
White Paper of the Committee of Experts on Data Protection Framework for India

Part II: Scope and Exemptions

This Part seeks to discuss the various issues vis-à-vis the scope of a data protection law for India with specific focus on: a) the territorial reach of the law; b) the contours of personal data; c) the application of the law to the private and the public sector; d) the entities regulated by the law; e) the activities regulated by the law; f) cross border flow of data; and g) data localisation.

Further, there are some activities which are to be left out of the purview of a data protection law, since strict regulation of such processing activities may be counter-productive. However, determining which activities may be exempt from the scope of a data protection law requires careful thought. This Part discusses the following potential exemptions: household purposes; journalistic and literary purposes; research; investigation and detection of crime; and national security.


Summary of the Chapter

The power of the State to prescribe and enforce laws is governed by the rules of jurisdiction in international law. Data protection laws challenge this traditional conception since a single act of processing could very easily occur across jurisdictions. In this context, it is necessary to determine the applicability of the proposed data protection law.

Questions

1. What are your views on what the territorial scope and the extra-territorial application of a data protection law in India should be?
2. To what extent should the law be applicable outside the territory of India in cases where data of Indian residents is processed by entities who do not have any presence in India?
3. While providing such protection, what kind of link or parameters or business activities should be considered? Alternatives:
   a. Cover cases where processing wholly or partly happens in India irrespective of the status of the entity.
   b. Regulate entities which offer goods or services in India even though they may not have a presence in India (modelled on the EU GDPR).
   c. Regulate entities that carry on business in India (modelled on Australian law), business meaning consistent and regular activity with the aim of profit.
4. What measures should be incorporated in the law to ensure effective compliance by foreign entities, inter alia when adverse orders (civil or criminal) are issued against them?
5. Are there any other views on the territorial scope and extra-territorial application of a data protection law in India, other than the ones considered above?

Summary of the Chapter

There are three issues of scope other than territorial application. These relate to the applicability of the law to data relating to juristic persons such as companies, differential application of the law to the private and the public sector, and retrospective application of the law.

Questions

1. What are your views on the issues relating to applicability of a data protection law in India in relation to (i) natural/juristic persons; (ii) public and private sector; and (iii) retrospective application of such law?
2. Should the law seek to protect data relating to juristic persons in addition to protecting personal data relating to individuals? Alternatives:
   a. The law could regulate personal data of natural persons alone.
   b. The law could regulate data of natural persons and companies, as in South Africa. However, this is rare, as most data protection legislations protect data of natural persons alone.
3. Should the law be applicable to government/public and private entities processing data equally? If not, should there be a separate law to regulate government/public entities collecting data? Alternatives:
   a. Have a common law imposing obligations on Government and private bodies, as is the case in most jurisdictions. Legitimate interests of the State can be protected through relevant exemptions and other provisions.
   b. Have different laws defining obligations on the government and the private sector.
4. Should the law provide protection retrospectively? If yes, what should be the extent of retrospective application? Should the law apply in respect of lawful and fair processing of data collected prior to the enactment of the law? Alternatives:
   a. The law should be applicable retrospectively in respect of all obligations.
   b. The law will apply to processes such as storing, sharing, etc. irrespective of when data was collected, while some requirements such as grounds of processing may be relaxed for data collected in the past.
5. Should the law provide for a time period within which all regulated entities will have to comply with the provisions of the data protection law?
6. Are there any other views relating to the above concepts?

Summary of the Chapter

The definition of personal information or personal data is the critical element which determines the zone of informational privacy guaranteed by a data protection legislation. Thus, it is important to accurately define personal information or personal data which will trigger the application of the data protection law.

