Exploring Right to Refuse Personal Data in Digital Age

Data is required for any gainful activity, whether it is for research work or to develop any new product for economic pursuit. Data function as input which when processed can be of economic value creating economic ventures. Businesses collect data on consumers which can be primary in nature, beyond which the personal data can be used to identify the behaviour of consumers that is used to market particular product or service which consumers may or may not require and further can be subjected to discriminatory prices where different consumers are quoted different prices for the same product or service.[1] Such preferential pricing in general opinion are not acceptable but another facet can be looked into is that it serves low-end consumers who would be otherwise left unattended and businesses can increase their sales. Price discrimination can occur on digital platforms where a user buying products or services from Apple’s IOS devices are charged higher prices as against the Android user.[2] Personal information can further be used for personalised advertising which target specific consumers based on their online activities and behaviour.

The capabilities to collect, process, analyze and exploit data require considerable amount of technology infrastructure, data analysis tools and expertise. This is only possible when an entity has huge economic power which leads to abuse of dominance. Whereas, small and medium sized businesses and new entrant do not have such economic power and market share to employ these techniques to analyze data of consumer even to put such use of data under principle of proportionality.

In future, entity or corporation that controls data (Data-Monopoly) will be a dominant player. Especially online platforms are modeling their businesses towards monetization of consumer data.[3] Such platforms are operating on multi-sided model where they cater to the needs of various consumer and seller groups in which data from one group is shared with other for monetization as done by Google. The success of these platforms is also based on network effect where the value of such platforms increases as the number of its users increases. Data as such is not available easily and also has to be valid to be effectively monetized, thus businesses now requires to invest huge capital enough to generate such services on their platforms where users are not charged per se, but is compensated by sharing their data, giving a notional aspect that the data is currency in modern times. Therefore, digital data holds huge importance in 21st century economy.


Businesses relies on data of consumers to understand their needs to improve on quality of products or services, to further enhance their presence, stay relevant in the market, sustain their business, retain their consumers, find new customers and improve profits. Data can also help in reducing errors and predicting market trends. All this can assist in better decision making of an entity. Data collection can be done by various methods via feedback, survey, interview, and social media.[4]


Data is further analyzed to study the behaviour of consumers. Large amount of data is used for analyzing the behaviour of consumers, from how the user interacts with the software to how user utilizes peripheral devices (printer, mouse etc.). The use of artificial intelligence and big data analytics to study the trend, pattern, anomalies and other uses of consumers are done in behaviour analytics. These techniques are used in various industries like healthcare, e-commerce and cybersecurity.[5] Interaction of user with software or website like uploading content, downloading data, selection of a product are stored in the servers of the corporations with date and time recorded for further analysis.


Businesses today collect plethora of data by various means, implement sophisticated software, and large capital also involving third party data collection where large data is analyzed by means of deduction.


Businesses employ techniques where it can keep a watch on the use of system by employees by studying what they are downloading, use of printers, time spends of company devices. These techniques are used to detect suspicious activities of employees such as large amount of data downloads and untimely downloads of files, unauthorized access which indicated malice and fraud as security measure. In online platform market, aggregators which has multi-sided market approach, collect data on entities in vertical or upstream market.


Today most of the websites use cookies which identities the computer source under prefix of better user experience but are vulnerability to individual’s privacy.[6] Such cookies are used to record the user’s behaviour on website. Cookies can also be used to track user activities on other websites as they also track browser history.


Biometric data identifies the individual by physical or biological characteristics which can range from DNA sequencing, facial characteristics, handprints, eye-retina pattern, and voice modulations even electrocardiograms (ECG), these are also known as biometric identifier.[7] This data is collected via Internet of Things (IoT) devices such as smart phones which provide features like unlocking the device by facial recognition or fingerprints, smarts watches can track physiological data such as heart beats, physical workouts and other physical activities. Geolocation is that data which can be traced by companies from the devices of user (ex. Mobile phones, Laptops, Tablets, etc.).

