Table of Contents:
- General Comments
- Scope and Exemptions
- Grounds of Processing, Obligation on Entities and Individual Rights
- Child’s Consent
- Other Grounds of Processing
- Purpose specification and use limitation
- Processing of Sensitive Personal Data
- Storage Limitation and Data Quality
- Individual Participation Rights – 1
- Individual Participation Rights – 2
- Individual Participation Rights – 3: Right to be Forgotten
- Regulation and Enforcement
India will write its data protection legislation on a clean slate. It has the advantage of the experience of the European Union in the creation of its General Data Protection Regulation and observation of the general anti-regulatory philosophy of the United States. But the national opportunity for India is not to follow in any other society's footsteps. Rather, we have the technical knowledge and the social commitment to build a new pathway of our own that will be important as an example to others throughout humanity.
We should begin by understanding that the purpose of the legislation is not to protect data, but to protect people. This simple shift of focus affects the details of drafting, for we are making a statute to protect persons, not to regulate the general data economy. It affects the scope of application, which must be as transnational as necessary to protect every person to whom digital services involving data collection or processing are offered, no matter where in the world the data actually is stored or how it is processed, aggregated or modified. Protecting people means concentrating attention on the harms that can flow from data collection and retention, and providing remedies against those harms. One of the architectural mistakes India does not want to copy from the European Union is the attempt to center the legislative design around types of data, rather than types of harm against which law should provide remedy.
What we are making, then, is data safety regulation, protecting not data but people, drawing its categories from the harms against which people should be made safe, and the remedies for failures of safety, not primarily legislation for the protection of data as a basis for industrial activity. Therefore:
- Data safety legislation should define the harms that people can suffer, against which the law's remedies are directed. Harms of disclosure, harms of unpermitted aggregation or use for impermissible inferences or discrimination, harms of facilitation of crime or civil wrong---all should be given specific definition and characterization.
- In general, the principle of safety is control: that people should know when data about them is being requested, how that data is being processed, that the results of aggregations and combinations of their data with others data are being returned to them, as well as being used by others.
- In addition to rules giving people control over their data, there should be rules of accountability and safe handling. Parties responsible for the management of personal data on a large scale should be required to give people real-time access to information about use and handling of their data: who has requested it, what was provided, what rules or agreements govern how it can be used downstream, and how long it can be retained there. Safe storage practices (concerning encryption to protect against accidental or criminal disclosure, concerning access by judicial process in India or abroad, requiring accountability for all disclosures including disclosures to government) should also be defined by regulation and updated by ongoing government administrative process.
- Remedies must be provided that give swift recourse for people whose data is harmfully disseminated or mishandled. Large-scale processors of information should be required to post bond or otherwise ensure prompt recourse.
- A primary goal of data safety regulation should be to inform people of their risks and available remedies. It is crucial that the law itself, as well as the subordinate legislation to which it gives rise be as simple as possible. Data protection legislation often is devised to hide all the trees in the complexity of the forest. That must not happen here.
Data safety regulation is not a barrier to India's role as a global destination for data processing. On the contrary, our current success in that competition for global data service business has come despite international customers' concerns about unsafe Indian data practices. Making India a global leader in data safety will expand rather than reduce our attractiveness in the world market. Similarly, Indian data safety can be a strong value for start-ups and innovative small businesses, which can operate with certainty that their own reputations and market access will not be undermined by data safety crises and exposure episodes of the kind that are now routinely experienced by companies large and small around the world. Data privacy and safety regulation protecting individuals are an export industry for Digital India, providing to consumers around the world, as a commercial product, the services for which global platform companies now charge a grand total of $0 plus comprehensive privacy invasion and near-complete data unsafety.
In addition to these general comments, we have also responded in detail to the consultation questions asked. MEITY has provided broad general consultation opportunity through the specific questions it has raised. We hope that there will be a complete publication of all comments, an open, transparent process, and further consultation before the final report. We thank you for undertaking this important exercise.
SCOPE AND EXEMPTIONS
1. Territorial and Personal Scope
1. What are your views on what the territorial scope and the extra territorial application of a data protection law in India should be?
The law should apply to the processing of data by data controllers which are State entities, including Government agencies or authorised personnel on their behalf as well as private companies, partnerships or any other body corporate which conduct activities within the territory of India through a registered place of business or establishment, irrespective of whether data processing is carried out at such place or outside the territory of India. It should also apply to data controllers that are State entities, including Government agencies or authorised personnel on their behalf as well as private companies, partnerships or any other body corporate which do not have a registered place of business or establishment in India and offer goods or services to persons in India, irrespective of consideration, as defined under the Indian Contracts Act, 1872, being sought in lieu of such goods or services.
Note: Data processing includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
2. To what extent should the law be applicable outside the territory of India in cases where data of Indian residents is processed by entities who do not have any presence in India?
Apart from being applicable to entities that have registered offices in India, the Act should apply to data controllers that do not have a registered place of business or establishment in India and offer goods or services to persons in India, irrespective of consideration, as defined under the Indian Contracts Act, 1872, being sought in lieu of such goods or services.
3. While providing such protection, what kind of link or parameters or business activities should be considered?
a. Cover cases where processing wholly or partly happens in India irrespective of the status of the entity.
b. Regulate entities which offer goods or services in India even though they may not have a presence in India (modelled on the EU GDPR)
c. Regulate entities that carry on business in India (modelled on Australian law), business meaning consistent and regular activity with the aim of profit.
Alternative B comes closest to providing wholesome protection as it covers all entities in and outside India that process data. The first alternative does not cover processing that happens wholly outside India. The third alternative (Australian model) leaves room for ambiguity as the phrase “carries on business in Australia” is not defined and is to be interpreted on a case to case basis.
4. What measures should be incorporated in the law to ensure effective compliance by foreign entities inter alia when adverse orders (civil or criminal) are issued against them?
Local agents of a body corporate that is located outside the country can be held liable for the actions of the body corporate. Local agents could include employees of the body corporate, local office of the body corporate or a subsidiary of the body corporate.
Each body corporate that targets Indians may be required to have a data protection officer located in India if the body corporate is of a certain size, for example, if the body corporate has 200 employees or a revenue exceeding 10 crore rupees per annum, there could be a requirement to have a local agent in India that is held responsible for the actions of the body corporate. Please note that these figures are for representational purposes only.
Entities that do not have a registered office in India and fail to comply with adverse orders can be restricted from accessing the market temporarily till the orders are complied with.
5. Are there any other views on the territorial scope and the extra-territorial application of a data protection law in India, other than the ones considered above?
2. Other issues of scope
1. What are your views on the issues relating to applicability of a data protection law in India in relation to: (i) natural/juristic person; (ii) public and private sector; and (iii) retrospective application of such law?
The law should cover only natural persons to avoid complications.
It must apply to both public and private sector.
Entities already dealing in data should be given a transition period to bring their data processing practices into line with the requirements of the new law.
It might not be feasible to obtain consent for already existing data. However, consent should be sought if the purpose of processing is changed. Entities should review how they seek, register and manage consent and whether they need to make any changes. Existing standards should be reviewed if they do not meet the standards of the new law.
2. Should the law seek to protect data relating to juristic persons in addition to protecting personal data relating to individuals?
a. The law could regulate personal data of natural persons alone.
b. The law could regulate data of natural persons and companies as in South Africa. However, this is rare as most data protection legislations protect data of natural persons alone.
The law should cover only natural persons.
3. Should the law be applicable to government/public and private entities processing data equally? If not, should there be a separate law to regulate government/public entities collecting data?
a. Have a common law imposing obligations on Government and private bodies as is the case in most jurisdictions. Legitimate interests of the State can be protected through relevant exemptions and other provisions.
b. Have different laws defining obligations on the government and the private sector.
There should be a common law regulating both private and Government bodies. Even though public and private bodies collect data for different purposes, both indulge in storage, processing and sharing of information. There is no reason to treat them differently and enact different legislations.
4. Should the law provide protection retrospectively? If yes, what should be the extent of retrospective application? Should the law apply in respect of lawful and fair processing of data collected prior to the enactment of the law?
a. The law should be applicable retrospectively in respect of all obligations.
b. The law will apply to processes such as storing, sharing, etc. irrespective of when data was collected while some requirements such as grounds of processing may be relaxed for data collected in the past.
Rights of the individual such as access to data, right to rectification, right to data portability, right to withdrawal of consent, right to deletion, right to security, right to lodge a complaint with the data protection authority, right to compensation should apply retrospectively. Also, certain obligations of the data controller, such as maintaining the confidentiality and integrity of the information, encrypting data, should be applied retrospectively. If the already collected data is to be used for a purpose beyond the original purpose of collection, fresh consent has to be sought.
Other requirements such as collection limitation and general grounds of processing should be in line with the new law when it comes into effect.
5. Should the law provide for a time period within which all regulated entities will have to comply with the provisions of the data protection law?
The law should allow a transition period for entities to bring their data processing practices in line with the requirements of the new law.
6. Are there any other views relating to the above concepts?
3. Definition of Personal Data
1. What are your views on the contours of the definition of personal data or information?
The term “data” usually means raw, unorganized, random facts whereas information is the result of processing and structuring of data in a given context.
‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, among other information.
2. For the purpose of a data protection law, should the term personal data or personal information be used?
a. The SPDI Rules use the term sensitive personal information or data.
b. Adopt one term, personal data as in the EU GDPR or personal information as in Australia, Canada or South Africa.
For the sake of brevity and to avoid confusion, either the term ‘personal data’ or ‘personal information’ can be used.
3. What kind of data or information qualifies as personal data? Should it include any kind of information including facts, opinions or assessments irrespective of their accuracy?
Personal data should include any information that can be used to identify an individual, either by looking at the data alone or by looking at the data in conjunction with other data or information.
4. Should the definition of personal data focus on identifiability of an individual? If yes, should it be limited to an identified, identifiable‘ or reasonably identifiable‘ individual?
Yes, the law should focus on identifiability of an individual. It should be limited to “identifiable” individual.
5. Should anonymised or pseudonymised data be outside the purview of personal data? Should the law recommend either anonymisation or psuedonymisation, for instance as the EU GDPR does?
[Anonymisation seeks to remove the identity of the individual from the data, while pseudonymisation seeks to disguise the identity of the individual from data.
Anonymised data falls outside the scope of personal data in most data protection laws while psuedonymised data continues to be personal data. The EU GDPR actively recommends psuedonymisation of data.]
Anonymised and pseudonymised data should not be outside the purview of personal data. Research has shown that anonymised data can be de-anonymised using little information. Netflix had come up with a challenge for people to suggest better recommendation mechanisms than the one that the company was currently using. Ten million movie rankings by 5 lakh customers was published and the data was anonymised. Researchers de-anonymised some of that data by cross referencing it with public information available on IMDB. Similarly, in 2006, identities of a number of AOL users was revealed using anonymised data only by applying the method of cross referencing. University of Stanford researchers could identify a large proportion of the population of the United States using census data such as gender, ZIP code and date of birth.
This kind of analysis proves that anonymous data is equally at risk as other personal data and therefore should not be left outside the view of protection.
6. Should there be a differentiated level of protection for data where an individual is identified when compared to data where an individual may be identifiable or reasonably identifiable? What would be the standards of determining whether a person may or may not be identified on the basis of certain data?
The same level of protection should be provided for data where an individual is identified and data where an individual may be identifiable or reasonably identifiable.
7. Are there any other views on the scope of the terms personal data‘ and personal information‘, which have not been considered?
4. Definition of Sensitive Personal Data
1. What are your views on sensitive personal data?
Data should be categorised as “sensitive” depending on the context and the reasons for processing it. The potential harm resulting from the leak or theft of sensitive personal data is much greater than the leak or theft of personal data such as name or telephone number. For e.g, information about an individual’s ethnicity or caste can be used to discriminate against her.
2. Should the law define a set of information as sensitive data? If yes, what category of data should be included in it? Eg. Financial Information / Health Information / Caste / Religion / Sexual Orientation. Should any other category be included?
[For instance, the EU GDPR incorporates racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.]
The following non-exhaustive list contains the categories of data considered sensitive.
Data revealing :
- Race, colour, religion, ethnicity, caste
- Political affiliations
- Religious or philosophical beliefs
- Financial data
- Health data (Physical and mental health including disability)
- Biometric and genetic data
- Marital status and sexual orientation
- Sexual activities
- Criminal history
- Employment history
- Trade union membership
- Passwords and encryption keys
3. Are there any other views on sensitive personal data which have not been considered above?
5. Definition of Processing
1. What are your views on the nature and scope of data processing activities?
Processing should cover collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The nature of processing can be both manual or automated.
2. Should the definition of processing list only main operations of processing i.e. collection, use and disclosure of data, and inclusively cover all possible operations on data?
While it will be simpler to limit the definition to collection, use and disclosure of data, it will also leave room for ambiguity and therefore require judicial intervention. Also, structuring, adaptation and alteration of data do not fall into any of these categories. Hence, the definition should be a comprehensive one and inclusively cover all possible operations on data.
3. Should the scope of the law include both automated and manual processing? Should the law apply to manual processing only when such data is intended to be stored in a filing system or in some similar structured format?
a. All personal data processed must be included, howsoever it may be processed.
b. If data is collected manually, only filing systems should be covered as the risk of profiling is lower in other cases.
c. Limit the scope to automated or digital records only.
The law should include both automated and manual processing, irrespective of whether this data is intended to be stored in a filing system or a similar structured format.
4. Are there any other issues relating to the processing of personal data which have not been considered?
6. Definition of Data Controller and Processor
1. What are your views on the obligations to be placed on various entities within the data ecosystem?
The distinction between data controller and data processor is not important and will only complicate things. The purpose of the data protection legislation is to protect people and not data. Since the primary purpose of the law is safety, the responsibility or liability of the entity handling/processing data should be based on the quantum of risk they create. Any entity that creates potential risk of data breaches/leaks therefore causing harm to the data subject should be subject to some responsibility.
The obligations bestowed upon the data controllers should be as follows:
- Must be able to demonstrate compliance with national privacy principles such as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, data security, openness and accountability.
- Must implement appropriate technical and organizational measures to ensure and to demonstrate that its processing activities are compliant with the requirements of the Act.
- Must have written agreements with data processors that state all the requirements and safeguards for processing in the Act.
- Maintain records of processing and report breaches to the concerned authority.
- Notify concerned individuals in case there is a data breach
- encryption of personal data
- on-going reviews of security measures;
- redundancy and back-up facilities; and
- regular security testing
- adhere to approved codes of conduct
2. Should the law only define data controller or should it additionally define data processor‘?
a. Do not use the concept of data controller/processor; all entities falling within the ambit of the law are equally accountable.
b. Use the concept of data controller‘ (entity that determines the purpose of collection of information) and attribute primary responsibility for privacy to it.
c. Use the two concepts of data controller‘ and data processor‘ (entity that receives information) to distribute primary and secondary responsibility for privacy.
