Summary: “DPDP Act, 2023, grants individuals the right to access personal data held by Data Fiduciaries. Through this piece, the authors explain the right to access, provide an analysis of what counts as personal data. They argue that the law in its current form has diminished accountability of Data Fiduciaries and does not enable Data Principals to effectively exercise their rights, vitiating their right to privacy and other allied rights under the Act.”
Background
The right to access is a significant tool in the Data protection regime globally as it enables an individual to know what information a Data Fiduciary (“DF”) has about them, and the reasons for possessing it. This right acts as a prerequisite for an individual to exercise their right to rectify, amend, or erase data, and to know if their rights are violated. Without knowing what data is processed, individuals cannot effectively invoke their right to correct, erase, update, and compile their data. They are enabled through the right to access to monitor compliance with data protection principles and obligations of a DF. By verifying if data is processed lawfully and by adhering to principles like purpose and storage limitation, they become active participants in data protection. This complements the role of data protection authorities to establish a participatory data protection regime. Strong access rights also act as a due process guarantee. Thus, right to access forms the cornerstone of other rights under DPDP Act, 2023 (“Act”).
Recently, personal data has been used as an input for decision-making like deciding an individual’s creditworthiness, showing targeted advertisements, etc. The right to access empowers individuals to understand and potentially contest these such decisions which are premised on their personal data. Exercising this right raises awareness about data processing practices within society, organizations, and politics, fostering a more informed public discourse on data protection.
The Scope of Personal Data under the DPDP Act
Section 11 of the Act governs the right to access, focusing on personal data. Therefore, the scope of this right is defined by the definition of “personal data” under Section 2(t) of the Act, making “personal data” the subject matter of the right to access. The definition of personal data itself is highly debated and an evolving concept. Personal data is defined under Section 2(t) of the Act as “any data about an individual who is identifiable by or in relation to such data.” The definition which has been adopted gives effect to a broad notion of personal data that goes beyond basic information like name and address, phone number, etc.
If the term personal data is read restrictively, it would narrow the scope of the right to access. For instance, even opinions and subjective assessments of the personal data that have the potential to identify the Data Principal (“DP”) should get covered through this definition. The right remains meaningful only if the information given is assessed in context to the effect it has on the DP rather than the nature of questions by the DF under which the information was sought originally. A library system might not only hold basic information about the user, but also other tabs of payment history, history of usage in terms of issued books, or after processing such information a profile of the user’s interest. Personal data includes all these components if the individual remains identifiable through such data even if held in a pseudo-anonymised format.
Limitations of the Current Framework
A Data Principal is an individual to whom the personal data relates under Section 2(j) of DPDP. Individuals whose personal data is published, suffer significant harm from the incorrect, incomplete, or unnecessary disclosure of their information. Inaccurate data can lead to misleading conclusions, while an oversimplified portrayal can negatively impact their personal and social lives. Additionally, improper processing of personal data increases the risk of individuals becoming targets of criminal activities, such as fraud or identity theft. Thus, in this piece, we highlight five critical limitations of the right to access under the DPDP Act.
First, section 11 of the Act stipulates that a DP can request access to their personal data only from a DF to whom they have explicitly given consent for processing. This means that a DP cannot approach any DF to verify if they possess or are processing their data unless prior consent has been provided. In contrast, the General Data Protection Regulation (“GDPR”), provides a broader right to access. Under the GDPR, once a data subject makes an access request, the DF must first verify whether the processing of the data subject’s personal information is taking place. If it is, the controller must (i) confirm the existence of processing; (ii) provide access to the personal data (iii) provide additional information (like purpose, source, etc) regarding personal data.
Second, under Section 11(1)(b) of the Act, a DF is required to provide a DP only with a list of other DFs and Data Processors, and a description of the personal data shared with them. This leads to the possibility of potential abuse as right to access cannot be exercised against such third party DFs. In contrast, Article 15 of GDPR vests this right in DPs against all DFs. Under the Act, the term “processing” includes sharing, transmitting, disseminating or otherwise making available personal data.
