The Voluntary Undertaking Provision: A Flawed Endeavor

This post is authored by Tejaswita Kharel*

In order to ease the enforcement process for data protection laws, various jurisdictions such as Singapore and Australia have incorporated voluntary undertaking provisions. Such a provision encourages organisations to self-regulate and adopt accountable practices. It is also believed that the incorporation of such a provision in data protection compliance frameworks will help build a collaborative relationship between data protection boards and data fiduciaries.

India has recently also taken a step in this direction. Clause 24 of the Digital Personal Data Protection Bill, 2022 [“Bill”] provides that the Data Protection Board [“Board”] may accept a voluntary undertaking at any stage and that the acceptance of such an undertaking by the Board would constitute a bar to proceedings.

However, while voluntary undertaking provisions may work elsewhere, Clause 24 should be removed from the Bill for the following reasons: 

1] Excessive Scope of Voluntary Undertaking Provision

The voluntary undertaking regime in Singapore clearly provides that the request to invoke a voluntary undertaking process must be made “soon after the [breach] incident is known”. But the voluntary undertaking provision in the Bill states that the undertaking can be given at “any stage” including before a breach has even taken place. This will allow data fiduciaries to delay their compliance with the provisions of the Bill and postpone the implementation of important provisions of the Bill. 

For example, Clause 9(4) of the Bill provides that “Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.” A fiduciary could offer a voluntary undertaking stating that it will comply with this clause after a period of six months, during which time multiple breaches can occur. The scope of the voluntary undertaking clause in the Bill is thus massive and is likely to give too much leeway to data fiduciaries to circumvent the law and violate the rights of the Data Principals.

2] Lack of Regulatory Standards for Voluntary Undertaking

Additionally, there is no set standard for what a voluntary undertaking offer is supposed to contain. While Clause 24 states that a voluntary undertaking may include “undertaking to take specified action within a specified time, an undertaking to refrain from taking specified action, and an undertaking to publicise the voluntary undertaking”, the requirements are not specific enough to ensure that fiduciaries will adequately comply with the provisions of the Bill. Unlike in Singapore, data fiduciaries are under no requirement to provide an in-depth remediation plan.

3] Excessive Discretion of the Board 

Clause 24 merely says that the Board “may” accept voluntary undertakings. While it is clear that the Board has the discretion to decide whether it is appropriate to accept an undertaking or not, it is necessary to have standards for acceptance or rejection of such undertakings in order to reduce possibilities of arbitrariness and misuse of the voluntary undertaking regime.

Hence, while it is important to ensure that the compliance burden on data fiduciaries is not too heavy in order to achieve effective implementation of the Bill, the current voluntary undertaking provision acts as a loophole which will allow fiduciaries to circumvent formal proceedings and exempt themselves from liability under the Bill.

Conclusion

The voluntary undertaking provision in the Bill should be removed. It provides too much leeway to fiduciaries to submit voluntary undertakings that will exempt them from application of key provisions of the Bill. Moreover, it fails to constrain the Board from accepting such offers. 

In addition, several clauses of the Bill adequately provide for flexibility in case of non-compliance. Clause 25(2) ensures that data fiduciaries are not penalised excessively and Clause 21(11) ensures that they are not punished for non-significant non-compliance. 

The benefit of a voluntary undertaking system is that data fiduciaries will aid the Board in understanding the technological difficulties and processes involved in the regulation of data protection. However, this understanding is something that can be achieved through regular and active discussions with stakeholders. This is the direction that countries like the United Kingdom are also moving towards.

*Tejaswita is a Research Analyst at the Centre for Communication Governance.

Censoring the Critics: The Need to Balance the Right to Erasure and Freedom of Speech

Clause 13(2)(d) of the Digital Data Protection Bill, 2022 (“DPDP Bill”) provides for the right to erasure of personal data i.e. “…any data about an individual who is identifiable by or in relation to such data”. The said clause states that a data principal has the right to erasure of personal data as per applicable laws and as prescribed. The clause further provides that such erasure of personal data shall take place after the data fiduciary receives a request for erasure. The precondition for erasure is that the personal data must no longer be necessary for the purpose for which it was processed and that it must not be necessary for any legal purpose either. 

