Digital Rights and Legal Literacy

You have more legal protection than most platforms want you to know about.


The Request They Ignored

After her data appeared in a breach notification, Nisha sent the platform a formal written request for a copy of all personal data they held on her. She wanted to know what they had, what they had shared, and with whom.

Thirty days passed. No response.

She did not know she had the legal right to that data. She did not know the platform's silence was itself a breach. She did not know there was a regulator she could file a formal complaint with - for free - and that the company could be fined.

She sent the request again and waited another month.


The Rights Most People Never Use

14% of EU residents have ever exercised their GDPR rights.

These rights have existed since 2018. Most people who have them have never used them.

Source: European Commission Eurobarometer, 2025

India

DPDP Act 2023: A First in Indian Law

India's DPDP Act 2023 gives citizens, for the first time, the right to know what data companies hold on them. Citizens can access, correct, and erase personal data - and withdraw consent at any time.

Source: Ministry of Electronics, 2024

UK Enforcement

ICO Fined Organisations £100M in 2024

The ICO issued £100 million in fines for data protection violations in 2024. Ignoring a Subject Access Request is itself a violation - filing a complaint has real consequences for companies.

Source: ICO Annual Report, 2025

Recovery Rates

3x Higher Recovery With Formal Reports

Consumer fraud victims who formally report to regulators recover money at 3x the rate of those who do not. Filing a complaint is not just about justice - it improves practical outcomes.

Source: FTC Consumer Sentinel, 2025

Your Right

Requests Are Free and Time-Limited

Under both GDPR and the DPDP Act, companies must respond to data requests within 30 days at no charge. Failure to respond is not a grey area - it is a violation you can report immediately.

Source: ICO / Ministry of Electronics, 2024

India: DPDP Act 2023

India's Digital Personal Data Protection Act 2023 is the country's first comprehensive data protection law. Key rights:

  • Right to access - know what personal data a company holds about you
  • Right to correction - require inaccurate data to be corrected
  • Right to erasure - request deletion of your data when it is no longer needed
  • Right to withdraw consent - remove permission for processing at any time
  • Right to grievance redressal - raise a complaint with the Data Protection Board of India

How to exercise: Send a written request to the company's Data Protection Officer (DPO). Companies must respond within 30 days. If they do not, file with the Data Protection Board of India once it is fully operational. For immediate digital crime issues, use cybercrime.gov.in or call 1930.


Europe: GDPR Rights

GDPR gives EU and UK residents (under UK GDPR) significant rights over personal data:

  • Article 15 - Right of access: receive a copy of all data held on you
  • Article 17 - Right to erasure ("right to be forgotten")
  • Article 20 - Data portability: receive your data in a usable format
  • Article 21 - Right to object to processing

File with: Your national Data Protection Authority (DPA). In Ireland: DPC. In France: CNIL. In Germany: relevant state DPA. Companies can be fined up to 4% of global annual revenue for serious violations.


Making a Subject Access Request

A Subject Access Request (SAR) is a formal demand for all personal data a company holds on you. It is free and legally enforceable.

How to do it:

  1. Find the company's Data Protection Officer email (usually in their privacy policy)
  2. Send an email headed "Subject Access Request" or "Data Access Request"
  3. State your full name and any account identifiers they might have
  4. Ask for: all personal data held, the purposes it is processed for, who it has been shared with, and how long they will retain it
  5. Note the date you sent it

Deadline: 30 days under GDPR. 30 days under India's DPDP Act. If they do not respond, you have grounds to complain to the regulator immediately.


Consumer Protection: Country by Country

| Country | For Fraud Loss | For Data Misuse |
|---|---|---|
| India | RBI Banking Ombudsman, Consumer Protection Act 2019, National Consumer Helpline 1800-11-4000 | Data Protection Board of India, cybercrime.gov.in |
| UK | Financial Ombudsman Service, APP fraud reimbursement rights (from Oct 2024, up to £415,000) | ICO (ico.org.uk) |
| US | FTC (ReportFraud.ftc.gov), CFPB, FBI IC3, state Attorney General | FTC, state AG (California CCPA for CA residents) |
| Australia | AFCA (afca.org.au), Scamwatch (accc.gov.au) | OAIC (oaic.gov.au) |

The Right to Be Forgotten: Reality Check

The "right to be forgotten" is more limited than the name suggests.

What it covers:

  • Search engine results linking to outdated or irrelevant content
  • Platform data no longer needed for the original purpose
  • Data processed on the basis of consent you have now withdrawn

What it does NOT cover:

  • Newspaper articles and journalism in the public interest
  • Court records and legal proceedings
  • Data required by law to be retained (tax, regulatory records)
  • Content that is part of another person's free expression

Practical outcome: You can ask Google to de-index specific URLs. You can ask platforms to delete your account data. You cannot erase factual records from public archives or court systems.


Filing Formal Complaints With Regulators

| Regulator | Country | Website |
|---|---|---|
| Data Protection Board | India | (in development; interim: cybercrime.gov.in) |
| ICO | UK | ico.org.uk/make-a-complaint |
| FTC | US | ReportFraud.ftc.gov |
| OAIC | Australia | oaic.gov.au/privacy/privacy-complaints |
| National DPA | EU | edpb.europa.eu/about-edpb/board/members |

Complaints are free. Most regulators acknowledge within 2 weeks and investigate within 3 months. You do not need a lawyer to file a complaint.


When to Get a Lawyer

Consider involving a lawyer if:

  • The financial loss exceeds Rs 1 lakh / £1,000 / $1,000 / AUD 1,500
  • A platform has refused a valid data request and the regulator investigation is taking too long
  • Your identity has been used criminally - not just for fraud but in connection with criminal activities
  • You are facing defamation or image-based abuse with identifiable harm

Finding affordable legal help:

  • India: District Legal Services Authority (free for eligible individuals), cybercrime.gov.in
  • UK: Citizens Advice free legal guidance, Legal Aid for qualifying cases, free initial consultations with solicitors
  • US: State bar lawyer referral services, legal aid organisations, many attorneys offer 30-minute free consultations
  • Australia: Community Legal Centres (communitylegalcentres.org.au)

Try It: Know Your Rights Navigator

Select your country and issue type to see your specific legal right, which regulator to contact, and what to expect from the process.


What That Just Showed You

1. The regulator route is faster and cheaper than court. For most data rights issues, a complaint to the relevant regulator is the correct first step - not a lawsuit. Regulators investigate for free and have enforcement powers companies take seriously.

2. Different issues need different bodies. Data misuse goes to the data protection regulator. Fraud loss goes to the financial ombudsman or consumer protection body. Knowing which body handles your issue saves time.

3. Your rights vary significantly by country. EU and UK residents have strong statutory rights under GDPR. US residents have weaker federal protection but significant state-level rights in California. India's protections are strengthening under DPDP 2023. Where you are affects what you can demand.


Three Things Worth Doing

1. Find your platform's Data Protection Officer email. Look in the privacy policy of the three services you use most. Note it somewhere. You will have it when you need it.

2. Check whether you are covered by GDPR. If you are in the EU, UK, or are a European citizen, GDPR applies to you regardless of where the company is headquartered. Many people do not know they have these rights.

3. If you have had data misused and have not complained formally, do it today. Regulators investigate complaints they receive. They cannot investigate problems they are not told about. Your complaint may protect others with the same issue.


One Question Before You Continue

Knowledge Check

You ask a company to delete all personal data they hold on you. They do not respond after 30 days. What is your next step?