Summary: “DPDP Act, 2023, grants individuals the right to access personal data held by Data Fiduciaries. Through this piece, the authors explain the right to access, provide an analysis of what counts as personal data. They argue that the law in its current form has diminished accountability of Data Fiduciaries and does not enable Data Principals to effectively exercise their rights, vitiating their right to privacy and other allied rights under the Act.”

In the first part of this article, we explored the concept of the right to access under the DPDP Act, 2023, and highlighted its importance as a critical tool for individuals. We examined the definition of personal data, and highlighted five key limitations of the current framework focusing on restrictions that a Data Principal (“DP”) faces in accessing their personal data and the limited scope of accountability for Data Fiduciaries.

In this second part, we discuss how the DPDP Act can ensure more meaningful access to personal data and the reforms required to address its shortcomings.

Form of sharing: Making Access Meaningful

The 2018 and 2019 Draft Bills provided that a Data Fiduciary (“DF”) has to provide information in a clear and concise manner that is “easily comprehensible to a reasonable person”. This obligation mirrored Article 12(1) of the GDPR and the earlier drafts of the legislation were in line with Recital 38 of the GDPR. However, this obligation has been removed from the final legislation. There is no explicit obligation under the DPDP Act on the DF to now share the data in a specified manner.

This requirement is extremely significant as providing incomprehensible raw or complex data is  employed by DFs as a measure to evade access requests. This is due to the fact that the format in which the data often is provided might be unintelligible to an average user. The loophole leads to an absence of any safeguard against such practices of DFs which in essence renders the provision hollow. This acts as a hindrance to the exercise of the DP’s rights and is detrimental to the Right to Access. It is a question of accountability and DFs must provide information in an easily comprehensible manner.

The Way Ahead – How to Provide Access

The right of access under the DPDP Act holds immense potential for individual control over handling of personal data. However, its limited scope, and reduced accountability need to be addressed so as to exercise the right meaningfully. Without urgent reform, the right of access risks becoming a mere formality, leaving individuals vulnerable to unchecked misuse of their data.

Section 15 of the GDPR provides that a DP has the right to access their personal data that has been processed from any DF. It is necessary to incorporate a similar provision under the DPDP Act so that all DFs and not only the ones to whom the DP has given their direct consent to process their data or information could be held accountable. A DF’s response to an access request should be a clear breakdown of how the organization handles personal data. This includes the categories of data processed, the reasons for processing, how the data was collected, and with whom it has been shared and what has been shared in case the DF has shared such personal data.

Providing only a summary and not complete data restricts the scope of the right. Unless specified, a request must be seen as referring to all personal data in relation to the DP. All personal data which the DF is in possession of must be reproduced, similar to data protection laws abroad.

Treatment of publicly available personal data should be debated further. Even the GDPR provision (u/s 9(2)(e)) is said to be formulated without any question or debate.

Further, the DPDP Act lacks a mandated response timeframe. Without a timely response obligation DFs can provide responses at their whim, frustrating the DP’s attempts to exercise their rights. An effective right to access warrants the incorporation of this requirement so the DF is obligated to respond in a reasonable timeframe. A timeframe of 4 weeks, similar to the GDPR, may be incorporated.

Lastly, there is also a need to raise awareness and initiate discourse among citizens about their right to access personal data, considering that this right is rarely exercised even by citizens in established data protection regimes.

Ed note: This article has been written by Akshay and Urvashi from NLUD. The article has been edited & coordinated by Hamza Khan and posted by Abhishek Sanjay from our Student Editorial Team.