DPDPA Rules: Management of Data Principal’s Rights

The draft rules currently under discussion regarding the management of Data Principal's Rights try to provide clarity to Sections 11, 12, 13 and 14 of DPDPA 2023.

It is noted that the rules do not make any reference to Section 15 on the duties of the data principal, which is a condition precedent to the exercise of Rights and should have been mentioned.

While referring to the requirements, the clause starts with the words,

“(1)For enabling data principals to exercise their rights under Chapter III of the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on her website or app or both, as the case may be,-“

I would like to again point out that the rules refer to the Data Fiduciary or Consent Manager in terms of “her website”, as if the Data Fiduciary or the Consent Manager were an “individual”. While the “Data Fiduciary” can be an “individual”, it is not practically feasible for the Consent Manager to be an “individual”, or rather, it should not be, given the regulatory requirement of business continuity. In fact, another rule (yet to be discussed by us) categorically mentions that the Consent Manager shall be a Company.

Hence the use of the word “her” in this context is incorrect and this obsession needs to be avoided. It may lead to unnecessary legal issues at some point in the future. There is a need to go through the entire document and ensure that all references to a Data Fiduciary or Consent Manager are changed to “it” or “their” instead of “she” or “her”.

While most of the rules under this clause are a paraphrasing of the Act, the lack of reference to the Duties is glaring. The “Rights” guaranteed under the Act are intrinsically linked to the “Duties”, both because of Section 15 of the Act and because of Article 19(2) of the Constitution, which restricts the “Right to Privacy” in certain specific contexts.

It is most important to note that under Section 15 of the Act, a Data Principal shall “comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;”

This has to be highlighted so that no irresponsible attack is mounted on a data fiduciary by motivated data principals who may be encouraged by competitors or anti-nationals.

Similarly, the “Right to Erasure” has to be effectively tempered with the need to ensure, through appropriate documentation, that there is no need to retain the data for any other reason. “Electronic Data” is evidence for many civil claims and criminal prosecutions, and irresponsible erasure could become an offence under Section 65 of ITA 2000 and also under the IPC/IEA.

Compliance officers are unlikely to have an adequate appreciation of the laws relating to data retention under other statutes, and hence they have to be warned while they try to meet the requirements of the “Right to Erasure”.

Some of these corrections are required in the next draft.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.