Towards an Indian Data Protection Regime…

Extracts from the issues raised for discussion by the expert committee appointed to create a draft data protection bill for India

Towards an Indian Data Protection Regime…
On 24 August 2017, in a historic judgment, a nine-judge bench of the Supreme Court ruled that right to privacy is a fundamental right, while hearing a case on the legality of Aadhar. 
 
“We are in an information age.  With the growth and development of technology, more information is now easily available. The information explosion has manifold advantages but also some disadvantages. The access to information, which an individual may not want to give, needs the protection of privacy. The right to privacy is claimed qua the State and non-State actors. Recognition and enforcement of claims qua non-state actors may require legislative intervention by the State,” Justice Sanjay KishanKaul, one of the judges, said in his judgment.
 
“There is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used   by non-state actors. There is also a need for protection of such information from the State,” he noted. 
 
“We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state,” noted Justice DY Chandrachud’s judgment, delivered on behalf of four judges including then then CJI Jagdish Singh Khehar. 
 
By that time, the government had already appointed a committee to look into the issues regarding enacting such a legislation, under the chairmanship of Justice B N Srikrishna, former Judge of the Supreme Court. Their brief was identify key data protection issues and recommend methods for addressing them and ultimately come out with a draft data protection bill. The other members of the committee are Ajay Bhushan CEO, Unique Identification Authority of India; Ajay Kumar, Additional Secretary, MeitY; ArghyaSengupta, Research Director, Vidhi Centre for Legal Policy; Aruna Sundararajan, Secretary, Department of Telecom; Gulshan Rai, National Cyber Security Coordinator; RajatMoona, Director, lIT, Raipur; Rama Vedashree, CEO, Data Security Council of India; and Rishikesha T Krishnan, Director, IIM, Indore 
 
Four months after it was formed, on 27 November, the committee released a detailed white paper outlining all the issues that they found to be relevant, seeking responses from the public on these questions. 
 
The document goes into various issues, discusses how other such legislation such as EU’s GDPR have handled it and has listed its views on those issues while raising explicit questions. The last date for submission for the responses is 31 December, unless it is extended. 
 
The white paper starts by noting that a data protection framework in India must be based on the following seven principles: 
 
1. Technology agnosticism- The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance. 

2. Holistic application- The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims. 
3. Informed consent- Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria. 
4. Data minimisation- Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject. 
5. Controller accountability- The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing. 
6. Structured enforcement- Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.
7. Deterrent penalties- Penalties on wrongful processing must be adequate to ensure deterrence. 

 
When enacted, it is the businesses—data controllers and data processors as they are called—will have to comply with them. And it is a no-brainer that it is the CISOs and CIOs who will have a major role to play in that compliance; in most companies, they will lead the roll out. 
 
For their benefit, we have gone into the 233-page document and have extracted the most relevant questions that have a direct bearing on compliance, though it is recommended that they read the entire document, which is available at http://www.cioandleader.com/dataprotectionwp
 
We have selected only close-ended questions, that are most relevant. Questions about nuanced of legal approach too are avoided. To help you directly go to questions that interest you and the corresponding discussion that precedes them, we have provided the chapter no, chapter name, question number and the page number alongwith each question. Here are the selected questions: 
 

Should the law be applicable to government/public and private entities processing data equally? If not, should there be a separate law to regulate government/public entities collecting data? Alternatives:

a. Have a common law imposing obligations on Government and private bodies as is the case in most jurisdictions. Legitimate interests of the State can be protected through relevant exemptions and other provisions. 


b. Have different laws defining obligations on the government and the private sector. [Part II/Ch. 2 (Other Issues of Scope)/Q3/Pg. 33]

What kind of data or information qualifies as personal data? Should it include any kind of information including facts, opinions or assessments irrespective of their accuracy? 
[Part II/Ch.3 (What is personal data)/Q3/Pg.40]