Questions

1. What are your views on the contours of the definition of personal data or information?
2. For the purpose of a draft data protection law, should the term ‘personal data’ or ‘personal information’ be used? Alternatives:
   a. The SPDI Rules use the term sensitive personal information or data.
   b. Adopt one term: personal data, as in the EU GDPR, or personal information, as in Australia, Canada or South Africa.
3. What kind of data or information qualifies as personal data? Should it include any kind of information, including facts, opinions or assessments, irrespective of their accuracy?
4. Should the definition of personal data focus on identifiability of an individual? If yes, should it be limited to an ‘identified’, ‘identifiable’ or ‘reasonably identifiable’ individual?
5. Should anonymised or pseudonymised data be outside the purview of personal data? Should the law recommend either anonymisation or pseudonymisation, for instance as the EU GDPR does? [Anonymisation seeks to remove the identity of the individual from the data, while pseudonymisation seeks to disguise the identity of the individual in the data. Anonymised data falls outside the scope of personal data in most data protection laws, while pseudonymised data continues to be personal data. The EU GDPR actively recommends pseudonymisation of data.]
6. Should there be a differentiated level of protection for data where an individual is identified when compared to data where an individual may be identifiable or reasonably identifiable? What would be the standards for determining whether a person may or may not be identified on the basis of certain data?
7. Are there any other views on the scope of the terms ‘personal data’ and ‘personal information’ which have not been considered?

Summary of the Chapter

While personal data refers to all information related to a person’s identity, there may be certain intimate matters in which there is a higher expectation of privacy. Such a category, widely called ‘sensitive personal data’, requires precise definition.

Questions

1. What are your views on sensitive personal data?
2. Should the law define a set of information as sensitive data? If yes, what category of data should be included in it? E.g. financial information / health information / caste / religion / sexual orientation. Should any other category be included? [For instance, the EU GDPR incorporates racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.]
3. Are there any other views on sensitive personal data which have not been considered above?

Summary of the Chapter

Data protection laws across jurisdictions have defined the term ‘processing’ in various ways. It is important to formulate an inclusive definition of processing to identify all operations, which may be performed on personal data, and consequently be subject to the data protection law.

Questions

1. What are your views on the nature and scope of data processing activities?
2. Should the definition of processing list only the main operations of processing, i.e. collection, use and disclosure of data, and inclusively cover all possible operations on data?
3. Should the scope of the law include both automated and manual processing? Should the law apply to manual processing only when such data is intended to be stored in a filing system or in some similar structured format? Alternatives:
   a. All personal data processed must be included, howsoever it may be processed.
   b. If data is collected manually, only filing systems should be covered, as the risk of profiling is lower in other cases.
   c. Limit the scope to automated or digital records only.
4. Are there any other issues relating to the processing of personal data which have not been considered?

Summary of the Chapter

The obligations on entities in the data ecosystem must be clearly delineated. To this end a clear conceptual understanding of the accountability of different entities which control and process personal data must be evolved.

Questions

1. What are your views on the obligations to be placed on various entities within the data ecosystem?
2. Should the law only define ‘data controller’ or should it additionally define ‘data processor’? Alternatives:
   a. Do not use the concept of data controller/processor; all entities falling within the ambit of the law are equally accountable.
   b. Use the concept of ‘data controller’ (entity that determines the purpose of collection of information) and attribute primary responsibility for privacy to it.
   c. Use the two concepts of ‘data controller’ and ‘data processor’ (entity that receives information) to distribute primary and secondary responsibility for privacy.
3. How should responsibility among different entities involved in the processing of data be distributed? Alternatives:
   a. Making data controllers key owners and making them accountable.
   b. Clear bifurcation of roles and associated expectations from various entities.
   c. Defining liability conditions for primary and secondary owners of personal data.
   d. Dictating terms/clauses for data protection in the contracts signed between them.
   e. Use of contractual law for providing protection to the data subject from the data processor.
4. Are there any other views on data controllers and processors which have not been considered above?

Summary of the Chapter

A data controller may be exempted from certain obligations of a data protection law based on the nature and purpose of the processing activity, e.g. certain legitimate aims of the State. The scope of such exemptions, also recognised by the Supreme Court in Puttaswamy, needs to be carefully formulated.

Questions

1. What are the categories of exemptions that can be incorporated in the data protection law?
2. What are the basic security safeguards/organisational measures which should be prescribed when processing is carried out on an exempted ground, if any?