The law need not define data controller and data processor separately. Since the primary purpose of the law is safety, the responsibility or liability of the entity handling/processing data should be based on the quantum of risk it creates.
3. How should responsibility among different entities involved in the processing of data be distributed?
a. Making data controllers key owners and making them accountable.
b. Clear bifurcation of roles and associated expectations from various entities.
c. Defining liability conditions for primary and secondary owners of personal data.
d. Dictating terms/clauses for data protection in the contracts signed between them.
e. Use of contractual law for providing protection to data subject from data processor.
Responsibility or liability of the entity handling/processing data should be based on the quantum of risk it creates with respect to the safety of the data subject. There is no need to bifurcate roles between data controller and processor.
4. Are there any other views on data controllers and processors which have not been considered above?
1. What are the categories of exemptions that can be incorporated in the data protection law?
2. What are the basic security safeguards/organisational measures which should be prescribed when processing is carried out on an exempted ground, if any?
Domestic / Household Processing
1. What are your views on including domestic/household processing as an exemption?
Domestic / Household processing is exempted in varying degrees from data protection laws in most jurisdictions (GDPR, South Africa). Individuals processing data for domestic or household purposes and not for commercial purposes or processing data in a professional capacity should be exempt from the ambit of data protection. However, individuals should follow certain basic non-binding guidelines while handling data for personal processing:
- Comply with the Regulation’s basic security requirement – albeit in a ‘light’ manner
- Respect other individuals’ access, rectification, – for example where a friend requests that information about him or her is taken down from a social networking page
- Make sure any information processed about other individuals is done in compliance with the data protection principles – e.g. the data should be accurate and up to date.
- Have a legal basis for processing the personal data.
It is important to note that with increased penetration of the Internet and the power of the same to convey information to large audiences, the line separating domestic/household processing from processing for commercial/gainful interest can quite often get blurred. A possible solution to the issue could be to give wide powers of investigation to the data protection authority. In cases of conflict, the data protection authority should be able to intervene to decide the category in which the processing falls. Some of the questions that the data protection authority could refer to in the preliminary stage of investigation to determine whether or not the processing falls within the scope of personal or domestic processing are:
- Is the personal data disseminated to an indefinite number of persons, rather than to a limited community of friends, family members or acquaintances?
- Is the personal data about individuals who have no personal or household relationship with the person posting it?
- Does the scale and frequency of the processing of personal data suggest professional or full-time activity?
- Is there evidence of a number of individuals acting together in a collective and organised manner?
- Is there the potential adverse impact on individuals, including intrusion into their privacy?
2. What are the scope of activities that will be included under this exemption?
Processing that is carried out solely for the purposes of personal, family and household affairs should be exempt from the law. It is difficult to exhaustively lay down the specific activities that should be included under this exemption. However, activities that would not fall within this exemption would be:
- Activities carried out by an organization.
- Processing done for commercial purposes or for a gainful/commercial interest.
- Processing done in a professional capacity.
3. Can terms such as domestic‘ or household purpose‘ be defined?
It is difficult to comprehensively define terms such as “domestic” or “household” purpose, due to the wide scope of activities that could come within its scope. However, the law should try to lay down some objective standards to determine the contours of domestic or household purpose.
4. Are there any other views on this exemption?
8. Cross Border Flow of Data
1. What are your views on cross-border transfer of data?
Cross-border transfer of data is necessary for the existence of a thriving digital economy. It is also necessary to ensure that individual rights are not violated while promoting development of the economy.
Cross-border transfers should be allowed under pre-defined and clearly known circumstances to avoid the existence of loop-holes that can be exploited to transfer data to a country or an entity that does not offer sufficient protections for personal data.
2. Should the data protection law have specific provisions facilitating cross border transfer of data? If yes, should the adequacy standard be the threshold test for transfer of data?
Yes, the data protection law should have specific provisions facilitating cross border transfer of data. The law should strive to leave no room for ambiguity regarding the situations in which data transfer is or is not allowed to another country.
An adequacy test can be performed to determine whether data transfer should be allowed to a specific country. While performing an adequacy test, the data protection authority should take the following into account in addition to the requirements that are present in Article 45 of EU GDPR:
- Safe storage practices;
- Access to data by judicial process;
- Existence of mass surveillance programs;
- Applicability of the principle of accountability.
Adequacy tests performed by the data protection authority with regular reviews by the authority would:
- be more efficient than requiring each data controller to perform their own analysis of whether or not a country offers sufficient legal protection;
- reduce variation in the form of the laws of a specific country being deemed sufficient for data transfer by one data controller, but insufficient by another data controller; and
- allow data transfers without any ambiguity regarding liability of data controller when undertaking a data transfer to a third country.
That said, data transfers to another country should not be limited to only those countries that have passed the adequacy test performed by the data protection authority. Binding Corporate Rules (BCR) and Model Contractual Clauses (MCC) can be used as additional grounds for allowing data transfers to occur to other countries. However, there needs to be an effective method of ensuring that the entity transferring data out of India uses the legal options available to them under BCRs or MCCs in case of a data safety violation by the entity to which data has been transferred. This could be done by holding the transferring entity accountable for violations by the transferee, similar to Canada’s PIPEDA.
An arrangement such as Privacy Shield should not be used for white-listing any country, as it creates an imbalance between the countries that have passed the adequacy test, and the countries that have been white-listed for other, possibly only trade-related, reasons. It also causes uncertainty regarding the intentions and ability of the country of origin to protect the data of its people.
Most people are unable to comprehend the implications of their consent on their digital rights and freedoms. Legal documentation is often too long and complex for a lay person to understand. For these reasons, notice and/or consent should not be the only ground to allow data transfers to another country.
3. Should certain types of sensitive personal information be prohibited from being transferred outside India even if it fulfils the test for transfer?
No, there should be no restrictions on cross border transfer of sensitive personal data if it fulfils the test for transfer. Medical data may need to be transferred to another country for a treatment to be undertaken by a patient in another country. Financial details may need to be transferred to another country for an international financial transaction. Other forms of sensitive personal data may need to be transferred in specific circumstances. Restrictions on the transfer of such data, when adequate protections are available for the transferred data, would only serve to hamper development and innovation.
4. Are there any other views which have not been considered?
The authority can create two blacklist of known bad actors:
- a blacklist of countries that violate data safety by requiring, say, mass surveillance of data stored in that country or other violation(s) of data safety principles; and
- a blacklist of data controllers or other entities known to violate their privacy obligations.
Data transfers to known bad actors should be prohibited by law, even if there are binding corporate rules, model contractual clauses or any other form(s) of protection recognized by law.
Parties responsible for the management of personal data on a large scale should be required to give people real-time access to information about use and handling of their data: who has requested it, what was provided, what rules or agreements govern how it can be used downstream, and how long it can be retained there.
Safe storage practices should also be defined by regulation and updated by ongoing government administrative process, i.e. minimum standards for encryption should be made to protect against accidental or criminal disclosure of personal and sensitive personal data; modes and kinds of access by judicial process in India and abroad should be regulated; and the principle of accountability should apply for all disclosures including disclosures to domestic and foreign government(s).
9. Data Localisation
1. What are your views on data localisation?
Different sectors can come up with their own data localisation requirements based on the sensitivity of the data and the need to store such data within the geographical boundaries of India. With the possible exception of government data, especially data that could have national security implications, there should be no general requirement to store any kind of data locally. Data localisation requirements pose an additional and unnecessary burden on service providers for no apparent advantage. Small and medium-sized enterprises would particularly face the brunt of such requirements.
Compliance with local laws can be ensured by the use of other means such as holding a local agent liable or restricting trade with an entity that refuses to comply with data safety directions issued in India, among other measures.
2. Should there be a data localisation requirement for the storage of personal data within the jurisdiction of India?
No, there should be no data localisation requirement for the storage of personal data within the jurisdiction of India, as mentioned in the answer to question 1 above.
3. If yes, what should be the scope of the localisation mandate? Should it include all personal information or only sensitive personal information?
With the possible exception of government data, especially data that could have national security implications, there should be no requirement for the storage of personal data within the jurisdiction of India, as mentioned in the answer to question 1 above.
4. If the data protection law calls for localisation, what would be impact on industry and other sectors?
The brunt of the burden created by such a requirement would be faced primarily by small and medium-sized enterprises. Innovation would be greatly hampered by the need to invest in storage of data locally within the geographical boundaries of India. The Internet is border-less by design. Forcing geographical borders onto the Internet would pose unnecessary impediments to freedom and innovation without any apparent benefit for the rights of the people. If every country were to enforce data localisation requirements, then every entity that wanted to provide a service across the world would need to store and process the data of every person within the boundaries of the specific country that they belong to. Such data localisation would also prevent users from accessing their data when they are travelling through another country. The only beneficiaries in such a situation would be large corporations that would face less competition when deploying services across the globe, but even their users would be prevented from accessing their own data and services while travelling abroad.
5. Are there any other issues or concerns regarding data localisation which have not been considered above?
10. Allied Laws
1. Comments are invited from stakeholders on how each of these laws may need to be reconciled with the obligations for data processing introduced under a new data protection law.
The new data protection legislation should override all inconsistent laws, in order to ensure that the protections afforded under the data protection legislation are given precedence over the protections afforded under older legislations. No older law should be allowed to be used for reducing the protections offered to personal or sensitive personal data. An exception to this overriding effect can be made where the protections offered in an inconsistent law not only meet the requirements imposed under the new data protection law, but impose a requirement of an even higher standard than the data protection law. The data protection law should not, for example, prevent a requirement under a financial law to implement a higher minimum standard of encryption than that which is required under the data protection law. Lastly, the new data protection legislation should not override the Right to Information Act, 2005 (RTI Act). Section 11 of the RTI Act contains sufficient protections for third party data. No additional protection is required for the purposes of RTI, and therefore, no amendment is needed in the RTI Act.
These aims could be achieved by inserting the following Sections in the new data protection legislation:
- Inconsistency in laws: Nothing contained in this Act or any rule or regulations made thereunder or any instrument having effect by virtue of this Act, rule or regulations shall have effect in so far as it is inconsistent with any other provisions of the Right to Information Act, 2005 (22 of 2005).
- Overriding effect: Save as otherwise provided in the Section on Inconsistency in laws, the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any enactment other than this Act.
Explanation: Where the standard of protection required under an inconsistent law is higher than the standard required under this Act, then the higher standard of protection will apply, as long as the use of the higher standard does not violate the provisions of this Act or any rules or regulations made thereunder.
Example 1: If Act ‘A’ requires at least 512 bit AES encryption and regulations made under this Act require at least 256 bit AES encryption, then the minimum encryption strength required would be 512 bit AES encryption.
Example 2: If Act ‘A’ limits the use of encryption to 64 bit keys and regulations made under this Act require at least 256 bit encryption key, then the encryption strength required would be 256 bit.
GROUNDS OF PROCESSING, OBLIGATION ON ENTITIES AND INDIVIDUAL RIGHTS
1. What are your views on relying on consent as a primary ground for processing personal data :
a) Consent will be the primary ground for processing. b) Consent will be treated at par with other grounds for processing. c) Consent may not be a ground for processing
Consent is an important ground for data processing, but relying on it solely is not sufficient. For example, if an individual consents to allow a platform company to read all her email in return for giving her free email service, she is also giving away information about the people she corresponds with, without regard to their wishes. So, the law we need is not about getting, managing, or automating consent. The objective is to give an individual control over her personal information.
Consent should be an essential ground for processing when a data controller is collecting data from a data subject. It should however be complemented with other robust data protection principles to protect the individual from any potential harm.
2. What should be the conditions for valid consent? Should specific requirements such as ‘unambiguous’, ‘freely given’ etc. as in the EU GDPR be imposed? Would mandating such requirements be excessively onerous?
The most important way by which individuals can exercise informational self determination is by giving or withholding consent to processing data. However, the practicality of consent has been under scrutiny. Most people tick consent boxes without reading or understanding privacy statements. The problem lies with the implementation of consent and not with the idea of consent. The following conditions can be applied to make consent more meaningful:
- Consent must be explicit, specific, unambiguous, and freely given
- Consent must be informed: The data subject should know what exactly she is consenting to
- The data subject should have the right to withdraw consent during any stage of processing
Section 13 of the Indian Contract Act, 1872 defines consent as “Two or more persons are said to consent when they agree upon the same thing in the same sense.’ The Act further delineates that consent is free when it is not caused by:
- undue influence;
- misrepresentation; and
3. How can consent fatigue and multiplicity of notices be avoided? Are there any legal or technology-driven solutions to this?
Users face consent fatigue mainly because of complex privacy policies and having to give consent to many service providers who have fairly distinct policies. Layered notices can address this issue. There can be two layers of a privacy notice, the first layer may contain condensed form of the actual notice, while the second layer should delineate full text of the Notice.
In addition, adopting measures such as standardization, localization and recommendation can further simplify complex privacy policies.
Standardization: Data Protection Authority can design standard privacy policies including easily identifiable symbols which can be adopted by service providers. These symbols must be shown to the user in the first layer of notice.
Localization: All the standard privacy policies should be localized and made available in more than one language to ensure that users can understand them. Localized notices can be made mandatory. This will help the service providers who adopt standard privacy policies incur less cost for localization and also promote participation from the service providers in standardizing and localizing. Notice should allow a user to select preferred language in a way that a user can understand the label for the language drop-down as “choose your preferred language”. Second layer must be shown in the chosen language.
Lastly, Data Protection Authority can run a platform which publishes these standards. This platform can be used by Data Protection Authority and other individual volunteers & volunteer organizations to design the same. Having a platform is essential for localizing in least amount of time. Data Protection Authority should release a notification asking individuals/organizations from all over India to volunteer for localizing the standard privacy policies to all official languages as translators (one who translates text) and moderators (who performs 1st level of review). The authority could work with Indic language communities that work in the area of language localisation.
4. Should different standards for consent be set out in law? Or should data controllers be allowed to make context-specific determinations?
Standards of consent should be uniform with respect to data processing. It should adhere to the conditions mentioned above. Relying on the subjective wisdom of the data controller to decide if a particular form of processing requires consent or not may lead to consent not being taken in important circumstances as well.
5. Would having very stringent conditions for obtaining valid consent be detrimental to day-to-day business activities? How can this be avoided?
The data controller should comply with the conditions of consent as stated in the law when collecting new data or information, irrespective of whether its for day to day business. However, to avoid taking consent multiple times for day to day business activities, the data controller may obtain consent once for a particular purpose and kind of processing at the beginning. She may not be required to obtain consent at each stage of processing unless there is a change of purpose or processing In that case the data subject must be asked for consent.