Should the definition of personal data focus on identifiability of an individual? If yes, should it be limited to an ‘identified’, ‘identifiable’ or ‘reasonably identifiable’ individual?
 [Part II/Ch. 3 (What is personal data)/Q4/Pg. 40]

Should anonymised or pseudonymised data be outside the purview of personal data? Should the law recommend either anonymisation or psuedonymisation, for instance as the EU GDPR does? [Part II/Ch.3 (What is personal data)/Q5/Pg.40]


[Anonymisation seeks to remove the identity of the individual from the data, while pseudonymisation seeks to disguise the identity of the individual from data. Anonymised data falls outside the scope of personal data in most data protection laws while psuedonymised data continues to be personal data. The EU GDPR actively recommends psuedonymisation of data.]


Should there be a differentiated level of protection for data where an individual is identified when compared to data where an individual may be identifiable or reasonably identifiable? What would be the standards of determining whether a person may or may not be identified on the basis of certain data? 
[Part II/Ch.3 (What is personal data)/Q6/Pg.40]

Should the law define a set of information as sensitive data? If yes, what category of data should be included in it? Eg. Financial Information / Health Information / Caste / Religion / Sexual Orientation. Should any other category be included?
[Part II/Ch.4 (Sensitive personal data)/Q2/Pg.43]

Should the law only define ‘data controller’or should it additionally define ‘data processor' ? Alternatives

a. Do not use the concept of data controller/processor; all entities falling within the ambit of the law are equally accountable. 


b. Use the concept of ̳data controller‘ (entity that determines the purpose of collection of information) and attribute primary responsibility for privacy to it. 


c. Use the two concepts of ̳data controller‘ and ̳data processor‘ (entity that receives information) to distribute primary and secondary responsibility for privacy.
 [Part II/Ch.6 (Entities to be defined in the law: data controllers and processors)/Q2/Pg. 51]

How should responsibility among different entities involved in the processing of data be distributed? 


Alternatives: 


a.  Making data controllers key owners and making them accountable.

b.  Clear bifurcation of roles and associated expectations from various entities.

c.  Defining liability conditions for primary and secondary owners of personal data.

d.  Dictating terms/clauses for data protection in the contracts signed between them.

e.  Use of contractual law for providing protection to data subject from data 
processor. 
[Part II/Ch.6 (Entities to be defined in the law: data controllers and processors)/Q3/Pg. 51]

What are the categories of exemptions that can be incorporated in the data protection law? 
(Part II/Ch.7 (Exemptions for household purpose, journalistic and literary purposes and research) to be defined in the law: data controllers and processors)/Q1/Pg. 59]

What are the basic security safeguards/organisational measures which should be prescribed when processing is carried out on an exempted ground, if any? 
(Part II/Ch.7 (Exemptions for household purpose, journalistic and literary purposes and research) to be defined in the law: data controllers and processors)/Q2/Pg. 59]

Should the data protection law have specific provisions facilitating cross border transfer of data? If yes, what should the adequacy standard be the threshold test for transfer of data? 
(Part II/Ch.8 (Cross-border flow of data)/Q2/Pg. 68]

Should certain types of sensitive personal information be prohibited from being transferred outside India even if it fulfils the test for transfer? 
(Part II/Ch.8 (Cross-border flow of data)/Q3/Pg. 68]

Should there be a data localisation requirement for the storage of personal data within the jurisdiction of India? 
(Part II/Ch.9 (Data Localization)/Q2/Pg. 75]

If yes, what should be the scope of the localisation mandate? Should it include all personal information or only sensitive personal information? 
[Part II/Ch.9 (Data Localization)/Q3/Pg. 75]

If the data protection law calls for localisation, what would be impact on industry and other sectors?
[Part II/Ch.9 (Data Localization)/Q4/Pg. 75]

On whom should the primary onus of ensuring accuracy of data lie especially when consent is the basis of collection? 


