On 27th November 2017, the Committee of Experts on Data Protection for India chaired by former Supreme Court Judge Justice B.N Srikrishna released a White Paper on Data Protection Framework for India.

The Deadline for submission of comments has passed.

The Committee has invited response from the public for 231 questions spanning a range of different topics including the definitions of terms such as personal data, sensitive personal data, processing, data controller and processor; the purposes for which exemptions should be available; cross border flow of data; data localization; consent, with separate questions for child's consent; notice; data breach notification; right to be forgotten; and more. The full list of categories can be read below.

The white paper states that:

The objective is to "ensure growth of the digital economy while keeping personal data of citizens secure and protected."

A consolidated list of all the questions is available under Part V of the White Paper, from page 204 to page 233. We recommend reading the entire white paper, or at least the parts relevant to the questions that you would like to answer, before you answer any question. Some resources on the issue of privacy and data protection are available on our own website.

The Committee has released a set of guidelines to submit comments. The paper asks for comments to be submitted through a web form available here. Alternatively, you can send your comments in a written form to:
Shri Rakesh Maheshwari, Scientist G & Group Co-ordinatory, Cyber Laws
Ministry of Electronics and Information Technology (MeitY)
Electronics Niketan,6, CGO Complex,
Lodhi Road, New Delhi-110003

A list of all questions asked in the consultation paper can be accessed here.

The key issues on which questions are asked in the paper are:

Scope and Exemptions

  1. Territorial and Personal Scope
  2. Other Issues of Scope
  3. Definition of Personal Data
  4. Definition of Sensitive Personal Data
  5. Definition of Processing
  6. Definition of Data Controller and Processor
  7. Exemptions
  8. Cross Border Flow of Data
  9. Data Localisation
  10. Allied Laws

Grounds of Processing,Obligation on Entities And Individual Rights

  1. Consent
  2. Child’s Consent
  3. Notice
  4. Other Grounds of Processing
  5. Purpose Specification and Use Limitation
  6. Processing of sensitive personal data
  7. Storage Limitation and Data Quality
  8. Individual Participation Rights-1
  9. Individual Participation Rights-2
  10. Individual Participation Rights-3: Right to be forgotten

Regulation and Enforcement

  1. Enforcement Models
  2. Accountability and Enforcement Tools
    2.1 Accountability
    2.2 Enforcement Tools:
    2.2.1 Codes of Practice
    2.2.2 Personal Data Breach Notification
    2.2.3 Categorisation of Data Controllers
    2.2.4 Data Protection Authority
  3. Adjudication Process
  4. Remedies
    4.1 Penalties
    4.2 Compensation
    4.3 Offences