White Paper of the Committee of Experts on Data Protection Framework for India

The Government of India has set up our Committee of Experts to study various issues relating to data protection in India, make specific suggestions on principles underlying a data protection bill and draft such a bill. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”

The issue of data protection is important both intrinsically and instrumentally. Intrinsically, a regime for data protection is synonymous with protection of informational privacy. As the Supreme Court observed in Puttaswamy,

Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.

Instrumentally, a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment and equal access.

A carefully formulated data protection law is necessary for fulfilling both these objectives. It is our Committee’s view that the law we draft must be cognisant of international and comparative practices in this regard. Doing otherwise in our increasingly interconnected world would be naïve. At the same time, the law must be acutely aware of the views of Indians, particularly the common man and woman, perhaps new to data but with clear views on right and wrong, benefit and harm.

To serve these two purposes, a White Paper has been drafted to solicit public comments on what shape a data protection law must take. The White Paper outlines the issues that a majority of the members of the Committee feel require incorporation in a law, relevant experiences from other countries and concerns regarding their incorporation, certain provisional views based on an evaluation of the issues vis-à-vis the objectives of the exercise, and specific questions for the public. On the basis of the responses received, we will conduct public consultations with citizens and stakeholders shortly to hear all voices that wish and need to be heard on this subject.

Since the task of identifying key data protection issues, examining international best practices and recommending a draft bill is a task of considerable magnitude, this White Paper is necessarily lengthy. However, for the benefit of those who may not have either the time or the inclination to peruse the contents of the White Paper fully, a concise summary is provided in Part V, containing the key principles and questions for public consultation.

Drafting a data protection law for India is a complex exercise. But as the scriptures say:

वादे वादे जायते तत्त्वबोध:
[From each debate, there arises knowledge of the Ultimate Truth]

With your inputs and our collective aim of both protecting and empowering citizens, we are certain that the law that India drafts will not only serve our own, but will also be a model for the world to adopt.

Chairman
Justice B.N. Srikrishna

Members
Smt. Aruna Sundararajan, Dr. Ajay Bhushan Pandey
Dr. Ajay Kumar, Prof. Rajat Moona, Dr. Gulshan Rai
Prof. Rishikesha T Krishnan, Dr. Arghya Sengupta
Smt. Rama Vedashree

Submission through this Web Form is preferred.

The deadline for submission of responses is 31st January, 2018.

In case you wish to submit written comments/feedback, the same may be sent to:
Shri Rakesh Maheshwari
Scientist G & Group Co-ordinator, Cyber laws
Ministry of Electronics and Information Technology (MeitY),
Electronics Niketan, 6, CGO Complex,
Lodhi Road, New Delhi - 110003.

Choose the ‘Part’ where you wish to submit inputs

Part II: Scope and Exemptions

This Part seeks to discuss the various issues vis-à-vis the scope of a data protection law for India with specific focus on: a) the territorial reach of the law; b) the contours of personal data; c) the application of the law to the private and the public sector; d) the entities regulated by the law; e) the activities regulated by the law; f) cross border flow of data; and g) data localisation.

Further, there are some activities which are to be left out of the purview of a data protection law since strict regulation of such processing activities may be counter-productive. However, determining which activities may be exempt from the scope of a data protection law requires careful thought. This Part discusses the following potential exemptions: household purposes, journalistic and literary purposes and research, investigation and detection of crime, and national security.

Part III: Grounds of Processing, Obligation on Entities and Individual Rights

This Part discusses the importance of obtaining an individual’s consent prior to such processing, and examines the manner in which an entity can obtain valid and informed consent. It also examines the need to legally demarcate grounds other than consent on the basis of which personal data may be processed since obtaining consent may not be feasible or desirable in all circumstances. To allow individuals to exercise some degree of control over their personal data, a data protection law must guarantee certain rights to them. These rights are known as individual participation rights and the following rights are specifically discussed in this Part: (a) confirmation and access; (b) rectification; (c) objection to processing; (d) objection to automated decision making; (e) restriction of processing; (f) data portability; and (g) right to be forgotten.

Part IV: Regulation and Enforcement

Part IV discusses various regulatory models including: (a) the ‘command-and-control’ approach; (b) the ‘self regulation’ approach; and (c) the ‘co-regulation’ approach. Other regulatory tools such as codes of practice for data controllers and data breach notification obligations have also been discussed.

This Part examines the possibility of a data protection law setting out various subject matters on which these codes may be issued. The need for differentiated, or more stringent obligations on data controllers with significant processing activities has also been discussed. These obligations may include the requirement of registration with an appropriate authority, and compliance measures such as data audits and data protection impact assessments. Further, this Part also discusses the need for a separate and independent authority to oversee the implementation and enforcement of a data protection law, and the potential powers and functions that such an authority would have. Finally, the need for defining certain remedies in the form of penalties for a data processing entity for failure to comply with the obligations set out under a data protection law, and compensation to an individual whose personal data has not been processed lawfully has also been discussed.

General Comments

General inputs on “White Paper of the Committee of Experts on Data Protection Framework for India” (We would appreciate it if you submit responses chapter-wise. If you have general comments, you can provide them here.)