Alternatives:

a. The individual 


b. The entity collecting the data 
[Part III/Ch.7 (Storage limitation and data quality)/Q2/Pg.121]

How long should an organisation be permitted to store personal data? What happens upon completion of such time period? 


Alternatives:

a. Data should be completely erased 


b. Data may be retained in anonymised form 
[Part III/Ch.7 (Storage limitation and data quality)/Q3/Pg.121]

Should there be a restriction on the categories of information that an individual should be entitled to when exercising their right to access?
[Part III/Ch.8 (Individual Participation Rights-1)/Q2/Pg.128]

What should be the scope of the right to rectification? Should it only extend to having inaccurate date rectified or should it include the right to move court to get an order to rectify, block, erase or destroy inaccurate data as is the case with the UK?[Part III/Ch.8 (Individual Participation Rights-1)/Q3/Pg.128]

Should there be a fee imposed on exercising the right to access and rectify one‘s personal data?

Alternatives:

a. There should be no fee imposed. 


b. The data controller should be allowed to impose a reasonable fee. 


c. The data protection authority/sectoral regulators may prescribe a reasonable fee. 
[Part III/Ch.8 (Individual Participation Rights-1)/Q4/Pg.128]

Should there be a fixed time period within which organisations must respond to such requests? If so, what should these be? 
[Part III/Ch.8 (Individual Participation Rights-1)/Q5/Pg.128]

Is guaranteeing a right to access the logic behind automated decisions technically feasible? How should India approach this issue given the challenges associated with it?[Part III/Ch.8 (Individual Participation Rights-1)/Q6/Pg.128]

What should be the exceptions to individual participation rights? 


[For instance, in the UK, a right to access can be refused if compliance with such a request will be impossible or involve a disproportionate effort. In case of South Africa and Australia, the exceptions vary depending on whether the organisation is a private body or a public body.] 
[Part III/Ch.8 (Individual Participation Rights-1)/Q7/Pg.128]

The EU GDPR introduces the right to restrict processing and the right to data portability. If India were to adopt these rights, what should be their scope? 
[Part III/Ch.9 (Individual Participation Rights-2)/Q2/Pg.136]

Should there be a prohibition on evaluative decisions taken on the basis of automated decisions?


Alternatives

a. There should be a right to object to automated decisions as is the case with the UK. 


b. There should a prohibition on evaluative decisions based on automated decision making.
 [Part III/Ch.9 (Individual Participation Rights-2)/Q3/Pg.136]

Given the concerns related to automated decision making, including the feasibility of the right envisioned under the EU GDPR, how should India approach this issue in the law? 
[Part III/Ch.9 (Individual Participation Rights-2)/Q4/Pg.136]

Should direct marketing be a discrete privacy principle, or should it be addressed via sector specific regulations? 
[Part III/Ch.9 (Individual Participation Rights-2)/Q5/Pg.136]

What are your views on the right to be forgotten having a place in India‘s data protection law?[Part III/Ch10 (Individual Participation Rights-3)/Q1/Pg.141]


Should the right to be forgotten be restricted to personal data that individuals have given out themselves? 
[Part III/Ch10 (Individual Participation Rights-3)/Q2/Pg.141

Does a right to be forgotten add any additional protection to data subjects not already available in other individual participation rights? 
[Part III/Ch10 (Individual Participation Rights-3)/Q3/Pg.141]

Does a right to be forgotten entail prohibition on display/dissemination or the erasure of the information from the controller‘s possession? 
[Part III/Ch10 (Individual Participation Rights-3)/Q4/Pg.141]

Does co-regulation seem an appropriate approach for a data protection enforcement mechanism in India?
[Part IV/Ch. 1 (Regulation and enforcement)/Q2/Pg.146]

What are the specific obligations/areas which may be envisaged under a data protection law in India for a (i) command and control‘ approach; (ii) self-regulation approach (if any); and (iii) co-regulation approach? 
[Part IV/Ch. 1 (Regulation and enforcement)/Q3/Pg.146]