6. Are there any other views regarding consent which have not been explored above?
2. Child’s Consent
1. What are your views regarding the protection of a child‘s personal data?
The basis of taking consent before collecting data lies in the law of contract, wherein it is necessary for a meeting of the minds for a contract to be considered valid in the eyes of the law. The consent given by a data subject is a part of the agreement between a data subject and the data controller. Concepts of the law of contract can be imported into the realm of data protection to ensure that a child’s personal data is offered the same level of protection as a child’s agreement would be offered under the Indian Contract Act, 1872. This would vastly simplify the requirements placed upon data controllers while providing sufficient protection to a child’s personal data.
Under Section 11 of the Indian Contract Act, 1872, a minor is incapable of entering into a contract. Section 3 of the Indian Majority Act, 1875 sets the age of majority at 18 years. This age is perfectly acceptable for the purposes of data protection as mentioned below. We do not need to lower the age of consent for the purposes of data safety.
Enforcement by a data controller against a data subject is not necessary in the majority of situations involving data collection, use, transfer, protection, etc. The only situation where enforcement may be considered by a data controller against a data subject for the purposes of a data protection law would be at the stage of collection of data. Data may be collected by a data controller in one of two ways:
- The data controller automatically collects data from a data subject; and / or
- The data subject manually provides data to a data controller.
In case of automatic collection of data from data subjects, the data controller does not require additional steps on the part of the data subject in order to collect data. Hence, no enforcement of contract is necessary to ensure the protection of the ability of a data controller to collect data from a data subject. If a data subject blocks the attempts of a data controller to collect data from a data subject then the data controller can refuse to provide their product or service to the data subject.
A provision can, but does not necessarily need to, be made in law to empower data controllers to restrict the use of any service or product by a child without ratification by the child’s parent or legal guardian. This should not be a mandate on the data controller to restrict the use of their products or services by a child, but instead a right of the data controller to do so if the child does not comply with their obligations.
If the data protection law has these two protections in place, then no additional protection is required for a child to be able to revoke their consent or delete their data once they reach the age of majority (18 years): (1) revoke consent at any time; and (2) request deletion of data at any time.
Despite the inability of a minor to enter into a valid contract, any beneficial agreement that a minor enters into without the ratification of a parent or a legal guardian can be enforced by the minor as long as the minor has fulfilled his / her obligations under the contract.
The question before the Madras High Court in the case of Raghava Chariar v Srinivasa was “Whether a mortgage executed in favour of a minor who has advanced the whole of the mortgage money is enforceable by him or by any other person on his behalf.” The Full Bench unanimously held that the transaction was enforceable by or on behalf of the minor. Wallis CJ said “The provision of law which renders minors incompetent to bind themselves by contract was enacted in their favour and for their protection, and it would be a strange consequence of this legislation if they are to take nothing under transfers in consideration of which they have parted with their money.”
In Sharfath Ali v Noor Mahomed, the Court held that “The law does not regard a minor as incapable of accepting a benefit.”
To make this legal situation concrete for the purposes of data protection, a Section in law is required stating that a minor shall have the right to exercise all the rights of a data subject under the data protection law, regardless of whether or not the agreement is considered valid for the purposes of the law of contract. Thus, if a minor has supplied some data to a data controller, the minor should have all the rights that exist for a data subject, such as the rights of rectification, revocation of consent and deletion of data, amongst others.
Designating a minimum age at which a data subject would become competent to give consent would create an unnecessary complication in the law of contract wherein the minimum age of consent for entering into a valid and enforceable contract would differ for the purposes of data collection, processing, use, transfer, protection and other data-related activities, and for other purposes for which a person may legally enter into a contractual relationship. The protections offered to minors under the case laws discussed above in combination with the protections that would be offered to all data subjects if the data protection law is created in accordance with our recommendations to the rest of this white paper would ensure that the rights of minors are not unduly harmed. A provision should be made in law to clarify that a minor’s rights cannot be violated by a data controller if the minor has provided their data.
2. Should the data protection law have a provision specifically tailored towards protecting children’s personal data?
Left untouched, some data controllers could attempt to seek protection under the principle of the Mohori Bibi v Dhurmodas Ghose case which laid down in the year 1903 that “all contracting parties should be competent to contract and expressly provides that a person who by reason of infancy is incompetent to contract cannot make a contract within the meaning of the Act.” In another case called Mir Sarwarjan v Fakhruddin Mohd Chowdhury, the Privy Council rejected the action of a minor seeking specific performance of to recover possession of an immovable property.
Courts have, since then, recognized the rights of a minor to seek performance of a beneficial contract. This can be seen in the cases of Raghava Chariar v Srinivasa and Sharfath Ali v Noor Mahomed stated above in the answer to Question 1.
Thus, a provision is required in law to clarify that a data controller cannot violate the rights of a minor under the data protection law.
Apart from the above, the data protection authority should also have a power to start an educational program to teach minors about their rights. The report titled ‘Growing Up Digital’ by the Children’s Commissioner for England, published in January 2017, notes that children are unaware of how the internet works and recommends that an educational program should be set up to train children to be ‘digital citizens’. Such a program could contain training of the following rights as per the report:
- *The Right to Remove: To be able to curate your online presence through being able to easily remove what you yourself have put up.
- The Right to Know: To know who has access to your data, why and for what purposes.
- The Right to Safety and Support: To know where to turn for support when something online is distressing.
- The Right to Informed and Conscious Use: To know that the internet is ‘sticky’ and that you have the power to switch off.
- The Right to Digital Literacy: To understand the purposes of the technology that you are using and to have the critical understanding and the skills to be a digital creator.*
Article 19 of EU GDPR requires a data controller to give notice of any rectification or erasure “to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.” Following Article 19 to the letter would prove insufficient for protecting a child. In order to protect the interests of minors any data gathered from a person that is known to the data controller to be a child should not be transferred to an entity unless the data controller can ensure that any rectification or deletion requested by the child would also be performed by all entities to whom the data has been transferred. In other words, situations where such intimation may prove to be impossible or involve disproportionate effort should be minimized for children.
3. Should the law prescribe a certain age-bar, above which a child is considered to be capable of providing valid consent? If so, what would the cut-off age be?
The data protection law may create the following situation:
- The age of consent at which a data controller can exercise their rights against a data subject can be set at 18 years in accordance with Section 11 of the Indian Contract Act, 1872 and Section 3 of the Indian Majority Act, 1875. Minors below the age of 18 years should not be compelled to provide their data in accordance with the law of contract.
- A section can be created in the data protection legislation to empower a data controller to require ratification by a parent or a legal guardian in matters involving sensitive personal data.
- For all other situations, the data protection law should not restrict the ability of a child to provide consent for any service or product that is beneficial for the child in accordance with the law of contract.
For exercising the rights of a child as a data subject, there needs to be no minimum age limit, as a child should not be prohibited from exercising his / her rights under the law if they are below a certain age. The purpose of the law should be protecting the rights and interests of the child, and not to be an impediment for the child.
If a minimum age is defined below which children are barred from providing a valid consent, then the case law of Gadigeppa Bhimappa Mets v Balangowda Bhimagowda would apply wherein the court held that “The court is of opinion that where an infant represents fraudulently or otherwise that he is of age and thereby induces another to enter into a contract with him them in an action founded on the contract the infant is not estopped from setting up infancy.” In other words, if a minor misleads a data controller into believing that (s)he is not a minor for the purposes of providing a valid consent, the minor would be able to use the product or service of the data controller without foregoing the protections offered to the minor under the law of contract, and in future, the law of data protection.
4. Should the data protection law follow the South African approach and prohibit the processing of any personal data relating to a child, as long as she is below the age of 18, subject to narrow exceptions?
Prohibiting any activity related to the processing of any personal data relating to a child below the age of majority would restrict the rights and freedoms of a child. Among other rights, the fundamental right to freedom of expression would be hampered if a child is not allowed to create an account and participate in a social network or blogging platform or any other similar service. Narrowly defined exceptions are likely to hamper the rights and freedoms of a child despite best efforts.
5. Should the data protection law follow the Australian approach, and the data controller be given the responsibility to determine whether the individual has the capacity to provide consent, on a case by case basis? Would this requirement be too onerous on the data controller? Would relying on the data controller to make this judgment sufficiently protect the child from the harm that could come from improper processing?
Giving a data controller the power to determine whether an individual has the capacity to provide consent on a case-by-case basis would not protect a child. The age for giving consent should be defined in a uniform manner and should not be left up to the variable discretion of a data controller. A data controller’s primary motives would be to maximize gains, not to protect the interests of children. Thus, in case there is a doubt regarding the capacity of a child to provide consent on a case by case basis, it would be in the best interests of a data controller to assume by default that a child is capable of providing valid consent instead of assuming by default that a child is incapable of providing valid consent.
6. If a subjective test is used in determining whether a child is capable of providing valid consent, who would be responsible for conducting this test?
a. The data protection authority
b. The entity which collects the information
c. This can be obviated by seeking parental consent
There should not be a subjective test to determine whether a child is capable of providing valid consent. However, if such a system were to be adopted, such a determination should not be in the hands of a data controller or an entity which collects the information. The interests of a data controller or data collecting entity lie in collecting / using / processing / storing / sharing the data, and not in protecting the rights of children.
Parental consent can be used to obviate the need to determine whether a child is capable of providing valid consent.
The data protection authority should only be involved in determining whether parental consent was necessary in a particular case and investigating whether that parental consent was obtained, and not in determining whether a child is / was capable of providing valid consent.
7. How can the requirement for parental consent be operationalised in practice? What are the safeguards which would be required?
Parental consent can be sought through:
- Giving consent for a child’s account through a separate parental account; or
- Creation of a child’s account using a parent’s account.
Under the Indian Contract Act, 1872, a child cannot enter into a binding contract, however, a child can enforce a beneficial agreement if the child has performed their obligation(s) under the agreement, as mentioned in the answer to question 1 above.
8. Would a purpose-based restriction on the collection of personal data of a child be effective? For example, forbidding the collection of children’s data for marketing, advertising and tracking purposes?
The primary reason to create any safeguard for the collection and processing of a child’s data is that various jurisdictions, including our own under the Indian Contract Act, 1872, view a child as incapable of providing consent due to an inability to properly understand the effects of giving consent. As such, there are certain areas where additional care is needed to ensure that a child’s rights are not unduly harmed.
Recital 38 of EU GDPR states “specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.”
Profiling for any reason, including but not limited to marketing, advertising and tracking, should not be allowed in order to allow a child to learn and grow without suffering from the result of mistakes or choices made during his / her growing years.
9. Should general websites, i.e. those that are not directed towards providing services to a child, be exempt from having additional safeguards protecting the collection, use and disclosure of children’s data? What is the criteria for determining whether a website is intended for children or a general website?
The protections under the law should not be limited to only website, but should extend to all forms of digital products and services that collect and / or process personal data, including but not limited to websites, mobile apps, gaming platforms, plug-ins, advertising networks, location based services, voice over internet protocol services, connection toys and other internet of things enabled devices.
If a product or service is permitted by a data controller to be used by a child, then the data controller must provide the protections that are available to children under the law, regardless of whether children are the primary target demographic of the website.
The definitions clause of USA’s Children’s Online Privacy Protection Rule contains the following about determination of whether a website or an online service is targeted towards children:
“Web site or online service directed to children means a commercial Web site or online service, or portion thereof, that is targeted to children.
(1) In determining whether a Web site or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.
(2) A Web site or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.
(3) A Web site or online service that is directed to children under the criteria set forth in paragraph (1) of this definition, but that does not target children as its primary audience, shall not be deemed directed to children if it:
(i) Does not collect personal information from any visitor prior to collecting age information; and
(ii) Prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with the notice and parental consent provisions of this part.
(4) A Web site or online service shall not be deemed directed to children solely because it refers or links to a commercial Web site or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.”
Guidance can be taken from the above-mentioned clause of COPPA to determine whether a service or a website targets children, but it should be kept in mind that under Indian law, protections are made available to legal minors, not just to those children that are below the age of 13 years.
10. Should data controllers have a higher onus of responsibility to demonstrate that they have obtained appropriate consent with respect to a child who is using their services? How will they have actual knowledge of such use?
In other jurisdictions, actual knowledge for the purpose of determining whether or not a data subject is a child, is based on the declaration of age, date of birth, or a simple “yes/no” when a data subject is asked whether they are a child or an adult. A data controller cannot be held liable for an incorrect statement by a child.
However, Indian case laws have recognized that even if a child misleads someone into believing that they are an adult, the child would still have the same protections as are otherwise available to the child under the Indian Contract Act, 1872. Please see the reference to Gadigeppa Bhimappa Mets v Balagowda Bhimagowda in the answer to question 3 above.
11. Are there any alternative views on the manner in which the personal data of children may be protected at the time of processing?
USA’s Children’s Online Privacy Protection Rule contains a clause requiring data controllers to “An operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity.” (§312.7)
The same can be incorporated in the Indian law to enhance the protections available to children.
1. Should the law rely on the notice and choice mechanism for operationalising consent?
Uninformed sharing of personal data amounts to violation of right to privacy as recognized under Article 21 in the landmark judgment K.S. Puttaswamy vs Union of India. Thus to ensure informational self determination, the data protection law should prescribe for a method of notice and choice. It is a positive obligation on a data controller/processor, and creates a sense of awareness among the data subjects and gives them a choice to part with their data. The Justice A.P Shah Committee has also mentioned notice and choice as important data protection principles.
2. How can notices be made more comprehensible to individuals? Should government data controllers be obliged to post notices as to the manner in which they process personal data?
Notices should be easy to understand and without complex legal jargon. The simplified notice could provide the link to the legal text for anyone who wants to read it. But the notice, prima facie, should be as simple and comprehensible as possible. That can be achieved by employing the following methods:
- Use of plain and simple language with clear fonts, no legalese and ;
- Use of clear explanations of purpose and uses;
- Use of regional languages apart from English to draft notices;
- Use of standardized icons for activities such as profiling, data sharing, collection of sensitive personal data, withdrawal of consent (delete my data) and grievance redressal; and
- Graphical assistance capable of explaining terms and conditions to consumers.
Government data controllers should be obliged to post notices as to the manner in which they process personal data as uniformed consent of processing personal data is violative of right to privacy recognized under Article 21 of the Constitution of India.
3. Should the effectiveness of notice be evaluated by incorporating mechanisms such as privacy impact assessments into the law?
Privacy impact assessments can be integrated to evaluate effectiveness of notice. Regular internal and external audits must be carried out to ensure compliance with data protection standards and policies to ensure efficacy of notice. In addition, audit reports and compliance status should be updated and made available for public access on the website/ platform by data controllers.
4. Should the data protection law contain prescriptive provisions as to what information a pivacy notice must contain and what it should look like?
a. No form based requirement pertaining to a privacy notice should be prescribed by law.
b. Form based requirements may be prescribed by sectoral regulators or by the data protection authority in consultation with sectoral regulators.
The data protection law should contain prescriptive provisions as to what information a privacy notice must contain. Data protection authorities in consultation with sectoral regulators should prescribe form based requirements for a privacy notice.
The following principles should be adhered to while drafting a privacy notice:
- Data controllers or processors must build a voluntary or ‘opt in’ based consent mechanism;
- It should be easy for data subjects to opt out or withdraw their consent;
- The consent obtained should be explicit, data controllers should not consider involuntary/silent consents;
- The language should be plain, simple and comprehensible by all;
- There should be icons to simplify notices. There should be standard icons for activities such as profiling, data sharing, collection of sensitive personal data, withdrawal of consent (delete my data) among others.
- A privacy notice must include the following:
- Purpose for which data will be taken;
- Time period for which the data will be retained
- Processors/ Controllers with whom data can be shared with;
- Rights to access and control data;
- Grievance redressal mechanism
5. How can data controllers be incentivized to develop effective notices?
a. Assigning a data trust score.
b. Providing limited safe harbor from enforcement if certain conditions are met.
If a data trust score is assigned, then who should be the body responsible for providing the score?
The new data protection law can prescribe for a system of assigning a data trust score to the data controller. A trust score can be assigned to controllers on the basis of certain standards devised by an independent body appointed by data protection authority. This kind of standardization is already in practice for various products of consumption. For example, Bureau of Indian Standards assign ISI mark based on the quality of the product as compared to a specified standard.
This practice would incentivize controllers in creating a brand, reputation and loyal clientele. On the other hand, it would also guarantee subjects of a certain assurance as to how their data will be handled.
6. Would a consent dashboard be a feasible solution in order to allow individuals to easily gauge which data controllers have obtained their consent and where their personal data resides? Who would regulate the consent dashboard? Would it be maintained by a third party, or by a government entity?
The concept of consent dashboard appears to be a feasible solution in order to allow individuals to manage their consents. However, it raises concerns related to privacy. The usage of consent dashboard to avail services and organize consents would create a series of metadata every time an individual gives her consent. Analysis of the said metadata would allow an insight into the life of an individual’s private life. This infrastructure created to manage consent would serve as a mode of mass surveillance which is a massive breach of the fundamental right to privacy.
7. Are there any other alternatives for making notice more effective, other than the ones considered above?
4. Other Grounds of Processing
1. What are your views on including other grounds under which processing may be done?
As discussed earlier, consent should be the primary ground for data processing when data is being collected from a data subject by the data controller for a specified purpose or purposes. However, in certain cases of emergency where processing of data is in furtherance of accomplishing the consented purpose and obtaining consent would cause unnecessary trouble, data processing can be allowed. But such grounds (vital/public/legitimate interests), if imported into the law, should be defined clearly and as narrowly as possible.
2. What grounds of processing are necessary other than consent?
The following can be recognized as other grounds of processing:
- Where processing is necessary to perform a contract that the data subject has consented to;
- In order to safeguard the data subject’s vital interests i.e in an emergency situation, for e.g. where a medical condition may be disclosed to treat the data subject;
However, as mentioned above, terms such as “vital/legitimate interests” should be clearly and narrowly defined.
3. Should the data protection authority determine residuary grounds of collection and their lawfulness on a case-by-case basis? On what basis shall such determination take place?
a. No residuary grounds need to be provided.
b. The data protection authority should lay down ‘lawful purposes’ by means of a notification.
c. On a case-by-case basis, applications may be made to the data protection authority for determining lawfulness.
d. Determination of lawfulness may be done by the data controller subject to certain safeguards in the law
No residuary grounds need to be provided, data controllers should adopt consent based approach to process data.
4. Are there any alternative methods to be considered with respect to processing personal data without relying on consent?
5. Purpose specification and use limitation
1. What are your views on the relevance of purpose specification and use limitation principles?
The principles of purpose specification and use limitation exist to ensure that data subjects are able to retain an extent of control over their personal data even after parting with it. As the SC observed in K S Puttaswamy, the right to privacy is built around the individual, in whom it vests control over information about him/her. Control in context of data protection relates not only to the manner in which data is collected, stored and shared as the Committee notes in the white paper, but also to substantial decisions made about collection, storage and sharing of data, including whether data should be processed for purposes beyond that for which it was originally collected. It is equally important to keep in mind that regulations, while vesting control over data in data subjects, must also provide some degree of flexibility for data controllers so that the industry is not shackled by burdensome compliances. The principles of purpose specification and use limitation must be seen as core tenets of any data protection framework and given legislative effect.
2. How can the purpose specification and use limitation principles be modified to accommodate the advent of new technologies?
We agree with the Committee’s proposition that rapid advancements in technology may necessitate changes in the regulatory approach to data protection from time to time. As regulatory reforms are time-consuming and may not be able to keep pace with technology at all times, regulators must ensure that data protection principles are not given legislative effect in ways that cripple the industry. However, it is our submission that the principles of purpose specification and use limitation do not need any modifications to accommodate new technologies i.e. in any given technology framework, personal data must be collected only for specified purposes, and processing for any other purposes without express consent must be prohibited. In fact, it can be argued the significance of these principles have increased of late, as the potential use-cases of existing databases have grown exponentially with the advent of artificial intelligence, machine learning, big data analytics and more. The fundamental premise of purpose specification and use limitation being that data subjects must be made aware of the purposes for which their personal data is being processed, effective enforcement of the principles will play a significant role in ensuring that personal data is not processed for purposes that the data subjects have not consented to.
3. What is the test to determine whether a subsequent use of data is reasonably related to/compatible with the initial purpose? Who is to make such determination?
There is no objective test to determine whether a subsequent use of data is compatible with the initial purpose for which it was collected. In the event of a dispute, such determinations will have to be made on a case-to-case basis by the data protection authority after considering whether one could reasonably have foreseen one’s data being used for the secondary purpose in question.
4. What should be the role of sectoral regulators in the process of explicating standards for compliance with the law in relation to purpose specification and use limitation?
1. The sectoral regulators may not be given any role and standards may be determined by the data protection authority.
2. Additional/higher standards may be prescribed by sectoral regulators over and above baseline standards prescribed by such data protection authority.
3. No baseline standards will be prescribed by the authority; the determination of standards is to be left to sectoral regulators.
We recommend that the data protection authority should prescribe baseline standards for compliance with the purpose specification and use limitation principles, after which sectoral regulators should have the option of prescribing additional/higher standards as they see fit. While the DPA can very well specify general standards that must govern data processing activities, more specific standards that account for the nuances involved in various sectors are better prescribed by sectoral regulators. For instance, higher encryption standards may have to be prescribed for financial services. It is also essential that the DPA makes itself available for consultations by sectoral regulators when said sector-specific standards are being drafted.
6. Processing of Sensitive Personal Data
1. What are your views on how the processing of sensitive personal data should be done?
Some categories of personal data carry an elevated risk of harm to the data subject if disclosed, for reasons the Committee has already noted in the white paper. As such, it stands to reason that such categories of data i.e. sensitive personal data be given a higher degree of protection under law. However, regulators must also avoid placing the onus of identifying sensitive personal data on data controllers/processors, as the margin for error is too great and the consequences of improper processing are too grave. Therefore, India’s data protection framework must explicitly earmark certain categories of personal data as sensitive personal data, the processing of which must be prohibited other than with express consent from the data subjects or under the authority of law.
2. Given that countries within the EU have chosen specific categories of “sensitive personal data”, keeping in mind their unique socio-economic requirements, what categories of information should be included in India’s data protection law in this category?
In a previous response, we had proposed that the following categories of personal data be treated as “sensitive” and given elevated protection under law:
- Race, color, religion, ethnicity, caste
- Political affiliations
- Religious or philosophical beliefs
- Passwords and encryption keys
- Financial data
- Health data (physical and mental health including disability)
- Biometric and genetic data
- Marital status and sexual orientation
- Sexual activity
- Criminal history
- Employment history
- Trade union membership
Of these, we believe data revealing the subject’s caste is of particular relevance in an Indian context as caste-based discrimination and violence continue to be unfortunate realities in our society. Aside from this, other categories of data such as religious/philosophical beliefs, marital status, sexual orientation, and sexual activity are similarly relevant for India, even if not uniquely so.
3 What additional safeguards should exist to prevent unlawful processing of sensitive personal data?
1. Processing should be prohibited subject to narrow exceptions.
2. Processing should be permitted on grounds which are narrower than grounds for processing all personal data.
3. No general safeguards need to be prescribed. Such safeguards may be incorporated depending on context of collection, use and disclosure and possible harms that might ensue.
4. No specific safeguards need to be prescribed but more stringent punishments can be provided for in case of harm caused by processing of sensitive personal information.
We recommend that processing of sensitive personal data should be prohibited, subject to narrow exceptions. This is functionally equivalent to the second alternative proposed above (permit processing on narrow grounds), and is in line with regulatory approaches under the EU GDPR, UK DPA and South Africa’s POPI among others. Exceptions to the prohibition on processing sensitive personal data must include at least (i) processing done with express consent from the data subject and (ii) processing done under authority of law (iii) processing of data that has deliberately been made public by the data subject (iv) processing of information that falls within the ambit of the Right to Information Act, 2008. Additional grounds of exemption such as processing done in the interest of establishing a right or obligation and processing done in compliance with international public law may also be considered for adoption. However, regulators must take care to tailor the language as narrowly as possible so as to avoid legal loopholes that defeat the purpose of providing elevated protection to sensitive personal data.
4. Should there be a provision within the law to have sector specific provisions for sensitive data, such as a set of rules for handling health and medical information, another for handling financial information and so on to allow contextual determination of sensitivity?
The law may make provisions for the issuance of sector-specific rules/regulations/guidelines on contextual determination of sensitivity, but such determinations must be made over and above the determinations already made by the primary data protection legislation i.e. without prejudice to the categories of data that have been identified as sensitive by the legislation. In other words, it should be permissible to consider typically non-sensitive personal data as sensitive in one or more sectors on a need-basis, but not vice-versa.
7. Storage Limitation and Data Quality
1. What are your views on the principles of storage limitation and data quality?
Both storage limitation and data quality are crucial principles of data protection that must feature in India’s data protection law. Both principles are also closely linked to the purpose specification principle. Without limits on the duration for which personal data that was collected for specific purposes is allowed to be retained by the controller, data subjects may lose control over their data, which in turn may lead to risks of theft, unauthorized copying and so on.16 Similarly, it is important to ensure that collected personal data is accurate, complete and up-to-date, as inaccurate, incomplete or outdated data can be misleading and harm data subjects in many ways.
2. On whom should the primary onus of ensuring accuracy of data lie especially when consent is the basis of collection?
1. The individual
2. The entity collecting the data
We reiterate at the outset that “consent” does not justify improper collection and processing of personal data. Data protection is primarily about putting data subjects in control of information about themselves, and as such, whether or not data was collected on the basis of consent should make no difference to the application of the data quality principle. That being said, it may nevertheless be impractical to stipulate that data controllers are at all times responsible to ensure the accuracy of the personal data that they collect, especially when it comes to data that the subjects themselves (or third parties) provide. In such cases, data controllers must be required to take reasonable steps to ensure accuracy of data, but inaccuracies must not be treated as breaches of the data quality principle, so long as the data controller:
- Has accurately recorded information provided
- Has, where applicable, made clear that the data subject has challenged the accuracy of information
“Reasonableness” of steps in these cases will be circumstantial and must be determined on a case-to-case basis after considering the nature of data collected and the purpose of collection.
3. How long should an organization be permitted to store personal data? What happens upon completion of such time period?
1. Data should be completely erased
2. Data may be retained in anonymized form
We concur with the Committee’s position that it may not be feasible to prescribe precise durations for which personal data may be retained by data controllers, as it would be impossible to foresee all possible applications of personal data and identify appropriate retention periods for all such applications. The law may therefore stipulate that personal data must not be retained for any longer than is reasonably necessary to fulfill the primary purpose for which it was collected. Once the purpose has been fulfilled, personal data must be completely erased rather than retained in anonymized forms. This is because anonymization is not a fool-proof way to ensure that data is permanently dissociated from their subjects, and can be reversed with the right tools. The only way to prevent this from happening is to have data controllers completely destroy personal data once the purpose of collection has been fulfilled.
8. Individual Participation Rights – 1
1. What are your views in relation to the above?
The data subject’s ability to participate in and influence the manner in which their personal data is used by controllers is an effective way to allow him/her control over his/her data, and is therefore one of the most important aspects of any data protection law. The Committee has rightly identified the rights to confirmation, access and rectification of data as the most widely recognized individual participation rights across other jurisdictions with comprehensive data protection laws. It is imperative that these rights find mention in an Indian data protection law, as they play a big role in serving the fundamental purpose of such a law, which is to put control over personal data in the hands of data subjects themselves.
2. Should there be a restriction on the categories of information that an individual should be entitled to when exercising their right to access?
Individuals should be entitled to access all categories of information including at least the purpose of processing, categories of data being processed, recipients of data, period of storage, source of data, and meaningful information on the logic behind automated decisions, so long as his/her exercise of this right does not infringe the rights and freedoms of others.
3. What should be the scope of the right to rectification? Should it only extend to having inaccurate data rectified, or should it include the right to move court to get an order to rectify, block, erase or destroy inaccurate data as is the case with the UK?
Right to rectification must essentially allow data subjects to rectify inaccurate personal data held by controllers. This right may be exercised at the first instance through a formal rectification request before the relevant controller(s), but data subjects must also not be made to forfeit their right to move the court or the data protection authority in cases where the controller(s) fail to respond to valid requests. In order to avoid overcrowding courts with data rectification matters, formal rectification requests before the controller may be made a necessary pre-requisite to legal action.
4. Should there be a fee imposed on exercising the right to access and rectify one’s personal data?
1. There should be no fee imposed.
2. The data controller should be allowed to impose a reasonable fee.
3. The data protection authority/sectoral regulators may prescribe a reasonable fee.
To avoid overburdening data controllers with frivolous or vexatious exercise of individual participation rights, the regulator may prescribe a nominal fee that data controllers may choose to impose. Since the sole purpose of imposing such a fee is to filter out illegitimate exercises of the rights, this task need not be delegated to sectoral regulators. The data protection authority may instead prescribe a fee that applies across all sectors. While determining the precise fee to be levied, the regulator must be careful to not make the rights inaccessible to the economically backward.
5. Should there be a fixed time period within which organizations must respond to such requests? If so, what should these be?
We recommend that the turn-around time for responding to individual requests be prescribed as 30 days from the date of receipt of the request.
6. Is guaranteeing a right to access the logic behind automated decisions technically feasible? How should India approach this issue given the challenges associated with it?
