Back

White Paper of the Committee of Experts on Data Protection Framework for India

Part III: Grounds of Processing, Obligation on Entities and Individual Rights

This Part discusses the importance of obtaining an individual’s consent prior to such processing, and examines the manner in which an entity can obtain valid and informed consent. It also examines the need to legally demarcate grounds other than consent on the basis of which personal data may be processed since obtaining consent may not be feasible or desirable in all circumstances. To allow individuals to exercise some degree of control over their personal data, a data protection law must guarantee certain rights to them. These rights are known as individual participation rights and the following rights are specifically discussed in this Part: (a) confirmation and access; (b) rectification; (c) objection to processing; (d) objection to automated decision making; (e) restriction of processing, (f) data portability and (g) right to be forgotten.

View Part III of the report

Summary of the Chapter

Most jurisdictions treat consent as one of the grounds for processing of personal data. However, consent is often not meaningful or informed, which raises issues of the extent to which it genuinely expresses the autonomous choice of an individual. Thus, the validity of consent and its effectiveness needs to be closely examined.

Questions

  • 1.What are your views on relying on consent as a primary ground for processing personal data? Alternatives: a.Consent will be the primary ground for processing. b.Consent will be treated at par with other grounds for processing. c.Consent may not be a ground for processing.
  • 2.What should be the conditions for valid consent? Should specific requirements such as ‘unambiguous’, ‘freely given’ etc. as in the EU GDPR be imposed? Would mandating such requirements be excessively onerous?
  • 3.How can consent fatigue and multiplicity of notices be avoided? Are there any legal or technology-driven solutions to this?
  • 4.Should different standards for consent be set out in law? Or should data controllers be allowed to make context-specific determinations?
  • 5.Would having very stringent conditions for obtaining valid consent be detrimental to day-to-day business activities? How can this be avoided?
  • 6.Are there any other views regarding consent which have not been explored above?
;

Summary of the Chapter

It is estimated that globally, one in three Internet users is a child under the age of 18. Keeping in mind their vulnerability and increased exposure to risks online, a data protection law must sufficiently protect their interests.

Questions

  • 1.What are your views regarding the protection of a child’s personal data?
  • 2.Should the data protection law have a provision specifically tailored towards protecting children’s personal data?
  • 3.Should the law prescribe a certain age-bar, above which a child is considered to be capable of providing valid consent? If so, what would the cut-off age be?
  • 4.Should the data protection law follow the South African approach and prohibit the processing of any personal data relating to a child, as long as she is below the age of 18, subject to narrow exceptions?
  • 5.Should the data protection law follow the Australian approach, and the data controller be given the responsibility to determine whether the individual has the capacity to provide consent, on a case by case basis? Would this requirement be too onerous on the data controller? Would relying on the data controller to make this judgment sufficiently protect the child from the harm that could come from improper processing?
  • 6.If a subjective test is used in determining whether a child is capable of providing valid consent, who would be responsible for conducting this test? Alternatives: a.The data protection authority b.The entity which collects the information c.This can be obviated by seeking parental consent
  • 7.How can the requirement for parental consent be operationalised in practice? What are the safeguards which would be required?
  • 8.Would a purpose-based restriction on the collection of personal data of a child be effective? For example, forbidding the collection of children’s data for marketing,advertising and tracking purposes?
  • 9.Should general websites, i.e. those that are not directed towards providing services to a child, be exempt from having additional safeguards protecting the collection, use and disclosure of children’s data? What is the criteria for determining whether a website is intended for children or a general website?
  • 10.Should data controllers have a higher onus of responsibility to demonstrate that they have obtained appropriate consent with respect to a child who is using their services? How will they have “actual knowledge” of such use?
  • 11.Are there any alternative views on the manner in which the personal data of children may be protected at the time of processing?
;

Summary of the Chapter

Notice is an essential prerequisite to operationalise consent. However, concerns have been raised about notices being ineffective because of factors such as length, use of complex language, etc. Thus, the law needs to ensure that notices are effective, such that consent is meaningful.

