
White Paper of the Committee of Experts on Data Protection Framework for India

Part IV: Regulation and Enforcement

Part IV discusses various regulatory models, including: (a) the ‘command-and-control’ approach; (b) the ‘self-regulation’ approach; and (c) the ‘co-regulation’ approach. Other regulatory tools, such as codes of practice for data controllers and data breach notification obligations, have also been discussed.

This Part examines the possibility of a data protection law setting out various subject matters on which these codes may be issued. The need for differentiated, or more stringent obligations on data controllers with significant processing activities has also been discussed. These obligations may include the requirement of registration with an appropriate authority, and compliance measures such as data audits and data protection impact assessments. Further, this Part also discusses the need for a separate and independent authority to oversee the implementation and enforcement of a data protection law, and the potential powers and functions that such an authority would have. Finally, the need for defining certain remedies in the form of penalties for a data processing entity for failure to comply with the obligations set out under a data protection law, and compensation to an individual whose personal data has not been processed lawfully has also been discussed.

View Part IV of the report

Summary of the Chapter

Once the substantive obligations of a data protection law are formalised, provisions regarding enforcement must be structured so as to ensure compliance with those substantive provisions. Effective enforcement requires consideration of certain aspects of institutional design and overall approach before the individual elements of the framework can be developed and aligned. These aspects include the extent of the burden placed on entities covered under such a framework, the structure and functions of any enforcement agency, and the tools at its disposal. The enforcement models considered are: (i) ‘command and control’; (ii) self-regulation; and (iii) co-regulation.

Questions

  • 1. What are your views on the above described models of enforcement?
  • 2. Does co-regulation seem an appropriate approach for a data protection enforcement mechanism in India?
  • 3. What are the specific obligations/areas which may be envisaged under a data protection law in India for a (i) ‘command and control’ approach; (ii) self-regulation approach (if any); and (iii) co-regulation approach?
  • 4. Are there any alternative views to this?

Summary of the Chapter

The processing of personal data entails an increase of power (in terms of knowledge and its consequent insights) of the data controller vis-à-vis the individual. Data protection regulations are a means to help protect individuals from abuses of power resulting from the processing of their personal data.

Questions

  • 1. What are your views on the use of the principle of accountability as stated above for data protection?
  • 2. What are the organisational measures that should be adopted and implemented in order to demonstrate accountability? Who will determine the standards which such measures have to meet?
  • 3. Should the lack of organisational measures be linked to liability for harm resulting from the processing of personal data?
  • 4. Should all data controllers who were involved in the processing that ultimately caused harm to the individual be accountable jointly and severally, or should they be allowed mechanisms of indemnity and contractual affixation of liability inter se?
  • 5. Should there be strict liability on the data controller, either generally or in any specific categories of processing, when well-defined harms are caused as a result of data processing?
  • 6. Should data controllers be required by law to take out insurance policies to meet their liability on account of any processing which results in harm to data subjects? Should this be limited to certain data controllers or certain kinds of processing?
  • 7. If the data protection law calls for accountability as a mechanism for the protection of privacy, what would be the impact on industry and other sectors?
  • 8. Are there any other issues or concerns regarding accountability which have not been considered above?

Summary of the Chapter

A number of regulatory tools and mechanisms may be utilised simultaneously to achieve different enforcement objectives, such as flexibility and rigour in compliance. It needs to be determined which regulatory tools and mechanisms will find a place in a data protection law for India.

Questions

  • 1. What are your views on this?
  • 2. What are the subject matters for which codes of practice or conduct may be prepared?
  • 3. What is the process by which such codes of conduct or practice may be prepared? Specifically, which stakeholders should be mandatorily consulted for issuing such a code of practice?
  • 4. Who should issue such codes of conduct or practice?
  • 5. How should such codes of conduct or practice be enforced?
  • 6. What should be the consequences for violation of a code of conduct or practice?
  • 7. Are there any alternative views?

Summary of the Chapter

The aggregation of data in the hands of public and private entities leaves them vulnerable to data breaches. Data breaches can take many forms, including: hackers gaining access to data through a malicious attack; lost, stolen, or temporarily misplaced equipment; employee negligence; and policy and/or system failure. It is important to identify these threats and establish processes to deal with such breaches.

Questions

  • 1. What are your views in relation to the above?
  • 2. How should a personal data breach be defined?
  • 3. When should a personal data breach be notified to the authority and to the affected individuals?
  • 4. What are the circumstances in which data breaches must be notified to individuals?
  • 5. What details should a breach notification addressed to an individual contain?
  • 6. Are there any alternative views other than the ones discussed above?

Summary of the Chapter

Given the complexity and breadth of application of a data protection law, it may be difficult for a regulator to effectively ensure compliance on the part of all data controllers. Further, a data protection law can entail heavy compliance burdens. As a result, it may be necessary, for both principled and practical reasons, to differentiate between data controllers depending on factors that give rise to greater risks or threats to individual data protection rights.

Questions

  • 1. What are your views on the manner in which data controllers may be categorised?
  • 2. Should a general classification of data controllers be made for the purposes of certain additional obligations, facilitating compliance while mitigating risk?
  • 3. Should data controllers be classified on the basis of the harm that they are likely to cause individuals through their data processing activities?
  • 4. What are the factors on the basis of which such data controllers may be categorised?
  • 5. What range of additional obligations can be considered for such data controllers?
  • 6. Are there any alternative views other than the ones mentioned above?
  • Registration
    1. Should there be a registration requirement for certain types of data controllers categorised on the basis of specified criteria as identified above? If yes, what should such criteria be, and what should the registration process entail?
    2. Are there any alternative views in relation to registration?
  • Data Protection Impact Assessment
    1. What are your views on requiring data controllers to conduct Data Protection Impact Assessments (DPIAs)?
    2. What are the circumstances in which DPIAs should be made mandatory?
    3. Who should conduct the DPIA? In which circumstances should a DPIA be done (i) internally by the data controller; (ii) by an external professional qualified to do so; and (iii) by a data protection authority?
    4. What are the circumstances in which a DPIA report should be made public?
    5. Are there any alternative views on this?
  • Data Protection Audit
    1. What are your views on incorporating a requirement to conduct data protection audits within a data protection law?
    2. Is there a need to make data protection audits mandatory for certain types of data controllers?
    3. What aspects may be evaluated in such data audits?
    4. Should data audits be undertaken internally by the data controller, by a third party (external person/agency), or by a data protection authority?
    5. Should independent external auditors be registered/empanelled with a data protection authority to maintain oversight of their independence?
    6. What should be the qualifications of such external persons/agencies carrying out data audits?
    7. Are there any alternative views on this?
  • Data Protection Officer
    1. What are your views on a data controller appointing a DPO?
    2. Should it be mandatory for certain categories of data controllers to designate particular officers as DPOs for the facilitation of compliance and coordination under a data protection legal framework?
    3. What should be the qualifications and expertise of such a DPO?
    4. What should be the functions and duties of a DPO?
    5. Are there any alternative views?

Summary of the Chapter

The effective enforcement of data protection law may necessitate a separate, independent regulatory authority. Such an authority may discharge the following types of functions, powers and duties: (i) Monitoring, enforcement and investigation; (ii) Standard-setting; and (iii) Awareness generation.

Questions

  • 1. What are your views on the above?
  • 2. Is a separate, independent data protection authority required to ensure compliance with data protection laws in India?
  • 3. Is there a possibility of conferring the function and power of enforcement of a data protection law on an existing body, such as the Central Information Commission set up under the RTI Act?
  • 4. What should be the composition of a data protection authority, especially given the fact that a data protection law may also extend to public authorities/government? What should be the qualifications of such members?
  • 5. What is the estimated capacity of members and officials of a data protection authority in order to fulfil its functions? What is the methodology of such estimation?
  • 6. How should the members of the authority be appointed? If a selection committee is constituted, who should its members be?
  • 7. Considering that a single, centralised data protection authority may soon be over-burdened by the sheer quantum of requests/complaints it may receive, should additional state level data protection authorities be set up? What would their jurisdiction be? What should be the constitution of such state level authorities?
  • 8. How can the independence of the members of a data protection authority be ensured?
  • 9. Can the data protection authority retain a proportion of the income from penalties/fines?
  • 10. What should be the functions, duties and powers of a data protection authority?
  • 11. With respect to standard-setting, who will set such standards? Will it be the data protection authority, in consultation with other entities, or should different sets of standards be set by different entities? Specifically, in this regard, what will be the interrelationship between the data protection authority and the government, if any?
  • 12. Are there any alternative views other than the ones mentioned above?

Summary of the Chapter

Adjudication plays an integral role in enforcement of any law as it ascertains the rights and obligations of parties involved in a dispute and prescribes corrective actions and remedies. In the context of a data protection law, adjudication entails an assessment of whether and to what extent data protection rights of an individual have been infringed by a data controller, the loss or damage suffered by the individual due to the said infringement, the remedies available to the individual as well as the penal consequences that the data controller may be liable for.

