4

Is there any rule under the IT Act or any other regulation in India which provides the right to withdraw consent from providing your personal information?

I want to delete my personal information from a certain website where I have created an account.

UPDATE

As @ohwilleke pointed out I was specifically looking for "a legally enforceable right" and not something inherited in TnC since it can get pretty crazy [Ref: 7,500 Online Shoppers Unknowingly Sold Their Souls]

Thanks for your responses, I have done my own research with negative result, at least for India. While EU seems to be serious about "Right to be forgotten". As per this regulation, you do have option to opt-out. So it does mean somewebsite.com would destroy my personal information when i choose to withdraw my consent. Now,

what happens to other data retention laws that require data to be kept for specific amount of time?

Improve this question
3
  • Citizenship of the data subject (you) is not likely to be relevant. The locations of the servers and of the company's offices are more relevant, as may be your place of residence. If all of those are in India, then Indian law is probably the only law that matters, but if any of those are in another jurisdiction then other laws may be applicable.
    – phoog
    Commented Feb 28, 2018 at 21:14
  • The terms of service for the website will often have a choice of law provision as well.
    – ohwilleke
    Commented Mar 1, 2018 at 2:24
  • 2
    Of course, the question in the title "can you ask" can always be answered in the affirmative, but the body text makes clear that the real question is whether you have a legally enforceable right to demand this.
    – ohwilleke
    Commented May 30, 2018 at 21:06

1 Answer 1

Reset to default
4

At least as of 2011, when regulations under the Information Technology Act related to privacy and data security were issued (some of the relevant statute sections and regulations are linked in this answer at Law.SE), there was no non-contractual right to have your data destroyed, although a terms of service for a site could give you that right contractually.

Instead, usually, a term of service agreement will do exactly the opposite and give a site owner an irrevocable right to keep your data forever.

I am not aware of any subsequent statutory, regulatory or case law developments in India which have changed this situation, but that kind of tweak of IT Act regulations in India wouldn't necessary make headlines outside of the local IT industry press coverage in obscure trade journals.

The EU is the only place of which I am aware that has any individual right to have data destroyed or suppressed even if it doesn't violated copyright, wasn't obtained illegally and isn't fraudulent or defamatory. Even then, as I understand it, in the EU this is not a unilateral right that applies in all circumstances and is instead a specific remedy for certain situations that have a particularly intense privacy aspect to them.

Improve this answer
5
  • 1
    I'm not sure the "specific remedy" analysis is correct. Article 17 of the GDPR provides a right of erasure for data subjects without regard to the reason for the request. The right is not, as you note, applicable in all circumstances, for there are some justifications for data processing without a data subject's consent. Where an exception to the right is not triggered, however, there does not seem to be any need for a "particularly intense privacy aspect." This would apply here if the website in question is in the EU.
    – phoog
    Commented Dec 26, 2018 at 16:07
  • 1
    @phoog GDPR really relates more to the jurisdiction of the participant, I'd think, the locus of a website is pretty nebulous.
    – ohwilleke
    Commented Dec 26, 2018 at 18:11
  • 2
    It is correct that the location of the website is not relevant per se. I was using that as an imprecise way of denoting the location of the "controller" or "processor" as defined in the GDPR. Under Article 3(1), GDPR applies to data processed by controllers and processors in the EU without regard to the location of the data subject. So, as an example, if the site in question is run by a Dublin newspaper, GDPR would apply to everyone registering on that site regardless of their location (even if the site is actually hosted and administered outside the EU).
    – phoog
    Commented Dec 26, 2018 at 19:28
  • @phoog Yes. I was thinking about the undue importance often attached to where the physical server is located. Although, even if GDPR did apply, to a site run, for example, by a Dublin newspaper, I would think that you would have to vindicate that right in an Irish court and couldn't do so in a court in India.
    – ohwilleke
    Commented Dec 26, 2018 at 23:00
  • 1
    Yes, I doubt Indian courts would be likely to care much about the GDPR. But a person in India who wants to ask an Irish company to delete his or her data can certainly invoke the GDPR when making the request. As to the physical locations of servers, I gather that is frequently a concern in the EU, and it certainly does seem that an EU company that puts its data on a machine in, for example, the US has exposed that data to the US legal system to a greater degree than one that has not.
    – phoog
    Commented Dec 27, 2018 at 0:06

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .