Data Principal

From Justice Definitions Project

Introduction

The term Data Principal refers to the individual to whom the personal data relates. This concept is foundational in contemporary data protection frameworks, emphasized by modern statutes and regulations to acknowledge the rights and responsibilities of individuals regarding their personal data. It signifies empowerment in controlling how personal data is processed, shared, or utilized by data fiduciaries (organizations managing the data).

Official Definition of Data Principal

As Defined in Legislation(s)

Under the Digital Personal Data Protection Act, 2023 (India), Section 2(7) defines Data Principal as: “The individual to whom the personal data relates, and where such individual is a child, includes the parent or lawful guardian of the child.”[1]

As Defined in Government Reports

The Justice BN Srikrishna Committee identified the concept of Data Principal in in its 2018 report, emphasizing the importance of empowering individuals with control over their personal data and highlighted their role as stakeholders in India's data governance ecosystem. [2]

Legal Provisions Relating to Data Principal under DPDPA

1. Rights of the Data Principal

1.1 Right to Information (Section 9)

The Data Principal is entitled to:

  • Receive a notice from the Data Fiduciary detailing:
    • The categories of personal data being collected.
    • The purpose of processing.
    • The manner of processing.
    • Details of Data Fiduciaries and Data Processors involved.
    • Contact details of the Data Protection Officer (if applicable).
    • Rights available to the Data Principal under the Act.

1.2 Right to Access Personal Data (Section 10)

The Data Principal can request:

  • A summary of their personal data processed by the Data Fiduciary.
  • Processing activities undertaken by the Data Fiduciary.

1.3 Right to Correction and Erasure (Section 11)

The Data Principal has the right to:

  • Request correction of inaccurate or misleading data.
  • Complete incomplete data.
  • Request erasure of personal data that:
    • Is no longer needed for the intended purpose.
    • Was unlawfully processed.

Exceptions: Erasure cannot override legal or contractual obligations requiring data retention.

1.4 Right to Grievance Redressal (Section 12)

The Data Principal has the right to:

  • File grievances with the Data Fiduciary regarding data processing activities.
  • Escalate unresolved grievances to the Data Protection Board of India (DPBI) for adjudication.

1.5 Right to Nominate (Section 13)

The Data Principal can nominate another individual to exercise rights under the Act in the event of:

  • Death.
  • Incapacity.

1.6 Right to Consent and Withdrawal (Sections 5 and 6)

  • Consent must be informed, specific, and explicit.
  • Withdrawal of consent must be as easy as giving it.
  • The Data Fiduciary must honor withdrawal unless exceptions apply (e.g., legal obligations).

1.7 Right to Protection from Harm (Sections 5 and 15)

The Data Principal has the right to:

  • Protection against harm caused by data breaches, unauthorized access, or mishandling of personal data.

1.8 Right to Know Processing by Significant Data Fiduciaries (Section 9)

If a Data Fiduciary is classified as a Significant Data Fiduciary, the Data Principal must be informed of:

  • Periodic impact assessments conducted by the Data Fiduciary.

2. Obligations of the Data Principal

2.1 Duty to Provide Accurate Data (Section 14)

The Data Principal must:

  • Ensure that any personal data provided to a Data Fiduciary is accurate and up-to-date.

2.2 Prohibition Against Frivolous Complaints (Section 14)

The Data Principal must not:

  • File false or frivolous complaints with the Data Fiduciary or the DPBI.

Penalty for Violation: A fine of up to ₹10,000 may be imposed for frivolous complaints.

3. Liabilities of the Data Principal

3.1 Penalties for False Complaints (Section 14)

If the Data Principal is found to have:

  • Provided false information, or
  • Filed a frivolous complaint with malicious intent, they may face penalties.

4. Relationship with Data Fiduciaries

4.1 Consent Mechanism (Section 6)

  • Consent must be sought in plain and simple language.
  • Withdrawal of consent must be respected unless otherwise mandated.

4.2 Grievance Mechanism (Section 12)

  • The Data Fiduciary is obligated to resolve complaints within seven days.

5. Exceptions to Data Principal Rights

The rights of a Data Principal may be restricted in scenarios involving:

  • National security: Processing by government agencies for national security, sovereignty, and integrity.
  • Law enforcement: Prevention, detection, or investigation of crimes.
  • Public interest: Research, archival purposes, or public health emergencies.
  • Judicial purposes: Compliance with court orders or legal proceedings.