Questions

  • 1. What are your views on the above?
  • 2. Should the data protection authority have the power to hear and adjudicate complaints from individuals whose data protection rights have been violated?
  • 3. Where the data protection authority is given the power to adjudicate complaints from individuals, what should be the qualifications and expertise of the adjudicating officer appointed by the data protection authority to hear such matters?
  • 4. Should appeals from a decision of the adjudicating officer lie with an existing appellate forum, such as the Appellate Tribunal (TDSAT)?
  • 5. If not the Appellate Tribunal, then what should be the constitution of the appellate authority?
  • 6. What are the instances where the appellate authority should be conferred with original jurisdiction? For instance, adjudication of disputes arising between two or more data controllers, between a data controller and a group of individuals, or between two or more individuals.
  • 7. How can digital mechanisms of adjudication and redressal (e.g. e-filing, video conferencing, etc.) be incorporated in the proposed framework?
  • 8. Should the data protection authority be given the power to grant compensation to an individual?
  • 9. Should there be a cap (e.g. up to Rs. 5 crores) on the amount of compensation which may be granted by the data protection authority? What should this cap be?
  • 10. Can an appeal from an order of the data protection authority granting compensation lie with the National Consumer Disputes Redressal Commission?
  • 11. Should any claim for compensation lie with the district commissions and/or the state commissions set up under the COPRA at any stage?
  • 12. In cases where the compensation claimed by an individual exceeds the prescribed cap, should the compensation claim lie directly with the National Consumer Disputes Redressal Commission?
  • 13. Should class action suits be permitted?
  • 14. How can judicial capacity be assessed? Would conducting judicial impact assessments be useful in this regard?
  • 15. Are there any alternative views other than the ones mentioned above?

Summary of the Chapter

In the context of a data protection law, civil penalties may be calculated in a manner that ensures the quantum of the civil penalty imposed not only acts as a sanction but also acts as a deterrent to data controllers that have violated their obligations under a data protection law. Further, there are three possible models (or a combination thereof) for the calculation of civil penalties: (i) a per day basis; (ii) the discretion of the adjudicating body subject to a fixed upper limit; (iii) the discretion of the adjudicating body subject to an upper limit linked to a variable parameter (such as a percentage of the total worldwide turnover of the defaulting data controller in the preceding financial year).

Questions

  • 1. What are your views on the above?
  • 2. What are the different types of data protection violations for which a civil penalty may be prescribed?
  • 3. Should the standard adopted by an adjudicating authority while determining the liability of a data controller for a data protection breach be strict liability? Should strict liability of a data controller instead be stipulated only where a data protection breach occurs while processing sensitive personal data?
  • 4. In view of the above models, how should civil penalties be determined or calculated for a data protection framework?
  • 5. Should civil penalties be linked to a certain percentage of the total worldwide turnover of the defaulting data controller (of the preceding financial year, as in the EU GDPR), or should there be a fixed upper limit prescribed under law?
  • 6. Should the turnover (referred to in the above question) be the worldwide turnover (of the preceding financial year), or the turnover linked to the processing activity pursuant to which the data protection breach occurred?
  • 7. Where civil penalties are proposed to be linked to a percentage of the worldwide turnover (of the preceding financial year) of the defaulting data controller, what should the value of such percentage be? Should it be prescribed under the law, or should it be determined by the adjudicating authority?
  • 8. Should the limit of the civil penalty imposed vary for different categories of data controllers (where such data controllers are categorised based on the volume of personal data processed, high turnover due to data processing operations, or use of new technology for processing)?
  • 9. Depending on the civil penalty model proposed to be adopted, what type of factors should be considered by an adjudicating body while determining the quantum of the civil penalty to be imposed?
  • 10. Should there be a provision for blocking the market access of a defaulting data controller in case of non-payment of a penalty? What would be the implications of such a measure?
  • 11. Are there any alternative views on penalties other than the ones mentioned above?

Summary of the Chapter

Awarding of compensation constitutes an important remedy where an individual has incurred a loss or damage as a result of a data controller’s failure to comply with the data protection principles as set out under law.

Questions

  • 1. What is the nature, type and extent of loss or damage suffered by an individual in relation to which she may seek compensation under a data protection legal regime?
  • 2. What are the factors and guidelines that may be considered while calculating compensation for breach of data protection obligations?
  • 3. What are the mitigating circumstances (in relation to the defaulting party) that may be considered while calculating compensation for breach of data protection obligations?
  • 4. Should there be an obligation cast upon a data controller to grant compensation on its own to an individual upon detection of significant harm caused to such individual due to a data protection breach by such data controller (without the individual taking recourse to the adjudicatory mechanism)? What should constitute significant harm?
  • 5. Are there any alternative views other than the ones mentioned above?

Summary of the Chapter

The law may treat certain actions of a data controller as an offence and impose criminal liability. This may include instances where any person, either knowingly or recklessly, obtains or discloses, sells, offers to sell, or transfers personal data to a third party without adhering to the relevant principles of the data protection law. It may be considered whether other acts should also attract criminal liability.

Questions

  • 1. What are the types of acts relating to the processing of personal data which may be considered as offences for which criminal liability may be triggered?
  • 2. What penalties for the unauthorised sharing of personal data should be imposed on the data controller, as well as on the recipient of the data?
  • 3. What quantum of fines and imprisonment may be imposed in such cases?
  • 4. Should a higher quantum of fine and imprisonment be prescribed where the data involved is sensitive personal data?
  • 5. Who will investigate such offences?
  • 6. Should a data protection law itself set out all the relevant offences in relation to which criminal liability may be imposed on a data controller, or should the extant IT Act be amended to reflect this?
  • 7. Are there any alternative views other than the ones mentioned above?