This is in many ways a salutary provision. Data principals should have control over their data which includes the right to correct and erase data. This is especially important since it protects individuals from the negative impacts of the widespread availability of personal data on the internet. In today’s digital age, it is easier than ever for personal data to be collected, shared, and used in ways that are harmful or damaging to individuals. The right to erasure aids in countering these negative impacts by giving individuals the power to control their own personal information, and to have it removed from the internet if they choose to do so.

However, this provision can negatively impact several other fundamental rights such as the freedom of speech and right to information, especially when it is abused by powerful figures to silence criticism. For example, if an investigative journalist were to write an article in which they bring to light a government official’s corrupt deeds, the said official would be able to request the data fiduciary to erase such data since they are identifiable by it or are related to it. 

This article will seek to address such concerns in two ways. First, it will delve into the safeguards that can be included in the text of Clause 13(2)(d) to ensure that there is an appropriate balance between free speech and privacy. Second, it will recommend that the arbiter of this balance should be an independent authority and not data fiduciaries. 

(1) Safeguards 

Clause 13(2)(d) is heavily tilted in favor of the privacy interests of the data principal. It does not require data fiduciaries to take into account any other considerations that might have a bearing on the data principal’s erasure request. In order to prevent privacy interests from undermining other rights, the clause should be amended to include various safeguards. 

In particular, the clause should require data fiduciaries to consider the free speech rights of other individuals who might be affected by an erasure request. As indicated earlier, journalists may find it difficult to publish critical commentary on powerful public figures if their work is subject to easy erasure. There are also artistic, literary and research purposes for which personal data might be used by other individuals. These are valid uses of personal data that should not be negated simply because of an erasure request. 

Data fiduciaries can also be made to consider the following factors through subordinate legislation to harmonize free speech and privacy: (a) the role of the data principal in public life, (b) the sensitivity of the personal data sought to be erased, (c) purpose of processing, (d) public nature of data and (e) relevance of the personal data to the public. Incorporating such safeguards will help ensure that data fiduciaries appropriately balance the right to privacy and the right to speech when they receive erasure requests.

Further, a clearly laid out process for grievance redressal should also be codified. Currently, Clause 13(2)(d) does not provide for an appeal mechanism for erasure requests that have been rejected by data fiduciaries. The clause should explicitly provide that in case the data principal wants to contest the rejection of their erasure request, they can file a complaint with the Data Protection Board (DPB). 

(2) Independent Authority 

In addition to lacking sufficient safeguards, Clause 13(2)(d) puts the onus on data fiduciaries to decide the validity of erasure requests. Various jurisdictions including the United Kingdom and Spain, along with other states from the European Union, use this framework. However, giving decision-making power directly to data fiduciaries will have a chilling effect on speech.

This is because they will tend to mechanically comply with erasure requests in order to escape liability for non-compliance. Data fiduciaries lack the bandwidth needed to properly assess the validity of erasure claims. They are for the most part private businesses with no obligation or commitment to uphold the rights and freedoms of citizens, especially if doing so will entail the expenditure of significant resources.

Consequently, there is a need for a different framework. Clause 13(2)(d) should be amended to provide for the creation of an independent authority which will decide the validity of erasure requests. Such a body should be staffed with free speech and privacy experts who have the incentive and the capability to balance competing privacy and speech considerations. 

Conclusion 

We can see from the discussion above that the right to erasure provision of the Digital Data Protection Bill, 2022 has failed to strike a sound balance between privacy and free speech. To achieve such a balance, Clause 13(2)(d) should be amended to incorporate various safeguards. Furthermore, an independent authority should be deciding the validity of erasure requests, not data fiduciaries.