What are the organisational measures that should be adopted and implemented in order to demonstrate accountability? Who will determine the standards which such measures have to meet? 
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q2/Pg.155]

Should the lack of organisational measures be linked to liability for harm resulting from processing of personal data?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q3/Pg.155]

Should all data controllers who were involved in the processing that ultimately caused harm to the individual be accountable jointly and severally or should they be allowed mechanisms of indemnity and contractual affixation of liability inter se?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q4/Pg.155]

Should there be strict liability on the data controller, either generally, or in any specific categories of processing, when well-defined harms are caused as a result of data processing?[Part IV/Ch. 2 (Accountability and enforcement tools)/Q5/Pg.155]

Should the data controllers be required by law to take out insurance policies to meet their liability on account of any processing which results in harm to data subjects? Should this be limited to certain data controllers or certain kinds of processing? 
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q6/Pg.156]

If the data protection law calls for accountability as a mechanism for protection of privacy, what would be impact on industry and other sector?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q7/Pg.156]

What are the subject matters for which codes of practice or conduct may be prepared?[Part IV/Ch. 2 (Accountability and enforcement tools)/Q2/Pg.160]

What is the process by which such codes of conduct or practice may be prepared? Specifically, which stakeholders should be mandatorily consulted for issuing such a code of practice? 
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q3/Pg.160]

Who should issue such codes of conduct or practice?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q4/Pg.160]

How should such codes of conduct or practice be enforced? 
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q5/Pg.160]

What should be the consequences for violation of a code of conduct or practice? 
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q4/Pg.160]

How should a personal data breach be defined? 
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q2/Pg.166]

When should personal data breach be notified to the authority and to the affected individuals?[Part IV/Ch. 2 (Accountability and enforcement tools)/Q3/Pg.166]


What are the circumstances in which data breaches must be informed to individuals?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q4/Pg.166]

What details should a breach notification addressed to an individual contain?[Part IV/Ch. 2 (Accountability and enforcement tools)/Q5/Pg.166]

Should a general classification of data controllers be made for the purposes of certain additional obligations facilitating compliance while mitigating risk? 
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q2/Pg.172]

Should data controllers be classified on the basis of the harm that they are likely to cause individuals through their data processing activities? 
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q3/Pg.172]

What are the factors on the basis of which such data controllers may be categorised? 
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q4/Pg.172]

What are the circumstances when Data Protection Impact Assessments (DPIA) should be made mandatory?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data Protection Impact Assessment)/Q2/Pg.173]

Who should conduct the DPIA? In which circumstances should a DPIA be done (i) internally by the data controller; (ii) by an external professional qualified to do so; and (iii) by a data protection authority? 
[Part IV/Ch. 2 (Accountability and enforcement tools: Data Protection Impact Assessment)/Q3/Pg.173]

What are the circumstances in which a DPIA report should be made public? 
[Part IV/Ch. 2 (Accountability and enforcement tools: Data Protection Impact Assessment)/Q4/Pg.173]

Is there a need to make data protection audits mandatory for certain types of data controllers?[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection Audit)/Q2/Pg.173]

Should data audits be undertaken internally by the data controller, by a third party (external person/agency), or by a data protection authority? 
[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection Audit)/Q4/Pg.173]

Should independent external auditors be registered / empanelled with a data protection authority to maintain oversight of their independence?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection Audit)/Q5/Pg.173]

Should it be mandatory for certain categories of data controllers to designate particular officers as DPOs for the facilitation of compliance and coordination under a data protection legal framework? 
[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection officer)/Q2/Pg.174]

What should be the qualifications and expertise of such a DPO? 
[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection officer)/Q3/Pg.174]

What should be the functions and duties of a DPO?[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection officer)/Q4/Pg.174]

 


Add new comment