Further, there is requirement of differentiation between private data and personal data. Private data may be termed and associated with, as confidential data of organizations which is only shared peer-to-peer when authorized, on the other hand personal data is defined as ‘any data about an individual who is identifiable by or in relation to such data’.[8] In most jurisdictions personal data is defines as data from which a natural person can be identified whether such data is valid or not. The above data collection methods require use of sophisticated technology and software. Businesses have always relied on the technology for their economic prospect and will continue to do so. But employing such technology can only be done by those businesses which have economic power and this creates a rift or disparity between businesses having such economic power and those which does not have such resources to collect data on consumers. Nevertheless, collection of private data, its use and its disclosure without the consent of consumer is illegal. Use of technology as a back-end approach to gain private data of consumers and to further use such data is not a level playing field where an entity by use of technology not only gains dominance but can also sustain it, leading to abuse of dominance which the competition law prohibits.


Before delving into existing legal framework concerning Data Protection, it is to be ascertained the nature of data. To be more relevant, can data be considered as property and if so, can data be dematerialized where it is separate entity from the human?[9] Conception of data as property was never perceived until the possibility of it being treated as corporate asset to create value was discovered, but nonetheless, data is commodified or commercialized were it is exploited as economic resource. But again data has an ‘Affective Control’[10] where data can influence the human thinking and life. Intellectual property rights in some way has treated data as property but there are conditions prominently that of such data should be novel and after certain time it falls in public domain. Data as object of property is yet to develop, meanwhile, data is already commodified and converted into useful information and is further traded, so as evident in platform marketplaces. It is further used to study the behaviour of consumers.


Notion of information as property from the philosophical view can be found in the works of John Locke Labour Reward Theory. In his Two Treatises of Government, stated: “Whatsoever then he removes out of the State that Nature hath provided, and left it in, he hath mixed his Labor with, and joined to it something that is his own, and thereby makes it his Property.” This rational can be applied in the context of sharing data. Any data associated with an individual, is the fruit of his own labour which can be as meager as visiting any place or making any purchase  and thus, that individual should have right over this data. John Locke states in his theory that at minimum an individual owns himself, thus, is free and equal in state of nature and therefore, he shall also own his labour. Applying John Locke theory, data when originates from any human i.e. related to a particular individual, that individual must the owner of this data and at his will be subject to its use further imposing duty on state to protect such property.

There the gist of the argument can be as such[11]

 (1) Every Individual has a right over himself.

(2) Every individual has a right to own his/her labour.

 (3) Every individual has a right to own that which he has mixed his labour.

According to Locke, every man has right to preserve, “his property, that is, his wife, liberty and estate.” Conceptualizing data as property in traditional sense may have its perils as it would make the data more exposed to exploitation and can harm privacy as the bundle of rights which are associated with property taken in traditional notion, data does not have that characteristics. As of now, it can be presumed that data falls somewhere peripheral of property, having characteristic of quasi-property.

In Justice K.S Puttaswami v. Union of India,[12] Honourable Supreme Court has observed that the ‘Informational Privacy’ forms the part of right to privacy and that the individual has right to control over the circulation or publication of such information personal to him. Also, it is recognized the individual’s right to control such dissemination of personal information for limited purpose.

A well accepted and widely understood notion, that the personal data of a person belongs to him and has complete ownership over such data, is also enshrines in statute and rules such as Information Technology act, 2000, Indian Penal Code and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011,


  • Under General Data Protection Regulations, Chapter 3 provides for various rights to Europeans regarding the personal data which are Right to information, Access, Rectification, Erasure, Restriction of Processing, Data portability, to avoid automated decision making and to object.[13]
  • The California Privacy Act, 2018, provides for Right to know, to delete personal information, to opt-out of the sales or sharing and to correct use of personal data.[14]
  • The Digital Personal Data Protection Bill, 2022, provides for Right to information about personal data, correction and erasure of personal data, to grievance Redressal and right to nominate.[15]            


‘Consent’ as defined is freely given, informed, unambiguous and specific providing clear expression of processing of personal             data. In addition to obtaining consent of individuals, organization are required to maintain documents which demonstrated free consent, the clarity of consent requests and withdrawal of consent. It is evident that according to regulations, unless valid consent is obtained, there cannot be processing of data.