While it may be true that the logic behind most automated decisions regarding personal data has reached a point, where disclosure of the precise logic behind such decisions could prove either futile due to their complexity vis-a-vis the presumed technical expertise of most data subjects, or infeasible due to concerns such as the inevitable disclosure of trade secrets in the process, the idea behind envisaging the right to access the logic behind automated decisions remains relevant even today. Given that data subjects stand to be impacted in very real ways by automated decisions, it follows that they be given the option of understanding how such a decision was made so as to be able to determine whether they wish for automated processing to continue. The challenges associated with accessing the logic can be overcome to a large extent by stipulating the disclosure of not the precise logic that resulted in a particular automated decision, but a simplified and accurate description presented in a manner that would allow data subjects to make informed decisions on its basis.
7. What should be the exceptions to individual participation rights?
Exceptions to individual participation rights must be very narrowly tailored, and refusal of access to personal data should be avoided in almost all cases. This is because it is usually possible to arrange for a trusted third party to access a record on behalf of the data subject where direct access is not permissible. That being said, some exceptions to participation rights may still need to be considered so as not to impose unreasonable demands on controllers and to safeguard the rights and freedoms of others. For instance, if a controller can conclusively demonstrate that individual participation is technically impossible or prohibitively costly in specific cases, it may be exempted from compliance with access requests from the data subject. Similarly, if the exercise of a subject’s participation rights would result in the violation of a statutory mandate to maintain confidentiality, compliance by the controller may be exempted. However, we would like to re-emphasize that all exceptions to individual participation rights must be very narrowly tailored as participation is essential for the individual to retain control over his/her information, which is the primary purpose of any data protection law.
9. Individual Participation Rights – 2
1. What are your views on the above individual participation rights?
As the Committee rightly notes, the contours of the above individual participation rights are still evolving as they are relatively new entrants to the data protection landscape. We propose that all rights, save for the right to object to processing, be considered for inclusion in India’s data protection law. As “public interest” and “legitimate interest of the organization” are not recommended to be included as permissible grounds for processing owing to the presence of significant ambiguities, the right to object to processing, which applies only in cases where processing is done on these grounds, would be unfit for inclusion. Rights such as data portability and objection to automated decisions on the other hand, have grown increasingly relevant and are important aspects to consider in a complex data ecosystem.
2. The EU GDPR introduces the right to restrict processing and the right to data portability. If India were to adopt these rights, what should be their scope?
3. Should there be a prohibition on evaluative decisions taken on the basis of automated decisions?
1. There should be a right to object to automated decisions as is the case with the UK.
2. There should be a prohibition on evaluative decisions based on automated decision making.
Whereas most developments in the use of technology in business administration have focused until recently on helping entrepreneurs make business decisions, we expect technology to be used extensively in automating business decisions in the near future. Considering the potential for industrial growth fueled by new technologies such as artificial intelligence, machine learning and big data, we do not recommend an outright prohibition on automated evaluative decisions. The focus rather should be on ensuring from a regulatory stand-point that the adoption of such technologies in general, and their use in automated evaluative decision-making in particular, respect fundamental data protection principles and other rights of data subjects. By providing for a right to object to automated decisions, Indian data subjects would be afforded the opportunity to participate or refrain from participating in automated decision making processes after weighing their legitimate interests against potential harms.
4. Given the concerns related to automated decision making, including the feasibility of the right envisioned under the EU GDPR, how should India approach this issue in the law?
As provisionally noted by the Committee, the right to object to automated decisions is relevant today due to the pervasiveness of automated decision making in the digital economy. India’s adoption of this right can largely be based on the EU approach, where the right was first envisioned under the 1995 E-commerce Directive. In essence, data subjects must have the right not to subject themselves to decisions based solely on automated processing. Decisions in this context would also include profiling of the data subject, though the right would only arise when said decisions have significant effects on the data subject – legal or otherwise. A significant drawback with this right as it exists in the EU GDPR is that human involvement at any stage of the decision-making process would forfeit the right to object, which means a large portion of effectively automated decisions will be immune from challenge due to human involvement, however inconsequential. To overcome this drawback, the Indian data protection law could stipulate that the right to object would apply even if there was human involvement in the decision-making process, so long as the decision was functionally automated. Whether or not particular decisions fall into the ambit of this right will then have to be determined on a case-by-case basis by the data protection authority as and when disputes arise.
10. Individual Participation Rights-3: Right to be Forgotten
1. What are your views on the right to be forgotten having a place in India’s data protection law?
There has been much debate on global policy platforms regarding the right to be forgotten (RTBF), including on such fundamental aspects as whether it should be treated as an enforceable right to begin with. While there certainly is merit to a lot of arguments in favor of giving effect to such a right, there are equally meritorious arguments against it. On the one hand, from a privacy stand-point, data subjects have a legitimate interest in erasing damaging information about themselves held by data controllers. The underlying spirit of data protection i.e. meaningful control over one’s data, would also appear to support the proposition that data subjects must be able to exercise RTBF. On the other hand however, there are concerns that exercising RTBF would adversely affect freedom of speech and expression, specially when there arguably is a larger public interest to be served by processing personal data even if such processing may prove harmful to the data subject. Incorporating RTBF into a data protection law then becomes a matter of striking a delicate balance between rights of the data subject and the larger freedom of speech and expression. Though the global trend seems to favor recognizing RTBF as an enforceable right, we believe the contours of the right need to be crystallized before this can be done. Regulators must take extreme caution when importing RTBF to an Indian data protection framework, and must ensure that it does not derogate free speech or any allied right.
REGULATION AND ENFORCEMENT
1. Enforcement Models
1. What are your views the above described models of enforcement?
Command-sanction approach: There are various flaws in a command-sanction model of enforcement. The command-sanction approach provides for:
- Lengthy procedures for drafting legislation which are too slow to keep up with dynamic nature of technologies;
- Non-inclusion of technical know-how. Regulators are often unaware of technical perspectives of every industry; and
- Formulation of prescriptive legislations which lead to obtusive legislations that are capable of wrecking the balance of society in a dynamic information economy.
Thus, while drafting a new data protection framework, India should move past the constraints of command sanction approach and should adopt a co-regulatory model of enforcement.
Co-regulatory approach: The following are the reasons to endorse a co-regulatory approach:
- There is a shift in approach and many countries are inclined towards incorporating multi stakeholder approach in drafting and enforcing legislations;^[Department of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Economy: A Dynamic Policy Framework (2010) [hereinafter Green Paper]
- Adopting a co-regulatory approach to draft the data protection framework ensures a technology neutral legislation;
- The framework only provides for obligations to adhere to, it does not delineate the modes to achieve the same;
- This approach enables faster development and advancement as the drafted technical standards are easier to comply with;
- Co-regulatory approach also engages a decentralized approach for enforcement;
- It further prescribes for supervision which is a more effective enforcement mechanism in comparison to the traditional model of enforcement that suffers from challenges due to centralized supervision; and lastly,
- The proponents of this model argue that when the industrial leaders negotiate with the government regulators they are more motivated to make their consented-approach a success.
Thus, it is best for India to adopt a co-regulatory approach as it strikes a balance between industry and the government. It ensures stricter enforcement and leads to development.
Shortcomings of Self- regulatory approach:
- The laws drafted in this process are non binding and only followed by those who willingly accept the same. Although it is considered 'consistent with innovation and consumer-oriented’ ,however, there are various concerns about its implementation ;
- Self-regulation from big industrial stakeholders are often non-inclusive of perspectives of individual proprietors and small businesses;
- Hirsch underlines another impact of self-regulation on the business industry, he states 'without the ability to guarantee legal compliance, pure self-regulation will neither attract sufficient industry involvement nor address the need for international privacy standards';
- Co-regulatory frameworks are supervisory in nature and they ensure enforcement in various forms at different levels. On the other hand, self-regulated frameworks are lenient. Therefore, to ensure enforcement and implementation, we must adopt a co-regulatory model.
2. Does co-regulation seem an appropriate approach for a data protection enforcement mechanism in India?
The pace of innovation and technology is ludicrous. To ensure a civic society, the government should focus on the ability to adopt new legal provisions ensuring data protection. Thus, the government of India should adopt a co-regulatory approach in drafting the data protection framework which recognizes the role of government and at the same time, takes into account the interests of its subjects.
The Indian government can take inspiration from the European method of standardization and the innovative methods of self governance provided in the Dutch model. The standardization method provides for creation of codes by industry and the government. The fascinating fact about devising standards is that certain factors such as technical details which are often overlooked by a legislation can be incorporated with standards. Moreover the standards have to comply with the law as they are mandated by legislation. Thus adoption of a co-regulatory approach would ensure participation, flexibility and supervision.
3. What are the specific obligations/areas which may be envisaged under a data protection law in India for a (i) ‘command and control’ approach; (ii) self-regulation approach (if any); and (iii) co-regulation approach?
The specific areas envisaged under a data protection law in India for the following approaches are:
Command and control approach: The members of the parliament should draft an overarching framework based on a multi stakeholder approach. The framework should delineate the concepts and guiding principles for various industries to ensure data protection. The statute should include the following definition, principles and guidelines:
- Definitions of important terms such as: data controller, processing, personal data and sensitive personal data among others;
- Scope of the regulation;
- Principles such as: choice and consent, openness, disclosure of information, accountability, collection limitation, and purpose limitation;
- Rights of individuals with respect to their data
- Adjudication process;
- Security safeguards;
- Exemptions for processing certain types of data;
- Compensation; and
A co-regulatory approach should be adopted in drafting and enforcement of data protection laws. The members of the parliament should draft overarching norms which would serve as principles for the industry to regulate themselves. Industries should comply with the principles enshrined in the data protection framework by creating policies and standards for themselves.
The industries from different sectors should be allowed to draft codes of conduct in order to comply with the overarching framework. The codes drafted should be detailed and technology neutral. In addition, the codes drafted should be approved by the Data Protection Authority as prescribed to ensure compliance with the framework. This exercise would lead to a more inclusive and effective rule making mechanism. Industries should draft standardized codes for the following practices:
- Privacy policies;
- Notices to ensure informed consent;
- Notification for breach of data;
- Anonymization/Pseudonymization of data;
- Systems for implementation and assessment of policies;
- Technical and organizational measures, measures introducing data protection by design and by default, and safeguards for the security of processing; and
- Transparency in data processing
Lastly, the Data Protection Authority and self regulating organizations at various levels should be responsible for supervising and ensuring compliance with the Act by public and private sector. The Court should adjudicate in case of appeals from the orders of Data Protection Authority.
4. Are there any alternative views to this?
2. Accountability and Enforcement Tools
1. What are your views on the use of the principle of accountability as stated above for data protection?
Any data controller should ensure protection of the right to privacy of individuals recognized under Article 21 of the Constitution of India. Failing to do so, it should be held accountable under the data protection legislation.
The legislation must adopt the principle of accountability and ensure the following:
- Data privacy and security;
- A sense of autonomy to individuals over their data;
- Adoption of privacy based approach i.e. inculcation of privacy by design or privacy by default at nascent stages of developing technologies;
- Additional responsibility for third party processors to process the information only with authorization or knowledge of data controller;
- Strict liability on data controller;
- Hold the data controller responsible to inform the data subject in case of data leak/breach;
- Brief and swift redressal mechanisms.
In addition, to inculcate the principle of accountability, the legislation should obligate data controllers to take all appropriate and reasonable technical and organizational measures in order to ensure the integrity and safety of personal information of data subjects. The reasonable measures that can ensure safety of data include calculating all foreseeable internal and external risks, establishing and maintaining efficient practices to mitigate such risks and verifying and upgrading implemented safeguards. Lastly, the data controllers should also send out breach notifications to the data subject in case of a breach.
2. What are the organizational measures that should be adopted and implemented in order to demonstrate accountability? Who will determine the standards which such measures have to meet?
The organizational measures that should be adopted and implemented by data controllers to demonstrate the principle of accountability can be connoted as follows:
Privacy based approach: The data controllers should adopt the following practices to ensure privacy of data subjects:
- Privacy by design and privacy by default must be inculcated in developing businesses and technologies;
- Adopting techniques such as data anonymization, pseudonymization and data minimization can be used among others
- Strategies for data collection should be drafted and must be kept up to date.
- The data controllers should draft personalized policies, standards and guidelines to comply with the overarching privacy principles; They should:
- Align data and data analytics with the data protection policies; and
- Draft clear intention rules and retention guidelines.
Privacy management program: The data controllers must devise a privacy management program to implement and enforce the principles demarcated in the data protection law. A successful privacy management program comprises the following:
- Appointment of officers as supervisors to ensure enforcement of the data protection policies and standards by the data controller;
- Educational and training programs for employees and officers to ensure better enforcement;
- Assignment of unique id to all the individuals in an organization who have access to the data collected;
- Usage of high level of encryption for data collection and retention;
Assessment of implemented policies and standards: Technology is dynamic and changes fast when compared to rules and policies. To ensure that the implemented policies and standards stay compliant with applicable regulations and that they remain cognizant of new security risks, they should be assessed regularly. Organizations should take the following steps in this regard:
- Identify potential threats and high risk activities;
- Continuously monitor all access to data collected;
- Conduct regular audits to ensure compliance with the data protection law, policies and standards;
4.The audits should be conducted by an external auditor.
Feedback and enhancement of existing system, policies and standards: The principle of accountability can be achieved with effective policies and standards that conform to data protection legislation. To ensure effective policies, regular follow-ups and revision of policies is necessary.28 Data controllers should be allowed to set the standards to be met, however the standards drafted should conform to the data protection law of the nation.
3. Should the lack of organizational measures be linked to liability for harm resulting from processing of personal data?
The principle of accountability provides for establishing organizational mechanism to ensure data protection and privacy. The principle of accountability also provides for strict liability of data controllers in the case of a breach/ leak. The concept of strict liability can be termed as ‘occurrence of a proscribed act and creates a liability unless the defendant is covered by exemptions’. Thus, when a data controller is unable to adopt necessary organizational measures causing harm from processing of personal data, there arises liability of data controller to compensate the data subjects.
4. Should all data controllers who were involved in the processing that ultimately caused harm to the individual be accountable jointly and severally or should they be allowed mechanisms of indemnity and contractual affixation of liability inter se?
The data controllers who were involved in the processing or allowed processing by processor which ultimately led to harm to the data subject should be held accountable under jointly and severally type of model.
It should be the choice of the data controller to incorporate an indemnity clause which provides for reimbursement for the controllers who has paid the entire amount from other defaulters for their part since it is unfair to hold all the controllers equally responsible for the irresponsible act of others or contractual fixation liability.
5. Should there be strict liability on the data controller, either generally, or in any specific categories of processing, when well-defined harms are caused as a result of data processing?
The principle of absolute liability in tort shall be taken into consideration while data controllers are collecting or processing sensitive personal data. They are performing an inherently risky task to make commercial profits and in the case of leaks they shall be absolutely liable for the same. Thus, Data controllers should be held absolutely liable in specific categories of processing i.e. while processing sensitive personal data.