Domestic/Household Processing

1. What are your views on including domestic/household processing as an exemption?
2. What is the scope of activities that will be included under this exemption?
3. Can terms such as ‘domestic’ or ‘household purpose’ be defined?
4. Are there any other views on this exemption?

Journalistic/Artistic/Literary Purpose

1. What are your views on including journalistic/artistic/literary purpose as an exemption?
2. Should exemptions for journalistic purpose be included? If so, what should be their scope?
3. Can terms such as ‘journalist’ and ‘journalistic purpose’ be defined?
4. Would these activities also include publishing of information by non-media organisations?
5. What would be the scope of activities included for ‘literary’ or ‘artistic’ purpose? Should the terms be defined broadly?
6. Are there any other views on this exemption?

Research/Historical/Statistical Purpose

1. What are your views on including research/historical/statistical purpose as an exemption?
2. Can measures be incorporated in the law to exclude activities under this head which are not being conducted for a bona fide purpose?
3. Will the exemption fail to operate if the research conducted in these areas is subsequently published or used for a commercial purpose?
4. Are there any other views on this exemption?

Investigation and Detection of Crime, National Security

1. What are your views on including investigation and detection of crimes and national security as exemptions?
2. What should be the width of the exemption provided for investigation and detection of crime? Should there be a prior judicial approval mechanism before invoking such a clause?
3. What constitutes a reasonable exemption on the basis of national security? Should other related grounds, such as maintenance of public order or security of the State, also be grounds for exemptions under the law?
4. Should there be a review mechanism after processing information under this exemption? What should the review mechanism entail?
5. How can the enforcement mechanisms under the proposed law monitor/control processing of personal data under this exemption?
6. Do we need to define obligations of law enforcement agencies to protect personal data in their possession?
7. Can a data protection authority and/or a third party challenge processing covered under this exemption?
8. What other measures can be taken in order to ensure that this exemption is used for bona fide purposes?
9. Are there any other views on these exemptions?

Additional Exemptions

1. Should ‘prevention of crime’ be separately included as a ground for exemption?
2. Should a separate exemption for assessment and collection of tax in accordance with the relevant statutes be included?
3. Are there any other categories of information which should be exempt from the ambit of a data protection law?

Summary of the Chapter

Given the advent of the Internet, huge quantities of personal data are regularly transferred across national borders. Providing strong rules to govern such data flows is vital for all entities in the data eco-system.

Questions

1. What are your views on cross-border transfer of data?
2. Should the data protection law have specific provisions facilitating cross-border transfer of data? If yes, should an adequacy standard be the threshold test for transfer of data?
3. Should certain types of sensitive personal information be prohibited from being transferred outside India even if they fulfil the test for transfer?
4. Are there any other views on cross-border data transfer which have not been considered?

Summary of the Chapter

Data localisation requires companies to store and process data on servers physically located within national borders. Several governments, driven by concerns over privacy, security, surveillance and law enforcement, have been enacting legislation that necessitates localisation of data. Localisation measures may have detrimental effects for companies, harm Internet users, and fragment the global Internet.

Questions

1. What are your views on data localisation?
2. Should there be a data localisation requirement for the storage of personal data within the jurisdiction of India?
3. If yes, what should be the scope of the localisation mandate? Should it include all personal information or only sensitive personal information?
4. If the data protection law calls for localisation, what would be the impact on industry and other sectors?
5. Are there any other issues or concerns regarding data localisation which have not been considered above?

Summary of the Chapter

Currently, there are a variety of laws in India which contain provisions dealing with the processing of data, including personal data as well as sensitive personal data. These laws operate in various sectors, such as the financial sector, the health sector and the information technology sector. Consequently, such laws may need to be examined against a new data protection legal and regulatory framework as and when such a framework comes into existence in India.

Questions

1. Comments may be required from relevant stakeholders on how each of these laws may need to be reconciled with the obligations for data processing introduced under a new data protection law. Details of such laws identified by us may be found on page 77 above.