Akin to grant and withdrawal of consent, a data subject or data principal can refuse his or her personal data to be shared for processing when not in terms with such processing or when not satisfied with the disclosures of processing methods. Following John Locke theory, personal data is generated by labour of individual or by mixing his/her labour and thus, has right over it. Data, as of now, may not fall under the domain of property but can affect individuals and society at large. A well defined and understood principle, from whom the data originates, has its ownership has being upheld and also has element morality. Without a person there is no personal data and there is no processing of such data by organizations. It also stands true that individuals benefit from data processing without which there may not much other perks and economic ventures. Sharing and processing of data go hand in hand, but, there is primacy of personal data just like there is no law without property.

[1] Hutchinson, C. S., & Treščáková, D. (2021). The challenges of personalized pricing to competition and Personal Data Protection Law. European Competition Journal, 18(1), 105–128. https://doi.org/10.1080/17441056.2021.1936400

[2] Ibid.

[3]  Srivastava, A., & Kumar, D. (2022). Digital economy, data, and dominance: An Indian perspective. Competition Commission of India Journal on Competition Law and Policy, 97–120. https://doi.org/10.54425/ccijoclp.v2.43

[4] Sharma, R. (2023, January 24). What is data collection? why is it important for your business. Emeritus Online Courses. Retrieved April 21, 2023, from https://emeritus.org/blog/data-analytics-what-data-collection/

[5] What is behavioral analysis and how to use behavioral data?: Micro Focus. What is Behavioral Analysis and How to Use Behavioral Data? | Micro Focus. (n.d.). Retrieved April 21, 2023, from https://www.microfocus.com/en-us/what-is/behavioral-analytics (4:32 pm, IST).

[6] Kaspersky. (2022, May 11). What are cookies? http://www.kaspersky.com., from https://www.kaspersky.com/resource-center/definitions/cookies  accessed on April 21, 2023, (8:32 pm, IST).

[7] Erin Jane Illman, (WINTER 2017-2018), Data Privacy Laws Targeting Biometric and Geolocation Technologies, The Business Lawyer, Vol. 73, No. 1 pp. 191-198.

[8] The Digital Personal Data Protection Bill, 2022, Clause 2(13), https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf.

[9] Home. Harvard International Law Journal. (n.d.). Retrieved April 23, 2023, from https://harvardilj.org/2020/04/the-materiality-of-data-as property/#:~:text=When%20data%20is%20treated%20as,to%20a%20non%2Dproperty%20state.

[10] Home. Harvard International Law Journal. (n.d.). Retrieved April 23, 2023, from https://harvardilj.org/2020/04/the-materiality-of-data-as property/#:~:text=When%20data%20is%20treated%20as,to%20a%20non%2Dproperty%20state.

[11] Day, J. P. (1966). Locke on Property. The Philosophical Quarterly (1950-), 16(64), 207–220. https://doi.org/10.2307/2218464

[12] The DNA Technology (Use and Application) Regulation Bill, 2019 and its Effectiveness in Upholding the Principles of Privacy, 1.1 VSLR (2019) 114

[13] Rights of the individual. European Data Protection Supervisor. (n.d.). Retrieved April 23, 2023, from https://edps.europa.eu/data-protection/our-work/subjects/rights-


[14] California Consumer Privacy Act (CCPA). State of California – Department of Justice – Office of the Attorney General. (2023, February 15). Retrieved April 23, 2023, from https://oag.ca.gov/privacy/ccpa#:~:text=The%20right%20to%20delete%20personal,for%20exercising%20their%20CCPA%20rights.

[15] The Digital Personal Data Protection bill, 2022 Chapter 1: Preliminary … (n.d.). Retrieved April 23, 2023, from https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf

Author: Ketan Mahendra Vakil

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s