6. Should the data controllers be required by law to take out insurance policies to meet their liability on account of any processing which results in harm to data subjects? Should this be limited to certain data controllers or certain kinds of processing?
The law should be voluntary in this regard and it should not mandate data controllers to take insurance policies to meet their account liability of any processing which results in harm to data subjects. However, it will be in the interest of the data controllers to manage the risk by opting for insurance.
It is the general duty of data controllers to compensate the data subjects on account of any processing which results in harm. Also, in a case where the data controllers are wholly/ partly owned subsidiaries, the parent company would be held liable to compensate in cases of data breach.
7. If the data protection law calls for accountability as a mechanism for protection of privacy, what would be impact on industry and other sectors?
If the data protection law calls for accountability as a mechanism for protection of privacy, it would impact all the industries and sectors. There would be a significant increase in the incurred expenditure of organizations. Industries and other sectors would have to ensure inculcation of privacy by design/default in their mechanism, it would require a significant change in perspective of the staff and training of employees. Moreover, the principle also shifts the responsibility towards data controllers. This would lead to increased risk of companies acting as data collectors as their liabilities would increase.
A. Codes of Practice
1. What are your views on this?
There are several reasons that make codes of practice an effective enforcement tool in a co-regulatory framework:
This practice endorses division of labor. Organizations/ industries are able to customize rules as per their circumstances.
It ensures administrative efficiency. The codes are drafted by subject experts and industrial leaders who are well versed with technical implications of data in the given subject.
This practice provides for better enforcement mechanism. The codes of conduct are easy to amend and update in contrast to statutory legislations.
The codes ensure higher standards of privacy. The codes of practice further elaborate on functioning of already existing principles in order to inculcate specific features and needs of different enterprises.
Thus, Indian data protection law should encourage industries to draft codes of practice.
2. What are the subject matters for which codes of practice or conduct may be prepared?
As provided by the white paper, codes of practice/ conduct can be prepared for the following subject matters:
- the collection of personal data;
- the anonymization/pseudonymization of personal data;
- the information provided to the public and to data subjects;
- the exercise of the rights of data subjects;
- the protection of children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
- the transfer of personal data to third countries or international organizations etc.;
- the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects; and
- technical and organizational measures, measures introducing data protection by design and by default, and safeguards for the secure processing;
3. What is the process by which such codes of conduct or practice may be prepared? Specifically, which stakeholders should be mandatorily consulted for issuing such a code of practice?
Associations and organizations representing controllers can voluntarily draft codes of conduct or practice. The codes of conduct should be drafted to fill the lacunae identified by the association/organization in the application and enforcement of data protection framework. Associations and organizations representing controllers should adopt a multi-stakeholder approach to include technical experts, subject matter experts to draft these codes. The codes should comply with the overarching principles provided in the data protection framework. Also, the codes should be approved by the data protection authority. The supervisory authority should be empowered to suggest and make amendments and even refuse to certify a code in case it fails to comply with provided principles. Once, the supervisory authority certifies a code of conduct or practice as a statutory framework, all the controllers represented by drafting association/organization must comply with the code.
4. Who should issue such codes of conduct or practice?
The codes of conduct/practice should be issued by self regulating organizations and associations representing controllers. They can also be issued by independent entities. However these codes should comply with the data protection law and be approved and certified by a competent supervisory authority. The Data Protection law should provide for institution of a supervisory authority i.e. data protection authority to regulate and enforce data protection rules and regulations. The regulatory body instituted should approve and certify such codes of practice.
5. How should such codes of conduct or practice be enforced?
Once, the codes of conduct or practice are approved by the Data Protection Authority, codes acquire a similar status as the law and are required to be complied with by the data controllers. Thus, in order to enforce codes of conduct or practice, the industries and other sectors should incorporate the codes of practice for their industry in their policies and standards. The controllers which are being represented by an association/ organization should send audit reports of compliance to their respective association/organization for enforcement. Associations/organizations representing controllers should ensure that the codes are being followed. In case of non compliance they should report to the Data Protection Authority. The data protection authority should have the power to impose fines and penalties in case of non compliance.
6. What should be the consequences for violation of a code of conduct or practice?
7. Are there any alternative views?
B. Personal Data Breach Notification
1. What are your views in relation to the above?
Personal data breach notifications are important and should be made to inform data subjects and regulators in case of a breach. Personal data breach notifications are a necessity in terms of preventing identity thefts and financial frauds against individuals and ensuring privacy. A notification enables individuals and organizations to improve already existing mechanism, be cautious and undertake necessary measure to prevent or mitigate harm as per the situation. Thus, the data controllers should notify the regulators and individuals of a data breach as soon as possible when there is a risk to rights and freedom of the individuals.
2. How should a personal data breach be defined?
The definition of ‘personal data breach’ should include the following three types of breaches i.e. availability, confidentiality and integrity breach as prescribed in the white paper.
3. When should personal data breach be notified to the authority and to the affected individuals?
A personal data breach should be notified to the authority immediately, however it can be delayed maximum upto 72 hours from the time when data controllers become aware of the same. In case of delay post 72 hours, data controllers must submit in writing the reasons of delay. It is often argued that the provision which makes it mandatory to notify authorities every time increases the number of notifications and sometimes important ones are missed. However, on the other hand informing about all the data breaches to the authority, aids the authorities in assessing the data breaches in terms of their nature/ impact and the measures taken by data controllers. Moreover, it is also argued that 72 hours is very less time for data controllers to notify and notifications on short notice might not be as meaningful. Thus, the data controllers may take more time to come up with a detailed notification, but they must send out an immediate notification informing about the breach to the data protection authority.
Data controllers should inform individuals only in cases where there exists high risk to rights and freedom of individuals. In such cases, data controllers must inform them immediately, however it can be delayed maximum upto 72 hours from the time when data controllers become aware of the same.
4. What are the circumstances in which data breaches must be informed to individuals?
The data breaches should be notified to individuals when there is a high risk to rights and freedom of individuals. Following are the circumstances;
- Threat of identity theft;
- Financial loss;
- Damage to reputation;
- loss of confidential medical records;
- Lead to psychological distress;
- Easy identification of individuals;
- If it impacts large number of people;
5. What details should a breach notification addressed to an individual contain?
There should be a standard form of notification to address data subjects. It should contain the following:
- Be in the language which can be easily understood by the individuals;
- Explicitly specify the type of data breach that has occurred;
- Inform individuals what all data has been compromised;
- Describe the possible outcomes of the breach;
- Name and contact details of point of contact at Data Protection Authority
- An account on the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- An account on the measures that data subjects may take to minimize harm such as changing passwords, enabling two-factor authentication, reviewing permissions and so on.
C. Categorization of data controllers
1. What are your views on the manner in which data controllers may be categorized?
We agree that it is not feasible or even desirable to have all data protection obligations apply to every data controller without differentiation. However, it may also be infeasible to envisage a single scheme of controller categorization that applies across the board in relation to every obligation under law. Instead, factors such as size of the organization, nature of data being processed, potential harm to data subjects, and state of technology among other things must be considered when mapping obligations to controllers, and obligations so imposed must not be disproportionate. This will ensure that controllers are not bound down by unreasonable obligations that they cannot comply with, allowing the industry to grow unimpeded by restrictive regulations. As the Committee observes, it will also allow the regulator to monitor actual data protection practices so as to identify and address risks.
2. Should data controllers be classified on the basis of the harm that they are likely to cause individuals through their data processing activities?
For the purposes of determining applicable data protection obligations, potential harm to data subjects is one of the criteria on the basis of which a classification can be made. Controllers that are not likely to cause significant harm to the subjects through their processing activities (those that do not process sensitive personal data, for instance) may be given limited exemptions from compliance, while stricter requirements may be imposed on controllers that are likely to cause harm.
1. Should there be a registration requirement for certain types of data controllers categorized on the basis of specified criteria as identified above? If yes, what should such criteria be; what should the registration process entail?
Rather than mandating registration on the basis of an inclusive list of criteria, registration may be mandated in principle for all data controllers. However, exemptions will need to be made so as not to create a prohibitively vast registry of controllers, a large portion of whose activities may not even warrant frequent monitoring by the data protection authority. Exemptions may be made on the basis of criteria including but not limited to nature and quantity of data being processed, purpose of processing, and legal obligations mandating processing. The following fields of information may be required for registration: (i) name and address (ii) contact person (iii) purpose of business (iv) description of each application of personal data as it relates to the purpose of business, along with types of personal data (v) list of entities to whom personal data will be disclosed (vi) countries to which information will be transferred (vii) sensitive data that is retained. A searchable online databse of registered controllers may also be maintained for public access.
Data Protection Impact Assessment
1. What are the circumstances when DPIAs should be made mandatory?
DPIAs may be made mandatory in the following circumstances:
- Where processing uses new technologies.
- Where processing is likely to result in a high risk to the rights and freedoms of data subjects, owing to the nature, scope, context and purpose(s) of processing.
The data protection authority must also publish a clarificatory list of processing operations that would attract DPIA obligations. Operations that already attract DPIA obligations in other jurisdictions include, among others: automated processing for purposes of profiling and similar activities; large-scale processing of sensitive personal data; large-scale processing of data relating to criminal convictions and offenses; large-scale processing of data that affects a large number of people.
2. Who should conduct the DPIA? In which circumstances should a DPIA be done (i) internally by the data controller; (ii) by an external professional qualified to do so; and (iii) by a data protection authority?
The task of conducting DPIAs can primarily be entrusted with the data controllers themselves. Processing of data must commence only after completing DPIA processes where applicable, and if the DPIA reveals that the envisaged processing would result in significant risk to the data subjects, the controller may consult the data protection authority before commencing processing.
Data protection audit
1. Is there a need to make data protection audits mandatory for certain types of data controllers?
The law should mandate yearly data protection audits for only those data controllers who are processing sensitive personal data. Data protection audits are necessary for them as processing of personal sensitive data is inherently risky in nature. Once compromised, the damage that has been done is irreversible. In addition, for all other data controllers processing personal data, Data Protection Authority should be authorized by law to conduct data protection audits of public and private data controllers/processors in following circumstances:
- When there have been repeated complaints of non compliance of obligations about data controller;
- In cases of self notified breaches from a controller;
- Adoption of new and latest technologies that raise public concern;
- Reports from other resources such as journalists or whistle blowers;
- When data subjects have undergone reasonable trouble due to adopted policies; and
- Nature and volumes of data being processed by the controller
2. What aspects may be evaluated in case of such data audits?
Data audits may evaluate all or some of the following aspects:
- Implemented policies;
- Fair obtainment and processing data;
- Number of audits that have taken place and their results;
- Contractual requirements with other data controllers/ processors;
- Service agreements;
- Third party disclosures;
- Initiatives of the data controller;
- Data protection impact assessment.;
- Awareness among employees;
- Data Security;
- System Review;
- Number of data breaches; and
- Access requests
3. Should data audits be undertaken internally by the data controller, by a third party (external person/agency), or by a data protection authority?
Audits should be conducted by an external person or agency or by Data Protection Authority to ensure transparency. Primary reason to hire an external auditor is to prevent mis-statement of real facts to the data subjects and authorities. Moreover, external auditing lends credibility and results in unbiased recommendations.
4. Should independent external auditors be registered /empaneled with a data protection authority to maintain oversight of their independence?
External auditors should be empaneled with the Data Protection Authority to regulate the profession of auditors and maintain an oversight of their independence.
Data Protection Officer
1. Should it be mandatory for certain categories of data controllers to designate particular officers as DPOs for the facilitation of compliance and coordination under a data protection legal framework?
As the Committee notes, the appointment of Data Protection Officers where applicable to facilitate compliance and coordination is a crucial element of data protection laws. India’s data protection law can be informed by international practices and stipulate that DPOs be appointed where:
- Processing is carried out by public authorities (other than courts)
- The controller’s activities require regular, systematic and large scale monitoring of persons
- The controller’s core activities require large-scale monitoring of sensitive personal data
2. What should be the functions and duties of a DPO?
DPOs may be tasked with the following functions:
- Inform and advise data controllers and their employees on applicable legal obligations
- Monitor compliance with extant data protection laws in jurisdictions where processing is carried out
- Assist in conducting DPIAs
- Serve as a point of contact with the data protection authority
- Work with the data protection authority when required
D. Data Protection Authority
1. What are your views on the above?
We recommend that the data protection authority in India should be called the Data Safety Regulatory Board instead of making it an Authority or a Commission with a multi-tiered judicial process. A seemingly small change on the surface, such a title for the authority would set the tone for the primary focus of the work on safety of personal data instead of primarily regulating businesses. The primary goals for the Board should be to provide speedy and judicious remedy to persons affected by violations of their data safety rights and issuing injunctions to halt / prevent violations.
For the reason of readability, the terms ‘data protection authority’ or ‘authority’ have been used interchangeably with ‘Data Safety Regulatory Board’ in our answers to the questions in this whitepaper with a view to maintain consistency with the manner in which the whitepaper and its questions have been framed.
While it is helpful to look at foreign jurisdictions for guidance in structuring our authority, it may be helpful to take a look at how government bodies are structured in our own country. For this purpose, reference has been made to a few Indian laws while answering the questions below.
2. Is a separate, independent data protection authority required to ensure compliance with data protection laws in India?
Yes, the data protection authority needs to be completely independent of government control, as the authority’s primary job of data safety is likely to clash with other tasks performed by various parts of the government. It needs to be independent in a fashion similar to the way that the judiciary is independent from the executive and the way that the Election Commission is independent. Ideally, a constitutional amendment is required to create a fully independent data protection authority. Failing that, it can be created in a manner that ensures that the its functioning cannot be influenced by the ruling government or corporate interests. It should not be allowed to undertake any profit making business; neither should it be allowed to accept any donations. The appointment, duration of service and disqualification of its members should be independent of government influence.
If the government or corporations are able to exert any influence over the data protection authority, then its primary task – protecting personal data – would be compromised. Other jurisdictions have recognized this possible conflict of interest, and have created an independent data protection authority.
Another reason to create a separate and independent body is that Article 45(2)(b) of EU GDPR requires the European Commission to take into account the existence and functioning of an independent data protection authority for a country to pass the adequacy test. Without such a separate and independent body, India is unlikely to be considered adequate for the purposes of cross border transfer of data.
3. Is there a possibility of conferring the function and power of enforcement of a data protection law on an existing body such as the Central Information Commission set up under the RTI Act?
The task of data safety requires highly specialized knowledge crossing the realms of law, security and data analytics, amongst others. None of the existing government bodies deals with matters involving this cross-section.
India needs a new, separate and completely independent body to enforce the data protection law.
4. What should be the composition of a data protection authority, especially given the fact that a data protection law may also extend to public authorities/government? What should be the qualifications of such members?
The body should consist of a Chairperson, equal number of Member (Legal) and Member (Technical), and a variable number of additional members. The number of additional members should be determined by rules instead of being fixed in the Act.