For instance, banking institutions may share a DP’s spending patterns and location data with marketing firms, enabling targeted advertising campaigns without their knowledge. A DP may not be able to find out the uses of their data under the existing scope of the right; instead, they may only be informed about other DFs and a description of what has been shared. It is hard to confirm whether the processing is legal or serves the original purpose for which consent was given because of this lack of recourse to such information. Even though the Act requires for a DP’s consent for processing, it is notable that, often consent fatigue triggers in and contracts employ “take-it-or-leave-it” terms making it difficult to engage and actively consent to such clauses. The authors acknowledge the disregard that notice and consent mechanisms in general have regarding human psychology but when coupled with the issues under the Act it adversely impacts a DP’s rights.
Third, the aim of data protection regulations is also “to enhance public accountability and offer DPs an opportunity to correct inaccuracies in data.” However, the Act undermines this objective by allowing a DP to obtain only a summary of the data or processing activities involved. This creates room for incomplete responses while being compliant with the law. Consequently, DPs may lack the necessary information to assess the completeness of the response, evaluate the legality of the data processing practices, and effectively exercise their rights.[1] A paradox lies as determining the adequacy of a response hinges on the very knowledge that data subjects seek through their access requests. Building a complete understanding often requires comparing responses from multiple requests or relying on others with specialized knowledge. Thus, DPDP Act goes against transparency and accountability principles as the DP will only get a summary of the data that the DF is processing at that point in time when they have sent their request. In contrast, GDPR mandates that DPs must be provided with a copy of their personal data, and the Dutch Data Protection Authority required a complete reproduction of this personal data. A copy under GDPR is full and faithful reproduction of a DP’s personal data, which enables a DP to exercise their rights.
Fourth, the DPDP Act excludes a DP from accessing data being processed for legitimate uses outlined in Sections 7(b) to 7(i) of the Act. It creates a blind spot for potential misuse considering the vagueness, and overbreadth of the provision. This makes it difficult to ensure that the DP’s data is processed only for Section 7 purposes and not for unauthorized use. For instance, under Section 7(h), a law enforcement agency may collect/process personal data during a protest under pretext of ensuring safety or maintaining public order. The DP has no way to know (i) the identity of this agency, and (ii) whether their data isn’t being used for political surveillance or profiling beyond crowd control.
Fifth, personal data that is publicly available is not covered under the DPDP Act. Such data could be made available by the DP themselves or any other person pursuant to the law. The key difference between the GDPR and the DPDP Act concerning publicly available personal data is that the GDPR allows a limited exception for processing special categories of data that have been manifestly made public by the data subject by reading section 9(1) with 9(2)(e) of the GDPR. In contrast, section 3(c)(ii) of the DPDP Act completely excludes publicly available personal data from its scope. This raises some serious problems as: (i) the Act doesn’t define the criterion of ‘public’. Public can mean either what is defined by a community’s setting or accessible by anyone. (ii) There is a distinction between simply agreeing to or being aware of the publication of information and actively sharing it oneself, [2] such as by blogging about one’s political opinions. It may also be challenging to prove that someone intentionally made information public if, for instance, they posted on social media for family and friends, but the default privacy settings made the post visible to the public. (iii) a DP cannot restrict downstream uses of their data as one would by withdrawing their consent. It also completely prohibits them from correcting information, and exercising their right to be forgotten. Even if the information is taken down it does not guarantee that further processing would cease. Hence, a DP maybe left without a meaningful legal recourse altogether in case of “publicly available data”.
In the next part, we will explore how access can be made more meaningful and the steps needed to improve the current framework.
Ed note: This article has been written by Akshay Dhekane and Urvashi Singh from NLUD. The article has been edited & coordinated by Hamza Khan and posted by Abhishek Sanjay from our Student Editorial Team.
Part II of this series can be accessed here.
[1] Dexia case, Hoge Road (Supreme Court), no. R06/045HR, LJN: AZ4663, 29 June 2007
[2] Dr Schiff, ‘Article 9 GDPR’ in Ehmann, Selmayr, ‘Datenschutz-Grundverordnung’ (C.H. Beck, 2nd Edition 2018)