6. Enforcement and Recourse

6.1 Grievance Redressal through DPBI

The Data Principal can escalate unresolved grievances to the Data Protection Board of India, which has adjudicatory powers to impose penalties on Data Fiduciaries.

6.2 Compensation for Harm

If the Data Fiduciary’s failure causes harm to the Data Principal, the latter can seek remedies through appropriate legal means.

Data Principal in Case Law(s)

KS Puttaswamy v. Union of India (2017)

This landmark judgement affirmed the right to privacy as a fundamental right guaranteed under Article 21 of the Indian Constitution.[3] The judgement underscored individuals’ rights over their personal data, laying the groundwork for recognizing the concept of Data Principals.[4]

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014)

The verdict of this case was described in popular parlance as recognizing a “right to be forgotten,” although the court did not formally establish this right. Instead, it relied on the individual’s rights to privacy and data protection, as outlined in Art 7 (respect for private and family life) and Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union. Thus, the ruling emphasized protecting personal data and privacy rather than explicitly introducing a standalone right. [5]

Karthick Theodore v. Registrar General, Madras High Court (2024)[6]

This case involved an appeal by Karthick Theodore to redact his name and identifying details from a 2014 judgment in which he was acquitted of criminal charges. He argued that the continued online availability of his personal details caused significant harm, citing the right to privacy under Article 21 of the Indian Constitution and the emerging right to be forgotten under the DPDPA, 2023. The Madras High Court upheld his claim, balancing the privacy rights of the Data Principal with the principle of public access to judicial records. The court ordered the publication of a redacted judgment while ensuring the original remained in court records, demonstrating how Data Principals can assert their rights to restrict access to personal data in public records

Zulfiqar Ahman Khan v. M/S Quintillion Business Media Pvt. Ltd.

This case revolved around the misuse of an individual's personal information and the right to privacy. Zulfiqar Ahman Khan sought the removal of defamatory articles online, citing mental agony and reputational harm. Although predating the DPDPA, the case highlighted the tension between freedom of speech and the individual's right to privacy. The court recognized the necessity of safeguards against personal data misuse, which resonates with the provisions for data correction and erasure now codified in the DPDPA.[7]

Sri Xxxxx v. The Registrar General

The petitioner sought erasure of their personal details from a court judgment that was publicly available online. The case underscored the application of the DPDPA's provisions relating to the right to erasure and consent management. The court grappled with balancing the individual's privacy with the principle of open justice, reflecting the ongoing judicial efforts to adapt traditional transparency norms to the data privacy era.[8]

Zorawar Singh Mundy

This case, although not directly tied to the DPDPA, involved questions about data access and the misuse of personal information. Zorawar Singh Mundy challenged the sharing of his personal data by a financial institution without his explicit consent, citing harm caused by unauthorized profiling. The case emphasized the importance of Data Principals' consent, aligning with the DPDPA's explicit requirements for lawful data processing. [9]

International Experience

The concept of a Data Principal is recognized and incorporated in data protection laws worldwide, often under different terminologies such as "Data Subject" (GDPR) or other region-specific terms. While the term Data Principal specifically appears in India’s Digital Personal Data Protection Act (DPDPA), 2023, its recognition and rights find parallels in international frameworks like the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Privacy Act in Australia.

General Data Protection Regulation (GDPR), European Union

The GDPR, effective since 2018, is one of the most comprehensive data protection laws globally, and it defines the “Data Subject” similarly to the Data Principal under India’s DPDPA. The regulation offers extensive rights to individuals regarding their personal data.[10] These include:

  • Right to Access: Data subjects can obtain confirmation as to whether personal data concerning them is being processed, and if so, access the data.
  • Right to Rectification: They can request correction of inaccurate or incomplete data.
  • Right to Erasure (Right to be Forgotten): Data subjects have the right to request the deletion of personal data under certain circumstances, such as when the data is no longer necessary for processing.
  • Right to Data Portability: This allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • Right to Object: Individuals can object to the processing of their personal data for certain purposes, such as direct marketing.

The GDPR places significant responsibility on organizations (Data Controllers and Processors) to ensure that these rights are respected. It also stipulates strict conditions for obtaining valid consent, especially in the context of processing sensitive data. Furthermore, any processing that impacts the rights of data subjects must be justified under one of the lawful grounds established by the regulation, such as necessity for the performance of a contract or compliance with a legal obligation.