The relevant Ministry of the Central Government having expertise in the field of information technology (currently, the Ministry of Electronics and Information Technology) should appoint the Member(s) (Technical) of the Authority from amongst persons of eminence in the field of information technology.
The Central Government should appoint the Chairperson, Member(s) (Legal) and other members from amongst persons of eminence in the fields of law, administration, management, information technology or consumer affairs. A Member (Legal) should be qualified to be a Judge of a High Court or should have been a member of the Indian Legal Service and held a post in Grade I of that Service for at least three years.
The appointment of the Chairperson and all other members of the authority should be done by a search committee.
5. What is the estimated capacity of members and officials of a data protection authority in order to fulfil its functions? What is the methodology of such estimation?
The number of members in the data protection authority should be kept variable, and can be determined depending on the workload of the authority.
6. How should the members of the authority be appointed? If a selection committee is constituted, who should its members be?
The Chairperson and Members should be appointed by a selection committee consisting of:
- The Chief Justice of India or his nominee (Chairperson of the Selection Committee);
- The Secretary of the Ministry of Electronics and Information Technology (Member);
- The Secretary of the Ministry of Law and Justice (Member);
- Two experts of repute who have special knowledge of, and professional experience in data protection, data analytics, information technology law, data protection law, data security, privacy or child rights.
The above-mentioned committee has been suggested based on the selection committee for Chairperson and members of the Competition Commission of India under Section 9 of the Competition Act, 2002, as modified by the Competition (Amendment) Act, 2007.
Section 5(8) of The Electricity Regulatory Commissions Act, 1998 should also be included in the legislation on data protection. This sub-section reads as:“Before recommending any person for appointment as a Chairperson or other Member of the Central Commission, the Selection Committee shall satisfy itself that such person does not have any financial or other interest, which is likely to affect prejudicially his functions as a Member.”
7. Considering that a single, centralised data protection authority may soon be over-burdened by the sheer quantum of requests/ complaints it may receive, should additional state level data protection authorities be set up? What would their jurisdiction be? What should be the constitution of such state level authorities?
Germany has 16 data protection authorities – one in each Federal State and one central authority. Such a system necessitates extensive consultations involving a lot of time and resources before recommendations can be made. It also leads to the possibility of the same action being prosecuted twice by different regional data protection authorities. Having a multi-tier redressal mechanism would result in a multi-year litigation process before any relief can be obtained by affected persons.
There should not be state level data protection authorities as there may be conflicting recommendations and standards from different state level authorities that can create an aura of uncertainty for data controllers and data subjects. Unlike the judiciary, the data protection authority would be tasked with creating rules, regulations and standards, and reviewing the compatibility of existing and upcoming legislative instruments and technologies with the requirements of data safety, in addition to other tasks.
There should be a single body with its primary office and bench located at Delhi. The Chairperson of the body should be vested with the power to constitute such number of benches and at such place(s) as he / she deems fit. A bench of the central body in every State without a system of appeals through multiple bodies can result in the same level of accessibility for data subjects that can be achieved through the creation of State level authorities, without the consequent negative effects of creating multiple authorities.
8. How can the independence of the members of a data protection authority be ensured?
The following steps should be taken to ensure that the members (including the Chairperson) act independently:
- The decision of all proceedings before the authority should be made by following the same process as that followed by any court of law, i.e. by a vote of the members hearing the matter. Each member should have an equal share of vote. The majority decision should be followed.
- Members should have a fixed term and should not be eligible for re-appointment at the end of the term.
- Members should not be allowed to accept any gift.
- There should be a conflict of interest clause to prevent a member from hearing any proceeding if it may constitute a conflict of interest.
- Members should not have any financial or other interest, which is likely to affect prejudicially his / her functions as a Member. This includes, but is not limited to, holding any office of profit during their term.
- Sections 11(2), 11(3) and 12 of the Competition Act, 2002 and Sections 7(3) and 7(4) of the Electricity Regulatory Commissions Act, 1998 can be referred for standard provisions in Indian law that should be implemented in order to ensure the independence of the authority. Section 12 of the Competition Act, 2002 bars a member of the Commission from taking employment with any entity that has been a party to proceedings before the Commission for two years from the date of leaving to Commission.
9. Can the data protection authority retain a proportion of the income from penalties/fines?
The data protection authority should be funded directly by the government. Any penalties/fines issued by the authority should go to the Consolidated Fund of India and should not be retained by the authority.
If the authority is allowed to retain a proportion of the income from penalties/fines, the authority’s independence would be weakened as the authority would have an incentive to issue more and higher penalties and fines.
10. What should be the functions, duties and powers of a data protection authority?
The functions, duties and powers should include:
- Monitoring, enforcement and investigation of non-compliance, including the power to initiate suo-moto investigations;
- Advising central and state government departments, bodies, organizations, and others for compliance with the data protection law;
- Review of existing and upcoming legislations, rules and regulations for compliance with the data protection law, and recommending changes to the Parliament where necessary;
- Standard setting powers;
- Awareness generation and educational programs;
- Review the adequacy of data protection laws and practices in other countries for cross border transfer of data;
- Creating a blacklist of known bad actors in order to restrict transfer of data to the blacklisted entities and countries;
- Formulating guidelines for best practices in data protection;
- Formulating model codes of conduct and standard clauses to be adopted by data controllers;
- Creation and maintenance of an automated tool to draft simple standardized privacy policies in multiple languages by filling in a simple form asking questions such as “Do you sell personal data to third parties?”, “Which of these types of data do you collect: Name, Age, Date of Birth, Address, Gender, Phone number, [...]”. The form could be made with checkboxes. Fields that need to by typed in, such as name of the company or product, could be kept in English only. The form would need to be adapted by the authority based on feedback from its users, so the authority must have the power to decide the contents on the form;
- Conducting impact assessment of new legislations, rules and regulations, new technologies, methods of collecting data, and processing of certain data, amongst others.
11. With respect to standard-setting, who will set such standards? Will it be the data protection authority, in consultation with other entities, or should different sets of standards be set by different entities? Specifically, in this regard, what will be the interrelationship between the data protection authority and the government, if any?
The data protection authority should set the minimum standard of protection to be applicable across all sectors by holding consultations with the public, as is done by the Telecom Regulatory Authority of India.
Sector specific regulators should be allowed to set higher standards than those that have been defined by the data protection authority, however, such regulators must be under a compulsion to seek the approval of the data protection authority to ensure that the standards defined by the regulator(s) meet (and possibly exceed) the requirements set by the authority.
12. Are there any alternative views other than the ones mentioned above?
There should be a clause in the data protection law stating that vacancies or defects would not invalidate the proceedings of the body. The Cyber Appellate Tribunal formed under the Information Technology Act, 2000 does not have any such clause. Its proceedings were pending for years because of non-appointment of a Chairperson to the Tribunal, unless it functions were delegated to the TDSAT. It would be prudent to add provision(s) in the data protection legislation to ensure that the authority does not become dysfunctional merely on this ground.
Additional guidance can be taken from Section 10(4) and Section 10(5) of the Competition Act, 2002, which reads:
(4) In the event of the occurrence of a vacancy in the office of the Chairperson by reason of his death, resignation or otherwise, the senior-most Member shall act as the Chairperson, until the date on which a new Chairperson, appointed in accordance with the provisions of this Act to fill such vacancy, enters upon his office.
(5) When the Chairperson is unable to discharge his functions owing to absence, illness or any other cause, the senior-most Member shall discharge the functions of the Chairperson until the date on which the Chairperson resumes the charge of his functions.
3. Adjudication Process
1. What are your views on the above?
2. Should the data protection authority have the power to hear and adjudicate complaints from individuals whose data protection rights have been violated?
Yes, the authority must be the first grievance redressal forum for individuals whose data protection rights have been violated, and must therefore be vested with the power to hear and adjudicate complaints.
3. Where the data protection authority is given the power to adjudicate complaints from individuals, what should be the qualifications and expertise of the adjudicating officer appointed by the data protection authority to hear such matters?
We do not recommend that complaints be adjudicated upon by single adjudicating officers as the adjudicator would necessarily need to have extensive knowledge of both technology and law, and it may prove difficult to find candidates with such qualifications. Instead, our recommendation is that complaints must be heard by a full bench of the data protection authority. As stated in our response to Q.7 from the previous section (Part IV, Chapter 2, Section D), the authority should be vested with the power to constitute such number of benches and at such place(s) as it deems fit, and a bench in every State can result in the same level of accessibility for data subjects that can be achieved through the creation of State level authorities. The proposed constitution and qualification of members of such benches is provided in our response to Q.4 from the same section.
4. Should appeals from a decision of the adjudicating officer lie with an existing appellate forum, such as the Appellate Tribunal (TDSAT)?
No. The TDSAT’s primary mandate is to serve as the appellate authority for telecom-related disputes and as such, it is not well-placed to hear appeals on determinations made by the data protection authority. Additionally, as concerns have already been raised about the TDSAT’s ability to take over the functions of the now defunct Cyber Appellate Tribunal, vesting it with the responsibility of hearing appeals from yet another authority from a distinct regulatory domain would only worsen the situation.
5. If not the Appellate Tribunal, then what should be the constitution of the appellate authority?
We propose that appeals against decisions made by the data protection authority must lie directly to the respective High Court of the jurisdiction in which the bench that made the decision is situated.
6. What are the instances where the appellate authority should be conferred with original jurisdiction? For instance, adjudication of disputes arising between two or more data controllers, or between a data controller and a group of individuals, or between two or more individuals.
We do not feel that the appellate authority i.e. the High Court needs to be conferred original jurisdiction in any instance. The data protection authority already comprises technical and legal members who are capable of disposing off complaints without needing to refer them to a higher authority.
7. How can digital mechanisms of adjudication and redressal (e.g. e-filing, video conferencing etc.) be incorporated in the proposed framework?
Provisions could be made allowing the use of digital technologies in the adjudication process followed by the data protection authority. E-filing of complaints, remote hearing of arguments from data subjects and controllers situated outside of applicable regional/national boundaries, and e-delivery of adjudicatory decisions will all serve to streamline the adjudication and redressal processes and achieve maximum efficiency.
8. Should the data protection authority be given the power to grant compensation to an individual?
Yes, the authority should be able to award compensations to complainants.
9. Should there be a cap (e.g. up to Rs. 5 crores) on the amount of compensation which may be granted by the data protection authority?
No, there is no need to impose a cap on the quantum of compensation that may be granted by the authority. If the authority is empowered to impose the highest possible civil penalties on controllers for violation of data protection obligations, it naturally follows that it must also be empowered to award any amount of compensation to data subjects as it deems fit.
10. Can an appeal from an order of the data protection authority granting compensation lie with the National Consumer Disputes Redressal Commission?
No, appeals from such orders should lie before the High Court, same as with any other civil penalty imposed by the authority. The NCDRC, like the TDSAT, has a mandate that does not cover data protection and it would therefore be imprudent to refer appeals against determinations made by the data protection authority to the NCDRC.
11. Should any claim for compensation lie with the district commissions and/or the state commissions set under the COPRA at any stage?
No. As state previously, there must be no limits on the amount of compensation that the data protection authority is allowed to award. Moreover, district and state Consumer Dispute Redressal Commissions, like the NCDRC, is ill-suited to hear claims in data protection disputes. All compensation claims should lie directly before the data protection authority at the first instance.
12. In cases where compensation claimed by an individual exceeds the prescribed cap, should compensation claim lie directly with the National Consumer Disputes Redressal Commission?
No. As explained in the preceding responses, all compensation claims should lie directly before the data protection authority at the first instance.
13. Should class action suits be permitted?
Class action suits are particularly relevant in context of data protection, as failure by data controllers to adhere to data protection obligations is likely to affect a large number of data subjects at once. For instance, if a controller fails to implement adequate security safeguards, as a result of which it suffers a serious data breach leading to the leakage of personal data of all its data subjects, every individual affected by the breach would have an equal claim to legal remedy. Rather than entertain each complaint in such cases separately, class action suits would allow the data protection authority and the courts to dispose off the matter expeditiously. Section 245 of the Companies Act, 2013 envisages a similar scheme that permits individuals to bring a class action claim when dissatisfied management of a company.
A. Civil Penalties
1. What are your views on the above?
Imposition of civil penalties ensures compliance with the law and acts as a deterrent to data controllers and data processors from violating the provisions of the law. One of the distinguishing features of the new General Data Protection Regulation from the previous Data Protection directive is that it dramatically increases sanctions for violations of the law. The Indian Data Protection Act should adopt a similar model and prescribe a certain percentage of the worldwide turnover of the defaulting data controller along with a fixed upper limit (whichever is higher) as civil penalty.
Civil penalty should also include injunctions i.e complete stop of practices and imposition of damages on the data controller to compensate the data subject.
2. What are the different types of data protection violations for which a civil penalty may be prescribed?
Civil penalty may be imposed on data controllers/processors for violation of any provision under the Data Protection Act. A non exhaustive list of the different kinds of violations for which a civil penalty may be prescribed are:
- Non compliance with approved codes of conduct
- Not taking enough technical/organizational measures to protect personal data or sensitive personal data (Higher standards in case of sensitive data)
- Non adherence to basic principles of data protection, like notice and consent, purpose limitation, among others
- Non adherence to data transfer principles
- Non compliance with an order of the data protection authority
3. Should the standard adopted by an adjudicating authority while determining liability of a data controller for a data protection breach be strict liability? Should strict liability of a data controller instead be stipulated only where data protection breach occurs while processing sensitive personal data?
Considering the greater likelihood of harm resulting from the leak of sensitive personal data, there should be strict liability imposed where a data breach occurs while processing sensitive personal data. For other kinds of breaches, the data protection authority can evaluate the aggravating and mitigating factors to determine liability, as laid down in the next answer.
4. In view of the above models, how should civil penalties be determined or calculated for a data protection framework?
Civil penalties may be decided by the Data Protection Authority and should be “effective, proportionate and dissuasive.[Article 83(1), GDPR] Penalties may be determined by assessing mitigating and aggravating factors related to a data brach or leak. While deciding the quantum of penalty, the Authority shall give regard to the following factors:[Article 83(2), GDPR]
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the Data Protection Authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures by the Data Protection Authority have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
5. Should civil penalties be linked to a certain percentage of the total worldwide turnover of the defaulting data controller (of the preceding financial year as in EU GDPR) or should it be a fixed upper limit prescribed under law?
The law should incorporate both i.e a certain percentage of the total worldwide turnover of the defaulting data controller and a fixed upper limit prescribed under law, whichever is higher.
6. Should the turnover (referred to in the above question) be the worldwide turnover (of preceding financial year) or the turnover linked to the processing activity pursuant to a data protection breach?
Though it seems fair, but calculation of penalty on the basis of the turnover linked to a particular processing activity can be complicated and not easily discernible. Therefore, it is advised that worldwide turnover of the preceding financial year maybe referred to.
