White Paper of the committee of experts on a data protection framework for India

The borderless nature of the Internet raises several jurisdictional issues in data protection. A single act of processing of personal data could very easily occur across multiple jurisdictions. Traditional principles of sovereignty and territorial jurisdiction have evolved in circumstances where such cross-border actions were uncommon. As such, it is not easy to determine the kind of application clause in which a data protection legislation is a must have.

1. Context-Setting: Several jurisdictions have deliberated on the applicability of a data protection law to individuals as well as corporate entities/juristic persons. For instance, the EU General Data Protection Regulation (GDPR) applies to ‘natural persons’, as the definition of ‘personal data’ is specifically linked to individuals and not legal/juristic persons. Data related to juristic persons such as confidential business information and corporate strategies should be protected against various types of processing activities on such data. Further, such data should be subject to data security safeguards in order to ensure that the legitimate interests of juristic persons are protected.

Most key principles of data protection such as lawful processing and individual participation are intrinsically derived from the object of protecting the autonomy and dignity of the individual. It would be difficult to extend these principles to data relating to a juristic entity.

2. Nature of Personal data: This distinction between data and information in its ordinary usage is perhaps not determinative in data protection. As the object of the law is to demarcate the sphere of information relevant to the protection of the identity of an individual, the choice of the term “data” or “information” may not matter as these terms would not be used in their ordinary sense. The definition will have to cover both data and information if it bears a connection to the identity of the individual.

This is reflected in international practice as well. It further deals with identified or identifiable individual, pseudonymisation and anonymisation, personal data and new technologies.

3. Several Exemptions: There are some activities which cannot be brought under the purview of a data protection law. In other words, a data controller can be exempted from certain obligations of a data protection law based on the nature and purpose of the processing activity. For instance, if a law enforcement officer wants to collect or use personal information for the purpose of an investigation, seeking the consent of the data subjects or allowing them to access or rectify their data would delay the process and may even defeat its purpose. Specific exemptions include personal or household purpose, journalistic/artistic/literary purposes, research/historical and statistical purposes, investigation and detection of crime, national security or security of State and other similar grounds.

4. Cross-Border Flow of Data: With the advent of the Internet, huge quantities of personal data relating to employees and customers are being transferred internationally. Such data transfers often occur between and among units of the same corporate enterprise that are located in different countries as many of these global enterprises have customer databases and storage facilities in a number of regional locations. Cross-border flow of data is vital to accessing valuable digital services.

There are two tests identified for the formation of laws related to cross-border data flow – the adequacy test and the comparable level of protection test, for personal data. In order to implement the adequacy test, there needs to be clarity as to which countries provide for an adequate level of protection for personal data. The data protection authority should be given the power to determine this. The adequacy test is particularly beneficial because it will ensure a smooth two-way flow of information, critical to a digital economy.

5. Data Localization & related Issues: Data localization requires companies to store and process data on servers physically located within national borders. Governments across the globe driven by concerns over privacy, security, surveillance and law enforcement have been enacting legislation that necessitates localization of data. A nation has the prerogative to take measures to protect its interests and its sovereignty, but it must carefully evaluate the advantages and dangers of locally storing data before taking a firm decision on an issue that has the potential to cause a major ripple effect across a number of industries. Issues such as protecting rights of data subjects, preventing foreign surveillance, easy access of data in support of law enforcement and national security, IT-BPO/BPM industrial growth, digitisation of product and service offerings, India as a capital of analytics services, cloud services brokerage, global in-house centers (GICs), etc. have been dealt with in the report.

6. Grounds of Processing, Obligation on Entities and Individual Rights (Informational Privacy): The report deals with grounds of processing, the obligation on entities and individual rights. Consent forms the foundation of data protection law in many jurisdictions. There is great value in using consent as a validating mechanism for data processing. It satisfies two needs. First, consent is intuitively considered the most appropriate method to ensure the protection of an individual’s autonomy. Allowing an individual to have autonomy over her personal information allows her to enjoy “informational privacy”. Informational privacy may be broadly understood as the individual’s ability to exercise control over the manner in which her information may be collected and used. Second, consent provides a “morally transformative” value as it justifies conduct, which might otherwise be considered wrongful.

 The report also deals with the concept of ‘Child consent’.

7. Consent: The report further throws light on the idea of ‘consent’ as is operationalised through the mechanism of “notice and choice”. The underlying philosophy is that consent through notice puts the individual in charge of the collection and subsequent use of her personal information. Notice purports to respect the basic autonomy of the individual by arming her with relevant information and placing in her hands the ultimate decision of whether or not her personal information is to be used.

8. Other grounds of Processing: Lawfulness of processing is a core principle under data protection law. The Organisation for Economic Cooperation and Development (OECD) Guidelines recognise lawfulness of processing under the collection limitation principle, which provides that collection of personal data must be limited, and any such collection should be done only by lawful and fair means, and where appropriate, with the consent of the concerned individual. Issues such as ‘requirement to have additional grounds of processing, along with consent’ and ‘lack of clarity with respect to certain grounds of processing, such as “public interest”, “vital interest” and “legitimate interest” have been dealt with.

9. Purpose specification and Use Limitation: An entire chapter deals with the Purpose Specification and Use Limitation. Purpose Specification is an essential first step in applying data protection laws and designing safeguards for the collection, use and disclosure of personal data.

10. Sensitive Personal Data: Definitions of “sensitive data”  is as per the Sensitive Personal Data Rules, 2011. The need to further examine the rationale behind certain categories of personal data, difficulty in determining the context of use which could make data sensitive, have been covered in the report.

11. Individual Participation rights: Two specific chapter deals with individual participation rights such as right to confirmation, right to access, and right to rectification, right to object to processing, right to object to processing for purpose of direct marketing, right to not be subject to a decision based solely on automated processing, right to data portability, and, right to restrict processing. Following these two, there is another chapter that deals entirely with ‘right to be forgotten’.

12. Enforcement Models: Part IV of the work deals with enforcement models. The enforcement of data protection norms is complicated primarily by two factors: first, the application of the norms across different fields, sectors, industries and contexts and, second, the rapid pace of development and change in data processing technologies. These factors produce unique enforcement problems not found in other regulatory fields. Model types such as command and control regulation, self-regulation, co-regulation are explained in brief.

13. Data Protection: Central to accountability are the concepts of ‘privacy by design’ and ‘privacy by default’ which oblige businesses to consider data privacy at the initial design stages of a project as well as throughout the life cycle of the relevant data processing. In this sense, accountability does not redefine data protection, nor does it replace existing law or regulation, since accountable organisations must comply with existing applicable law. Instead, accountability shifts the focus of privacy governance to an organisation’s ability to demonstrate its capacity to achieve specified privacy objectives.

14. The last part of the report throws light on Personal Data Breach notification, categorisation of data-controllers, Data Protection Authority.

15. Penalties: The last chapter deals with the provision of penalties. In the context of a data protection law, civil penalties may be calculated in a manner to ensure that the quantum of civil penalty imposed not only acts as a sanction but also acts as a deterrence to data controllers, which have violated their obligations under a data protection law.

Join the discussion

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.