United Kingdom - Data Protection Act 2018

Despite the UK's departure from the European Union, the country maintains a robust regulatory environment for personal data protection, ensuring continued alignment with global data protection norms. Post-Brexit, the UK’s Data Protection Act 2018 incorporates provisions similar to the GDPR, reflecting its adoption of EU-like standards for data protection.[11] The law defines “Data Subjects” (equivalent to Data Principals) and grants them rights such as:

  • Right to Access: Individuals can obtain copies of their personal data held by organizations.
  • Right to Erasure: The right to request the deletion of data under specific conditions.
  • Right to Object: Individuals can object to certain types of data processing, such as direct marketing.

European Union Charter

The European Union’s Charter of Fundamental Rights establishes data protection as a fundamental right for EU citizens. It explicitly recognizes privacy and data protection as fundamental rights, providing a robust foundation for the concept of a "data principal." Relevant provisions, such as Articles 7 and 8, affirm that everyone has the right to the protection of personal data and to access and rectify their data. The Charter stresses that data must be processed fairly and for specified purposes and that compliance with these rights is subject to independent oversight. It highlights the empowerment of individuals to access and control their data, while also recognizing their liability to exercise these rights responsibly, particularly in cases where their actions might impact others' privacy or the public interest.[12]

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA), which came into effect in 2020, recognizes the rights of California residents as "consumers" in relation to their personal data, aligning it with the Data Principal concept.[13] The CCPA provides several key rights, including:

  • Right to Know: Consumers can request detailed information about the personal data a business collects about them, including the categories and specific pieces of information.
  • Right to Delete: Consumers can request the deletion of personal data held by a business, subject to certain exceptions (such as for compliance with legal obligations).
  • Right to Opt-Out: Consumers can opt out of the sale of their personal data to third parties.
  • Right to Non-Discrimination: Consumers are protected from discrimination if they choose to exercise their privacy rights.

The CCPA is notable for granting rights similar to those found in the GDPR, but with certain differences. For instance, the CCPA applies primarily to businesses with specific thresholds (e.g., gross annual revenues exceeding $25 million), and it gives consumers a broader right to opt-out of the sale of their data without needing to assert a specific reason or context for doing so.

While not as comprehensive as the GDPR, the CCPA has been instrumental in shaping privacy rights in the U.S., especially influencing privacy law discussions in other states. However, there are challenges related to enforcement, particularly with regard to the complexity of the law's language and its implementation at the state level.

Privacy Act, Australia

Australia’s Privacy Act of 1988 has been a cornerstone of personal data protection in the country and aligns with the rights of Data Principals through its Australian Privacy Principles (APPs).[14][15] These principles govern how organizations should handle personal information, with specific rights for individuals.

Title Purpose
APP 1: Open and Transparent Management Requires APP entities to manage personal information in an open and transparent way, including maintaining a clearly expressed and up-to-date privacy policy.
APP 2: Anonymity and Pseudonymity Mandates that individuals be given the option of not identifying themselves or using a pseudonym, with limited exceptions.
APP 3: Collection of Solicited Information Specifies when APP entities can collect solicited personal information, with stricter standards for sensitive information.
APP 4: Unsolicited Personal Information Outlines how APP entities must handle unsolicited personal information.
APP 5: Notification of Collection Describes when and under what circumstances APP entities must inform individuals about the collection of their personal information.
APP 6: Use or Disclosure Defines the conditions under which APP entities may use or disclose personal information they hold.
APP 7: Direct Marketing Limits the use or disclosure of personal information for direct marketing purposes, requiring compliance with specific conditions.
APP 8: Cross-Border Disclosure Requires APP entities to take steps to protect personal information before disclosing it overseas.
APP 9: Government-Related Identifiers Specifies the limited conditions under which entities may adopt, use, or disclose government-related identifiers of individuals
APP 10: Quality of Information Obligates APP entities to ensure personal information collected, used, or disclosed is accurate, up-to-date, complete, and relevant to its purpose.
APP 11: Security of Information Requires APP entities to protect personal information from misuse, interference, loss, and unauthorized access, and to destroy or de-identify it when necessary.
APP 12: Access to Information Establishes obligations for APP entities to provide access to personal information upon request unless a specific exception applies.
APP 13: Correction of Information Mandates APP entities to correct inaccurate or incomplete personal information they hold.

