Year-in-review lists and data access rights

Come December each year, most apps are ready with stylised, vibrant, year-end reviews, mapping everything from the music and podcasts that filled your (y)ears to whom you spoke with frequently. 

Most of us enjoy these lists because they may tell us something about ourselves (e.g., my step-count is abysmal; I need to spend more time running in 2026). These pithy year-end summaries could, however, shed some light on the bigger picture: what personal data can an individual access on request, and is responding to an access request as straightforward as it sounds?

Most data protection laws contain a right to access. Some, like the EU’s General Data Protection Regulation, enable access to the personal data itself and related information. India’s new data protection law, the Digital Personal Data Protection Act, 2023 (DPDPA), which will take effect in 17 months, approaches this right to access a little differently. 

Here’s a listicle that unpacks some of its elements, and the questions that the law leaves open for now.  

  1. What’s covered? Data principals can request data fiduciaries to: (a) provide a summary of personal data that is being processed (e.g., stored) and how it is being processed (e.g., analysed); and (b) specify whom (whether fiduciaries or processors) their personal data has been shared with, and what personal data has been shared. This list can be expanded through delegated legislation. 

    While the DPDPA requirement appears less onerous than its global counterparts (Article 15 of the GDPR requires, for example, the disclosure of third-party sources of information), addressing access requests is unlikely to be entirely straightforward.

    Some questions that will likely arise include:

    • What counts as ‘personal data’? The DPDPA’s definition is, of course, broad: any information about an individual who is identifiable by or in relation to it will be covered. This breadth raises a fundamental question: will the DPDPA summary relate to all personal data ever processed about the requesting data principal? Or, can data fiduciaries who process large volumes of personal data customise the summary provided by clarifying what the data principal is seeking? Similarly, how will mixed data sets (where personal data is inextricably linked with non-personal data) be treated in this summary? 

    • What will be sufficient as a summary and how must it be provided? The DPDPA does not clarify the level of detail that will suffice. For example, will specifying categories of personal data be enough, and how will inferred data be factored into such summaries? Nor does the new law explain how this information must be provided. For instance, will time-limited, view-only remote access to the requisite information suffice? 

  2. When and how can the right to access be availed, and by whom? 

    • When? This access right is only available when personal data is voluntarily provided for a specified purpose, or processed on the basis of consent. The term ‘only’ is, however, largely superfluous in a consent-driven regime like the DPDPA – meaning that data fiduciaries must be prepared to respond to such requests in most cases. 

    • How? Data fiduciaries can design the procedure for the exercise of access rights, and specify the ‘particulars’ that must be provided. The DPDPA doesn’t clarify what this may entail, suggesting the processes may differ across fiduciaries. One thing that will likely remain a constant: the implementation of some guardrails (e.g., identity confirmation through a registered account) to prevent personal data breaches. 

    • By whom? Data principals can only exercise access rights in respect of their own personal data (except when acting on behalf of children, persons with a disability, or data principals who have nominated them to do so). It is unclear how this limitation will work in the context of multi-party personal data, or identity theft under the DPDPA. As the EDPB reasons in a GDPR context: in the case of identity theft, personal data may relate to a bad actor’s fraudulent activity, but as such activity is recorded against the identity of the data subject, it must be provided in response to a data subject’s access request. It remains to be seen if India will adopt a similar approach.

  3. What’s excluded? Right-to-access requests under the DPDPA do not cover:

    • any sharing of personal data between data fiduciaries authorised by the law for certain purposes (e.g., prevention or detection of offences or cyber incidents). 

    • access to the personal data itself (unlike the GDPR), although data portability (through the consent management framework) cannot be ruled out. 

    Navigating the intricacies of the DPDPA’s – at first glance, simple – right to access will likely require some considered thought and preparation – from identifying how to summarise vast volumes of evolving personal data to determining the best way to communicate it to a requesting data principal. 

    With thematic, micro-level year-end data lists becoming the norm, though, perhaps each New Year has enabled some of the initial legwork. 

