white_paper_on_data_protection_in_india_171127_final_v2
data protection laws across jurisdictions also shows that there are three rights which form the
core of individual participation. 562 They are as follows:
a. The right to seek confirmation about whether one’s personal data is being processed.
b. The right to access one’s personal data, including details such as 563: the purpose of
processing; the categories of data being processed; the period of storage; the rights vis-à-vis
the organisation; the right to lodge a complaint; the source from where the data
was collected, if it is not the individual; in case of automated decision making, the logic
involved behind such decision and its consequences.
c. The right to challenge the accuracy of one’s personal data, and to have it amended.
Thus, the right of an individual to gain access to their personal data has historically been a
core requirement of data protection laws. This right allows an individual to determine if data
held about them is correct and is being handled lawfully. It also opens the door to exercise of
further rights, such as getting inaccurate data corrected. 564
8.2 Issues
(i) Costly implementation
The implementation of individual participation rights is costly for data controllers. Some
data protection laws 565 permit data controllers to impose a fee for responding to individual
requests. However, these fees are negligible. It has been estimated that the cost for responding
to individual requests varies anywhere between GBP 50-100 per request (though some
stakeholders from the financial sector have estimated the cost to range between GBP 550-650
per request) in the UK. 566 Under the EU GDPR individual participation rights are exercisable
free of cost. There is concern that the abolition of fees will lead to an increase in frivolous and
561 OECD, ‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ (2013),
available at:
http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
(last accessed 31 October 2017). The relevant individual participation rights contained herein include:
(a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data
relating to him;
(b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not
excessive; in a reasonable manner; and in a form that is readily intelligible to him;
(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to
challenge such denial; and
(d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified,
completed or amended.
562 Sally Annereau, ‘An Introduction to Subject Access Rights’, Taylor Wessing (November 2013), available at:
https://united-kingdom.taylorwessing.com/globaldatahub/article_intro_sar.html (last accessed 22 October
2017).
563 Illustrative list from Section 7, UK DPA.
564 Sally Annereau, ‘An Introduction to Subject Access Rights’, Taylor Wessing (November 2013), available at:
https://united-kingdom.taylorwessing.com/globaldatahub/article_intro_sar.html (last accessed 22 October
2017).
565 The UK DPA and The Dutch Personal Data Protection Act.
566 Ministry of Justice, UK, ‘Impact Assessment of Proposal for an EU Data Protection Regulation’ (22
November 2012), available at: https://consult.justice.gov.uk/digital-communications/data-protection-proposalscfe/results/eu-data-protection-reg-impact-assessment.pdf
(last accessed 21 October 2017).