The Privacy Act also extends protections around data collection, use, and disclosure, making it essential for businesses to handle personal data in an accountable, transparent, and judicious manner. However, like many other jurisdictions, the law is currently under review to expand its scope and strengthen protections in line with global developments, particularly concerning the increased use of digital platforms and emerging technologies.

Singapore Personal Data Protection Act 2012

The Singaporean Data Protection laws include rights for the Data Principal, such as the right to access personal data held by organizations, the right to request corrections to inaccurate or incomplete data, and the right to withdraw consent for the collection, use, or disclosure of their personal data. Data principals also have the right to data portability, allowing them to request the transfer of their data to another organization in a machine-readable format, as well as the right to request the deletion of their data when it is no longer necessary. Additionally, they have the right to object to the use of their data for marketing purposes. While the PDPA primarily imposes obligations on organizations to safeguard personal data, data principals also bear certain responsibilities. They are required to ensure the accuracy of the information they provide and notify organizations of any changes to their data. Furthermore, data principals must exercise their rights in good faith and follow the correct procedures when making requests, as organizations may refuse to comply with requests that are manifestly unfounded or excessive.[16]

Brazil General Data Protection Law (LGPD)

Brazil’s LGPD, adopted in 2020, shares many similarities with the GDPR, particularly in recognizing the rights of Data Principals in relation to their personal data.[17] These rights include:

  • Right to Access: Individuals can request access to their personal data held by data controllers.
  • Right to Rectification and Deletion: Data Principals have the right to rectify inaccurate data and request the deletion of data that is no longer needed.
  • Right to Data Portability: Brazilian citizens can transfer their data to other service providers, enhancing consumer choice.
  • Right to Consent: Similar to the GDPR, the LGPD requires clear and informed consent for processing personal data, with provisions for withdrawal of consent at any time.

The LGPD also created the National Data Protection Authority (ANPD) to oversee compliance and enforce penalties for non-compliance. This further strengthens the data rights of Data Principals in Brazil, aligning them with global standards set by the GDPR.

OECD Guidelines

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) were among the first international efforts to establish a framework for safeguarding personal data while allowing its free flow across borders.[18] These guidelines have formed the basis for privacy laws globally and have been periodically updated to reflect evolving standards. The key principles outlined in the guidelines include the Collection Limitation Principle, which mandates that personal data should be collected only for specified purposes and not in excess; the Data Quality Principle, ensuring that personal data is accurate, complete, and up-to-date; the Purpose Specification Principle, which requires that the purpose of data collection be clearly defined and the data not used for other incompatible purposes; and the Use Limitation Principle, which restricts the use of data for any purpose other than the one for which it was collected, unless consent is given or required by law. The Security Safeguards Principle mandates reasonable security measures to protect personal data from unauthorized access or misuse, while the Openness Principle promotes transparency in data practices, ensuring that individuals can access information about how their data is being handled. The Individual Participation Principle gives individuals the right to access their personal data and request corrections, and the Accountability Principle holds data controllers responsible for adhering to these privacy standards.

CCG-UNDP Data Privacy Guide

The CCG-UNDP Data Privacy Guide is a framework created collaboratively by the Centre for Communication Governance (CCG) and the United Nations Development Programme (UNDP) to provide practical guidelines for data privacy and protection.[19] While it does not explicitly use the term "Data Principal," it emphasizes the role of individuals in data governance systems and underscores their rights and associated responsibilities.

The Guide recognizes individuals as the central stakeholders in data privacy systems, similar to the concept of "Data Principals". It underscores the importance of informed consent, ensuring that individuals are provided with clear and accessible information to make informed decisions about their data. The Guide also advocates for active participation in data governance, encouraging mechanisms that allow individuals to have a say in how their data is used, which aligns with broader human rights objectives. Additionally, it stresses the need for transparency, with organizations being required to openly disclose their data processing activities to empower individuals.

Furthermore, the Guide provides a comprehensive framework to safeguard individuals’ rights. It grants individuals the right to access their data and understand its usage, as well as the right to rectify or delete data when it is inaccurate or no longer necessary. It promotes data portability, enabling individuals to transfer their data between service providers. Additionally, it ensures that individuals have the right to challenge decisions, especially those made through automated processes or profiling.