Questions

  • 1.Should the law rely on the notice and choice mechanism for operationalising consent?
  • 2.How can notices be made more comprehensible to individuals? Should government data controllers be obliged to post notices as to the manner in which they process personal data?
  • 3.Should the effectiveness of notice be evaluated by incorporating mechanisms such as privacy impact assessments into the law?
  • 4.Should the data protection law contain prescriptive provisions as to what information a privacy notice must contain and what it should look like? Alternatives: a.No form based requirement pertaining to a privacy notice should be prescribed by law. b.Form based requirements may be prescribed by sectoral regulators or by the data protection authority in consultation with sectoral regulators.
  • 5.How can data controllers be incentivized to develop effective notices? Alternatives: a.Assigning a ‘data trust score’. b.Providing limited safe harbor from enforcement if certain conditions are met. If a ‘data trust score’ is assigned, then who should be the body responsible for providing the score?
  • 6.Would a consent dashboard be a feasible solution in order to allow individuals to easily gauge which data controllers have obtained their consent and where their personal data resides? Who would regulate the consent dashboard? Would it be maintained by a third party, or by a government entity?
  • 7.Are there any other alternatives for making notice more effective, other than the ones considered above?
;

Summary of the Chapter

It is widely recognised that consent may not be sufficient as the only ground for lawful processing of personal data. Several other grounds, broadly conforming to practical requirements and legitimate state aims, are incorporated in various jurisdictions. The nature and remit of such grounds requires determination in the Indian context.

Questions

  • 1.What are your views on including other grounds under which processing may be done?
  • 2.What grounds of processing are necessary other than consent?
  • 3.Should the data protection authority determine residuary grounds of collection and their lawfulness on a case-by-case basis? On what basis shall such determination take place? Alternatives: a.No residuary grounds need to be provided. b.The data protection authority should lay down ‘lawful purposes’ by means of a notification. c.On a case-by-case basis, applications may be made to the data protection authority for determining lawfulness. d.Determination of lawfulness may be done by the data controller subject to certain safeguards in the law.
  • 4.Are there any alternative methods to be considered with respect to processing personal data without relying on consent?
;

Summary of the Chapter

Purpose specification and use limitation are two cardinal principles in the OECD framework. The principles have two components- first, personal data must be collected for a specified purpose; second, once data is collected, it must not be processed further for a purpose that is not specified at the time of collection or in a manner incompatible with the purpose of collection. However the relevance of these principles in the world of modern technology has come under scrutiny, especially as future uses of personal data after collection cannot always be clearly ascertained. Its relevance for the Indian context will thus have to be assessed.

Questions

  • 1.What are your views on the relevance of purpose specification and use limitation principles?
  • 2.How can the purpose specification and use limitation principles be modified to accommodate the advent of new technologies?
  • 3.What is the test to determine whether a subsequent use of data is reasonably related to/compatible with the initial purpose? Who is to make such determination?
  • 4.What should the role of sectoral regulators be in the process of explicating standards for compliance with the law in relation to purpose specification and use limitation? Alternatives: a.The sectoral regulators may not be given any role and standards may be determined by the data protection authority. b.Additional/ higher standards may be prescribed by sectoral regulators over and above baseline standards prescribed by such data protection authority. c.No baseline standards will be prescribed by the authority; the determination of standards is to be left to sectoral regulators.
  • 5.Are there any other considerations with respect to purpose specification and use limitation principles which have not been explored above?
;

Summary of the Chapter

If ‘sensitive personal data’ is to be treated as a separate category, there is a concomitant need to identify grounds for its processing. These grounds will have to be narrower than grounds for general processing of personal data and reflect the higher expectations of privacy that individuals may have regarding intimate facets of their person.

Questions

  • 1.What are your views on how the processing of sensitive personal data should be done?
  • 2.Given that countries within the EU have chosen specific categories of “sensitive personal data”, keeping in mind their unique socio-economic requirements, what categories of information should be included in India’s data protection law in this category?
  • 3.What additional safeguards should exist to prevent unlawful processing of sensitive personal data? Alternatives: a.Processing should be prohibited subject to narrow exceptions. b.Processing should be permitted on grounds which are narrower than grounds for processing all personal data. c.No general safeguards need to be prescribed. Such safeguards may be incorporated depending on context of collection, use and disclosure and possible harms that might ensue. d.No specific safeguards need to be prescribed but more stringent punishments can be provided for in case of harm caused by processing of sensitive personal information.
  • 4.Should there be a provision within the law to have sector specific protections for sensitive data, such as a set of rules for handling health and medical information, another for handling financial information and so on to allow contextual determination of sensitivity?
  • 5.Are there any alternative views on this which have not been discussed above?
;

Summary of the Chapter

Related to the principle of purpose specification is the principle of storage limitation which requires personal data to be erased or anonymised once the purpose for which such data was collected is complete. Personal data in the possession of data controllers should also be accurate, complete and kept up-to-date. These principles cast certain obligations on data controllers. The extent of such obligations must be carefully determined.