7. Where civil penalties are proposed to be linked to a percentage of the worldwide turnover (of the preceding financial year) of the defaulting data controller, what should be the value of such percentage? Should it be prescribed under the law or should it be determined by the adjudicating authority?
India is one of the biggest markets for big data controllers like Facebook and Google. Facebook has the highest number of Indian users after USA. The upper limit of 4% and 20,000,000 euros, as prescribed in the GDPR might not be sufficient to act as effective deterrence against data controllers and processors from violations of the law and should be raised.
The upper limit on the percentage of civil penalties should be prescribed by the law. The quantum for each case should be decided by the data protection authority.
8. Should limit of civil penalty imposed vary for different categories of data controllers (where such data controllers are categorised based on the volume of personal data processed, high turnover due to data processing operations, or use of new technology for processing)?
Civil penalty may not be categorised on the basis of different categories of data controllers, but should be calculated on the basis of the type of data breach.
9. Depending on the civil penalty model proposed to be adopted, what type of factors should be considered by an adjudicating body while determining the quantum of civil penalty to be imposed?
The adjudicating body can assess the following factors while determining the quantum of civil penalty:[Article 83(2)]
- the nature, gravity and duration of the infringement having regard to the nature, scope or purpose of the processing concerned as well as the number of data subjects and level of damage suffered by them;
- whether the infringement is intentional or negligent;
- actions taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor;
- any relevant previous infringements;
- the degree of co-operation with the supervisory authority;
- categories of personal data affected;
- whether the infringement was notified by the controller or processor to the supervisory authority;
- any previous history of enforcement;
- adherence to approved codes of conduct ; and
- any other aggravating or mitigating factors applicable to the circumstances of the case (e.g. financial benefits gained, losses avoided, directly or indirectly, from the infringement)
10. Should there be a provision for blocking market access of a defaulting data controller in case of non-payment of penalty? What would be the implications of such a measure?
Data controllers that fail to pay penalty against may be temporarily prevented from operating in India or targeting Indian users.
This could create a deterrent effect and ensure compliance with the law.
11. Are there any alternative views on penalties other than the ones mentioned above?
1. What is the nature, type and extent of loss or damage suffered by an individual in relation to which she may seek compensation under a data protection legal regime?
Under the EU regulation, compensation is granted for material or non-material damage suffered by a person as a result of the infringement of the regulations.[Article 82, GDPR.] As per the Australian Privacy Act [Section 52(1AB), Privacy Act, 1988.], any loss or damage suffered by an individual includes, for the purposes of compensation, injury to the feelings of the individual as well as the humiliation suffered by him. Similarly, in Canada, damages awarded by the court include the damages for any humiliation that the complainant has suffered.[Section 16(c), PIPEDA.]
Thus, in order to properly protect individuals, they should be entitled to compensation for any action or inaction of a data controller or any breach that results in a financial loss, risk of identity theft, mental distress, or reputational harm.
2. What are the factors and guidelines that may be considered while calculating compensation for breach of data protection obligations?
While the South African law provides that the amount awarded by the court be just and equitable[Section 99, Protection of Personal Information Act, 2013.], Australia [Article 80W, Privacy Act, 1988.] takes into consideration the nature and extent of contravention; nature and extent of any loss or damage suffered due to contravention; circumstances in which the contravention took place; and previous contraventions by the entity.
The European Union Regulations provide an exhaustive list [Article 83(2), EU GDPR.] of the factors that may be taken into consideration while calculating compensation for violation of data protection obligations. These factors have also been elaborately discussed in answer to Question 4 of Chapter IV-Remedies- Civil Penalties.
Adhering to these guidelines and including them in the proposed legislation will help in granting fair compensation to the affected data subjects by clearly specifying to the authority the various aspects that they should take into consideration.
3. What are the mitigating circumstances (in relation to the defaulting party) that may be considered while calculating compensation for breach of data protection obligations?
While calculating compensation for breach of data protection obligations, following mitigating circumstances can be considered:
- Whether immediate and reasonable steps were taken to prevent or reduce harm due to breach.
- Whether corrective measures were taken to limit the impact of the breach or to stop the continuation of the breach.
- How soon was a breach disclosed to the authority, and where required, to the data subjects. A breach should ideally be notified to the authority and data subjects as soon as may be possible, and in no circumstance should this be done in more than 72 hours after the breach came into notice of the data controller.
- Cooperation of the data controller with the authority. Whether the data controller made a full and true disclosure with respect to the said breach or lapse of obligations.
- Whether the measures undertaken complied with the guidelines issued by the authority.
4. Should there be an obligation cast upon a data controller to grant compensation on its own to an individual upon detection of significant harm caused to such individual due to data protection breach by such data controller (without the individual taking recourse to the adjudicatory mechanism)? What should constitute significant harm?
No, the data controller should not be under an obligation to grant suo-motu compensation to data subjects upon detection of breach of sensitive personal data or information. The decision on the amount of compensation to be paid to data subjects should not be left on data controllers. It would be difficult for data controller to ascertain the amount of compensation to be paid in case of significant harm. Therefore, proper authority to decide and grant compensation to the affected data subjects should be the data protection authority.
5. Are there any alternative views other than the ones mentioned above?
1. What are the types of acts relating to the processing of personal data which may be considered as offences for which criminal liability may be triggered?
The proposed legislation could have offences similar to those provided under Section 55 of UK Data Protection Act, 1998 and Section 106 of South Africa Protection of Personal Information Act, 2013. Individual acts of obtaining, disclosing or procuring the disclosure of personal information, knowingly or recklessly, should be regarded as offence attracting criminal liability if, at the time of committing the act, the data controller did not have reason to believe that valid consent of data subject had been obtained. Selling or offering to sell personal data which has been obtained or is subsequently obtained by the above-mentioned modes should also be considered offences invoking criminal liability. It should be explicitly clarified that an advertisement indicating that personal data is or may be available for sale would constitute an offer to sell.
2. What are the penalties for unauthorised sharing of personal data to be imposed on the data controller as well as on the recipient of the data?
While the penalties should be imposed on the data controller for unauthorised sharing of personal data as mentioned in the previous answer, it is to be noted that these penalties would lie only in cases of wilful sharing wherein the data controller knowingly or recklessly shares such data.
For the purpose of deciding penalties, reference may be made to Section 72A of Information Technology Act, 2000 which provides punishment for disclosure of information in breach of lawful contract in the form of imprisonment or fine or both. Similar penalties should be imposed on the recipients of such data.
3. What is the quantum of fines and imprisonment that may be imposed in all cases?
Reference may be made here to the law in European Union where the objective is to pose a suitable deterrence to large data collectors but not to impede small data collectors. For this purpose, maximum quantum of 4% of the global turnover in the preceding year or 20 million Euros, whichever is higher, has been prescribed. This is the maximum fine, not the standard fine. The quantum of fine will be calculated on a case-by-case basis once the regulations comes into force.
The quantum of maximum fine should not be set at too low a limit in the data protection legislation so as to set up an effective and credible deterrence. A low, or seemingly reasonable hard limit on the maximum fine by today’s definition would probably become outdated in a few years’ time, unless it is linked to the turnover of the entity in question. Hence, it should be comparable to that envisaged by GDPR.
4. Should a higher quantum of fine and imprisonment be prescribed where the data involved is sensitive personal data?
Yes. Having regard to the nature, gravity and consequences of the offence so committed, the fines and imprisonment prescribed should accordingly be effective, proportionate and dissuasive. Due to its very nature, sensitive personal data has the potential to be used in a discriminatory manner against the data subject. Offences involving sensitive personal data can cause irreparable harm to the data subject. Therefore, it requires a higher degree of care and protection. Hence, a stringent penalty should be levied in cases involving sensitive personal data.
5. Who will investigate such offences?
In accordance with the Information Technology Act, 2000, a police officer not below the rank of Inspector can be conferred with the power to investigate the offences under the legislation.
Moreover, there should be a training for investigating officers to deal with data protection issues, in order to prepare them to understand and deal with issues of data security, privacy, data breaches, and other offences under the data protection legislation.
6. Should a data protection law itself set out all relevant offences in relation to which criminal liability may be imposed on a data controller or should the extant IT Act be amended to reflect this?
The offences mentioned under the Information Technology Act, 2000 deal primarily with intrusions into computers, monetary losses, and other actions that intentionally cause harm or unlawful gain. These provisions do not cover the vast majority of activities related to data protection. Such activities would require new offences to be created under the proposed law. There are very few data protection activities which already have an associated offence in the Information Technology Act apart from Sections 72 and 72A of the said Act. As such, the offences dealing with data protection under the IT Act need to be included in the new data protection legislation. This would provide an additional benefit of centralizing all the sections of law on data protection into one place, making it convenient for data controllers and data subjects, especially data controllers based outside the country, to know what their rights, obligations, duties and sanctions are under the proposed legislation.
7. Are there any alternative views other than the ones mentioned above?
Art 4(1) GDPR ↩︎
Art. 4(2) GDPR ↩︎
http://ec.europa.eu/justice/data-protection/article-29/documentation/other document/files/2013/20130227_statement_dp_annex2_en.pdf ↩︎
(1916) 40 Mad 308 ↩︎
Similarly in Great American Insurance Co Ltd v Mandanlal Sonulal, (1935) 59 Bom 656, Beaumont CJ of the Bombay High Court held that “The provisions of the law which make a contract by a minor not binding were no doubt intended to be for the benefit of the minors, and the courts in this country when faced with a contract which has been carried out by or on behalf of the minor, the performance of which by the other party is then resisted on the ground of minority, have struggled hard to avoid holding the contract wholly void to the detriment of the minor.” ↩︎
AIR 1924 Rang 136 ↩︎
30 IA 114: 30 Cal 539 (1903) ↩︎
(1912) 39 Cal 232 (PC) ↩︎
Pp. 5-6, Growing Up Digital: A report of the Growing Up Digital Taskforce, Children’s Commissioner for England, January 2017. Available at https://www.childrenscommissioner.gov.uk/publication/growing-up-digital/ (last accessed on January 24, 2018) ↩︎
AIR 1931 Bom 561 ↩︎
16 CFR Part 312. Available at https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule (Last accessed on 29 January 2018) ↩︎
Supra. X ↩︎
Article 29 Data Protection Working Party, Opinion 03/2013 on Purpose Limitation (April 2, 2013), 00569/13/EN (WP 203), available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf, last accessed on January 24, 2018 ↩︎
Greenleaf, Graham, Data Protection: A Necessary Part of India’s Fundamental Inalienable Right of Privacy – Submission on the White Paper of the Committee of Experts on a Data Protection Framework for India (January 16, 2018), available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3102810, last accessed on January 25, 2018 ↩︎
See response to Q.4, Part II, Chapter 4 ↩︎
Article 9, GDPR; available at: http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf, last accessed on January 29, 2018 ↩︎
Schedule 1r/w Schedule 3, DPA; available at: https://www.legislation.gov.uk/ukpga/1998/29/contents, last accessed on January 29, 2018 ↩︎
Section 26 r/w Section 27, POPI; available at: https://www.saica.co.za/Portals/0/Technical/LegalAndGovernance/37067_26_11_Act4of2013ProtectionOfPersonalInfor_correct.pdf, last accessed on January 29, 2018 ↩︎
UK Information Commissioner’s Office, Keeping personal data accurate and up to date, available at: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-4-accuracy/, last accessed on January 20, 2018 ↩︎
Bruce Shneier, Why ‘Anonymous’ Data Sometimes Isn’t, Wired, December 12, 2007, available at: https://www.wired.com/2007/12/why-anonymous-data-sometimes-isnt/, last accessed on January 20, 2018 ↩︎
Supra. X - Greenleaf ↩︎
Supra. X ↩︎
R Bucklin, D Lehmann, J Little, From Decision Support to Decision Automation: A 2020 Vision, Marketing Letters 9:3 (1998), p. 235, available at: https://www0.gsb.columbia.edu/mygsb/faculty/research/pubfiles/950/950.pdf, last accessed on January 25, 2018 ↩︎
Muge Fazlioglu, Forget me not: the clash of the right to be forgotten and freedom of expression on the Internet, International Data Privacy Law, 2013, Vol. 3, No. 3, available at: http://bit.ly/2Fsaph0, last accessed on January 30, 2018 ↩︎
Kamara, I., "Co-regulation in EU personal data protection: the case of technical standards and the privacy by design standardisation 'mandate'", in European Journal of Law and Technology, Vol 8, No 1, 2017. ↩︎
Phaedra, Improving Practical and Helpful cooperation between Data Protection Authorities, Workstream 4: Findings and Recommendations, (2015), http://www.phaedra-project.eu/wp-content/uploads/Findings-and-recommendations-18-Jan-2015.pdf (last visited on 31.1.18) ↩︎
(Hirsch, 2013, p. 1043) ↩︎
Kamara, I., "Co-regulation in EU personal data protection: the case of technical standards and the privacy by design standardisation 'mandate'", in European Journal of Law and Technology, Vol 8, No 1, 2017. ↩︎
The National Internet Advisory Committee Legal Subcommittee, Report On A Model Data Protection Code For The Private Sector, http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN012665.pdf, (last visited on 31.1.2018) ↩︎
Report of the Group of Experts on Privacy, (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court) ↩︎
K.S Puttaswamy vs. Union of India. SC 2017 ↩︎
Referred to GDPR and POPI Act for best practices ↩︎
Cl (2) of Article 40 of GDPR ↩︎
Article 4(12) of EU GDPR ↩︎
Article 33 EU GDPR ↩︎
Article 34 EU GDPR ↩︎
Legal Altert on Draft Regulation on Data Controller Registry, available at: http://kvkk.gov.tr/docs/DraftRegulationontheDataControllerRegistration.pdf, last accessed on January 25, 2018 ↩︎
See Application for Registration as a Data Controller issued by the Irish Data Protection Commissioner, available at: https://www.dataprotection.ie/documents/forms/DPA1new_eng.pdf, last accessed on January 28. 2018 ↩︎
Article 35, GDPR ↩︎
Article 35 and Recital 91, GDPR ↩︎
Matthew C. Oldhouser, The Effects of Emerging Technologies on Data in Auditing, University of South Carolina – Columbia, May 2016, available at: https://scholarcommons.sc.edu/cgi/viewcontent.cgi?article=1069&context=senior_theses, last accessed on January 31, 2018 ↩︎
Article 37, GDPR ↩︎
Article 39, GDPR ↩︎
The ‘one stop shop’ from a German perspective, Paul Voigt, April 2016. Available at https://united-kingdom.taylorwessing.com/globaldatahub/article-one-stop-shop-german-view.html (Last accessed on 29 January 2018). ↩︎
See Section 15 of the Competition Act, 2002 and Section 10 of the Electricity Regulatory Commissions Act, 1998. ↩︎