The Government of India constituted a Committee of Experts on July 31st, 2017 under the Chairmanship of former Supreme Court justice B.N. Srikrishna with the objective to identify and study the key issues relating to data protection in India and make specific suggestions on principles to be considered for data protection in India and suggest a draft Data Protection Bill. The “White Paper of The Committee of Experts on A Data Protection Framework for India” was released by the Ministry of Electronics and Information Technology on November 27th, 2017. This white paper is the first step on the part of the Union Government to put in place a robust data protection regime to ensure data protection against the dangers posed to an individual’s privacy by state and non-state actors.
The White Paper is divided into approximately 23 chapters. The Committee has provided provisional views and raised several questions on which it has invited comments and responses from all stakeholders across all fields. Comments are required to be submitted by December 31st, 2017. A copy of the White Paper is available here. The aim of the Committee is to consolidate these responses to understand the shape and purpose which the sui generis data protection law of India must take.
Of importance is the provisional conclusion of the Committee in chapter 1 of Part IV of the report, where it has been proposed to have a “co-regulation” model / approach to data protection laws, which would be a hybrid between a “command and control” model and a “self-regulation” model.
The Committee of Experts is of the view that data protection laws must account for subjective as well as objective harms which arise from unregulated collection and use of personal information. The Committee has taken a comparative approach, considering the data protection laws and practices in various jurisdictions like the US, EU, Japan, Singapore, Australia and Canada. But the two main models of data protection which the Committee has considered are the EU and US models of data protection. The white paper is divided into three substantive parts: “Scope and Exemptions”, “Grounds of Processing, Obligation on Entities and Individual Rights” and “Regulation and Enforcement”.
The Committee has brought out seven principles on which the data protection regime in India must be based. They are:
1. Technology agnosticism - i.e. flexibility to address changing technologies and standards of compliance. This is brought out by the fact that the white paper suggests an all-encompassing definition for “personal data” as data about/relating to an individual from which an individual is identified or identifiable/reasonably identifiable. It suggests that “sensitive personal data” may include “health information, genetic information, religious beliefs and affiliations, sexual orientation, racial and ethnic origin, caste information, financial information”. This closely reflects the current standard under the Information Technology Act, 2000. This also implies that the proposed law is not intended to cover data of companies (as opposed to individuals). The white paper suggests attributing a wide definition to the term “data processing” to include all existing operations of processing such as collection, use and disclosure of data, and at the same time leaves room to incorporate new operations by way of interpretation.
2. Holistic application – The white paper suggests that data protection laws must apply to both private sector entities as well as the government. However, in case of processing of data by the government, certain obligations or exceptions may be carved out for certain legitimate purposes.
3. Informed consent - Consent is a pivotal principle for all the international data protection practices. The Committee has acknowledged this fact and stated that the consent of individuals must be one of the grounds for collection and use of personal data. The white paper highlights the need for methods for effectively ensuring parental consent for protecting young children from privacy harms, even suggesting carving out distinct provisions within the data protection law, which prohibit the processing of children’s personal data for potentially harmful purposes.
4. Data minimization – The foremost objective of data protection laws is that individuals retain control over the way their personal data is collected, used and disclosed. The white paper suggests developing standards for data minimization and providing guidance to data controllers in this regard. The basic aim is that there ought to be minimal data processing, and only where it is necessary for the purposes for which such data is sought.
5. Controller accountability – The white paper brings in the concepts of “data controller” and “data processor” to ensure accountability by creating obligations in law on both bodies, each of which shall be held accountable for any processing of data, whether by itself or by entities with whom it may have shared the data for processing.
6. Structured enforcement – Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralized enforcement mechanisms.
7. Deterrent penalties – The white paper suggests stringent penalties and a term of imprisonment that is higher in quantum than that provided in the Information Technology Act, 2000. The aim is to penalize wrongful processing of personal data to ensure deterrence.