Questions

  • 1.What are your views on the principles of storage limitation and data quality?
  • 2.On whom should the primary onus of ensuring accuracy of data lie especially when consent is the basis of collection? Alternatives: a.The individual b.The entity collecting the data
  • 3.How long should an organisation be permitted to store personal data? What happens upon completion of such time period? Alternatives: a.Data should be completely erased b.Data may be retained in anonymised form
  • 4.If there are alternatives to a one-size-fits-all model of regulation (same rules applying to all types of entities and data being collected by them) what might those alternatives be?
  • 5.Are there any other views relating to the concpets of storage limitation and data quality which have not been considered above?
;

Summary of the Chapter

One of the core principles of data privacy law is the “individual participation principle” which stipulates that the processing of personal data must be transparent to, and capable of being influenced by, the data subject.Intrinsic to this principle are the rights of confirmation, access, and rectification. Incorporation of such rights has to be balanced against technical, financial and operational challenges in implementation.

Questions

  • 1.What are your views in relation to the above?
  • 2.Should there be a restriction on the categories of information that an individual should be entitled to when exercising their right to access?
  • 3.What should be the scope of the right to rectification? Should it only extend to having inaccurate date rectified or should it include the right to move court to get an order to rectify, block, erase or destroy inaccurate data as is the case with the UK?
  • 4.Should there be a fee imposed on exercising the right to access and rectify one’s personal data? Alternatives: a.There should be no fee imposed. b.The data controller should be allowed to impose a reasonable fee. c.The data protection authority/sectoral regulators may prescribe a reasonable fee.
  • 5.Should there be a fixed time period within which organisations must respond to such requests? If so, what should these be?
  • 6.Is guaranteeing a right to access the logic behind automated decisions technically feasible? How should India approach this issue given the challenges associated with it?
  • 7.What should be the exceptions to individual participation rights? [For instance, in the UK, a right to access can be refused if compliance with such a request will be impossible or involve a disproportionate effort. In case of South Africa and Australia, the exceptions vary depending on whether the organisation is a private body or a public body.]
  • 8.Are there any other views on this, which have not been considered above?
;

Summary of the Chapter

In addition to confirmation, access and rectification, the EU GDPR has recognised other individual participation rights, viz. the right to object to processing (including for Direct marketing), the right not to be subject to a decision solely based on automated processing, the right to restrict processing, and the right to data portability. These rights are inchoate and some such as those related to Direct Marketing overlap with sectoral regulations. The suitability of incorporation of such rights must be assessed in light of their implementability in the Indian context.

Questions

  • 1.What are your views on the above individual participation rights?
  • 2.The EU GDPR introduces the right to restrict processing and the right to data portability. If India were to adopt these rights, what should be their scope?
  • 3.Should there be a prohibition on evaluative decisions taken on the basis of automated decisions? Alternatives: a.There should be a right to object to automated decisions as is the case with the UK. b.There should a prohibition on evaluative decisions based on automated decision making.
  • 4.Given the concerns related to automated decision making, including the feasibility of the right envisioned under the EU GDPR, how should India approach this issue in the law?
  • 5.Should direct marketing be a discrete privacy principle, or should it be addressed via sector specific regulations?
  • 6.Are there any alternative views which have not been considered?
;

Summary of the Chapter

The right to be forgotten has emerged as one of the most emotive issues in data protection law. The decision of the European Court of Justice in the Google Spain case and the repeated reference to this right in Puttaswamy necessitates a closer look at its contours, scope and exceptions, particularly as it raises several vexed questions relating to the interface between free speech, privacy and the right to know.

Questions

  • 1.What are your views on the right to be forgotten having a place in India’s data protection law?
  • 2.Should the right to be forgotten be restricted to personal data that individuals have given out themselves?
  • 3.Does a right to be forgotten add any additional protection to data subjects not already available in other individual participation rights?
  • 4.Does a right to be forgotten entail prohibition on display/dissemination or the erasure of the information from the controller’s possession?
  • 5.Whether a case-to-case balancing of the data subject’s rights with controller and public interests is a necessary approach for this right? Who should perform this balancing exercise? If the burden of balancing rests on the data controller as it does in the EU, is it fair to also impose large penalties if the said decision is deemed incorrect by a data protection authority or courts?
  • 6.Whether special exemptions (such as the right to freedom of expression and information) are needed for this right? (over and above possible general exemptions such as national security, research purposes and journalistic or artistic expression)?
  • 7.Are there any alternative views to this?
;
Back