While the Guide primarily focuses on institutional accountability, it also acknowledges the responsibilities of individuals. This includes the expectation that individuals provide accurate information to reduce potential misuse of data and engage with available privacy tools and rights mechanisms to ensure compliance from data controllers.

The Guide highlights the accountability of organizations and institutions in protecting individuals’ data rights, stressing the importance of robust data governance frameworks to safeguard these rights. It also advocates for accessible and fair remedial mechanisms, allowing individuals to lodge complaints and seek remedies for any breaches or misuse.

In addition, the Guide uniquely prioritizes the protection of vulnerable populations, such as marginalized communities, who may be at risk of discrimination due to data collection practices. It also places special emphasis on protecting the privacy of children and individuals with limited capacity to consent. By positioning individuals at the heart of data privacy efforts, the CCG-UNDP Guide ensures that data privacy is not only a human right but also a tool for promoting equitable development.[20][21]

APEC (Asia-Pacific Economic Cooperation) / Global CBPR (Cross-Border Privacy Rules) System

The APEC/ Global CBPR System is a framework designed to facilitate the free flow of data across borders while ensuring that personal data is protected according to privacy standards. The system is primarily aimed at businesses that operate across multiple jurisdictions, allowing them to demonstrate compliance with privacy laws while streamlining international data transfers. It emphasizes privacy accountability in cross-border data flows, supporting the rights of individuals (data principal) and ensuring compliance among participating organizations. The individuals' rights to transparency, access, and dispute resolution, with protections are ensured through third-party certifications and enforceable commitments by organizations. The system enables individuals to inquire about the use of their data and file complaints regarding misuse or breaches. While the system underscores organizational accountability, it recognizes individuals' role in reporting misuse without imposing direct obligations on them.[22][23]

Challenges

  1. Awareness and Accessibility: Limited public understanding of the rights of the Data Principal.
  2. Operational Barriers: Enforcement of consent withdrawal and data deletion rights faces technological challenges.
  3. Regulatory Complexity: Balancing Data Principal’s rights with the operational needs of Data Fiduciaries.
  4. Exemptions: Broad exemption for state agencies could undermine accountability.

Way Ahead

  1. Awareness Campaigns: Public initiatives to educate citizens about their rights as Data Principals.
  2. Technology Solutions: Adoption of robust systems to facilitate seamless grievance redress and consent management.
  3. Strengthened Oversight: Empowering the Data Protection Board to address Data Principal grievances efficiently.
  1. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
  2. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
  3. https://legislative.gov.in/constitution-of-india/
  4. https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
  5. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131
  6. https://indiankanoon.org/doc/189278808/
  7. https://globalfreedomofexpression.columbia.edu/cases/khan-v-quintillion-business-media/
  8. https://indiankanoon.org/doc/167881092/
  9. https://www.livelaw.in/pdf_upload/16186364774292021-393948.pdf
  10. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02016R0679-20160504
  11. https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
  12. https://www.europarl.europa.eu/charter/pdf/text_en.pdf
  13. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
  14. https://www.legislation.gov.au/C2004A03712/latest/versions
  15. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference
  16. https://sso.agc.gov.sg/Act/PDPA2012
  17. https://iapp.org/media/pdf/resource_center/Brazilian_General_Data_Protection_Law.pdf
  18. https://bja.ojp.gov/sites/g/files/xyckuh186/files/media/document/oecd_fips.pdf
  19. https://www.undp.org/sites/g/files/zskgke326/files/2023-04/UNDP%20Drafting%20Data%20Protection%20Legislation%20March%202023.pdf
  20. https://view.officeapps.live.com/op/embed.aspx?src=https://popp.undp.org/sites/g/files/zskgke421/files/2024-08/ICT_UNDP%20Personal%20Data%20Privacy%20Policy.docx
  21. https://unstats.un.org/legal-identity-agenda/documents/Paper/data_protecton_%20and_privacy.pdf
  22. https://cbprs.org/wp-content/uploads/2019/11/4.-CBPR-Policies-Rules-and-Guidelines-Revised-For-Posting-3-16-updated-1709-2019.pdf
  23. https://www.apec.org/docs/default-source/Groups/ECSG/CBPR/CBPR-ProgramRequirements.pdf
Retrieved from "https://jdc-definitions.wikibase.wiki/w/index.php?title=Data_Principal&oldid=4417"