bill, therefore, can be said to be silent on one's right to be forgotten or erased.
Going one step further, the Bill suffers from another anomaly.
Data Fiduciary and Personal Data: Legal implications for common man
Suppose the Adjudicating Officer under the Bill determines that the personal data should be restricted from disclosure and, as the marginal heading indicates, the personal data of the Data Principal is erased by the Data Fiduciary. The personal data should then no longer be maintained by the Fiduciary. However, the Bill provides that the Data Fiduciary should maintain a record of the data erased by it. Now, if the personal data is to be forgotten or erased, the question is how the Data Fiduciary is going to maintain a record of it. This implies that the personal data can never be erased by the Data Fiduciary. That is to say, your right to be forgotten has been made redundant under the Bill. The right is an eyewash: a Data Principal, in essence, has no right to be forgotten.
As the Bill is still under consideration and recommendations on it are being sought, it is imperative that the drafters cover this particular aspect and amend the Bill, as this might lead to huge ramifications.
My right to be forgotten has essentially been subjected to the discretion of an Adjudicating Officer without even making sure that in essence I am never being forgotten by the Data Fiduciary.
Saurabh Bindal is an Advocate by profession and has a deep interest in the information technology sector. Views expressed are the author’s own.