Decoding Data Protection
The objective of the Data Protection Framework is to ensure the growth of the digital economy, while keeping personal data of the citizens secure and protected
The Government of India constituted a Committee of Experts under the chairmanship of former Supreme Court Justice B. N. Srikrishna to study the various issues relating to data protection in India, make specific suggestions on the principles to be considered for data protection in India, and suggest a draft Data Protection Bill. The objective of the Data Protection Framework is to “ensure the growth of the digital economy while keeping personal data of the citizens secure and protected”.
The components of India’s proposed privacy framework, as recommended in the Committee’s report, are set out below:
Free and Fair Digital Economy
The report rests on a belief shared by the entire Committee: if India is to shape the global digital landscape in the 21st century, it must have a sound legal framework for personal data, one that can serve as a model for the developing world. The protection of personal data holds the key to innovation, progress and empowerment of the country. In this respect the framework mirrors the GDPR, which has been implemented across the EU.
Jurisdiction and Applicability
India’s data privacy law will have jurisdiction over the processing of personal data if such data has been collected, used, shared, disclosed or otherwise processed in India. In respect of processing by fiduciaries not present in India, the law shall apply to those carrying on business in India or carrying out other activities, such as profiling, that could affect the privacy of data principals in India.
Processing
The data protection law will cover the processing of personal data by both public and private entities. The Data Protection Authority (DPA) may issue guidance explaining how the standards in the definition of processing apply to different categories of personal data in various contexts. The DPA will also lay down standards for pseudonymisation and anonymisation; data anonymised in accordance with those standards will be exempt from the law.
Sensitive personal data will include passwords, financial data, health data, and biometric and genetic data, as well as data that reveals the transgender status, caste, tribe, or religious or political beliefs or affiliations of an individual. A data principal below the age of eighteen years will be considered a child.
Consent will be a lawful basis for the processing of personal data. For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.
Obligations of Data Fiduciaries
The relationship between data controller and data subject is recast as a fiduciary relationship between the data fiduciary and the data principal. Data fiduciaries will be subject to obligations of data quality and storage limitation.
A data fiduciary is obliged to give the data principal proper notice no later than at the time the personal data is collected.
Data Principal Rights
The rights to confirmation, access and correction should be included in the data protection law. The right to object to processing, the right to object to direct marketing, the right to object to decisions based solely on automated processing, and the right to restrict processing need not be provided in the law, for the reasons set out in the report.
The right to data portability, subject to limited exceptions, should be included in the data protection law.
The right to be forgotten may be adopted, with the DPA determining its applicability on the basis of the following five-point criteria: i) the sensitivity of the personal data sought to be restricted; ii) the scale of disclosure or degree of accessibility sought to be restricted; iii) the role of the data principal in public life; iv) the relevance of the personal data to the public (whether the passage of time or a change in circumstances has modified such relevance); and v) the nature of the disclosure and the activities of the data fiduciary. The time frame within which a data fiduciary must give effect to such rights, as applicable, shall be specified by the Data Protection Authority.
“Consent will be a lawful basis for the processing of personal data. For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.” — Subramanya Ajjampur, Senior Practice Manager & Practice Lead for GDPR, Happiest Minds Technologies
Transfer of Personal Data Outside India
Cross-border transfers of personal data, other than critical personal data, should be made under contract clauses containing the key obligations, with the transferor remaining liable for harms caused to the data principal by any violations committed by the transferee. The Central Government may also, in consultation with the Data Protection Authority (DPA), permit transfers to certain jurisdictions.
The Central Government should determine the categories of sensitive personal data that are critical to the nation, having regard to the country’s interests and enforcement requirements. Personal data so determined to be critical will be subject to the requirement that it be processed only in India. Personal data relating to health will, however, be permitted to be transferred for reasons of prompt action or emergency. Other, non-critical personal data will be subject to the requirement that at least one serving copy be stored in India.
Allied Laws
The Committee has identified a list of 50 statutes and regulations that potentially overlap with the data protection framework.
Exemptions
The data protection law will allow an exemption for the processing of personal or sensitive personal data where it is necessary in the interest of the security of the state. Any such restriction must be proportionate and narrowly tailored to the stated purpose. The Central Government should promptly enact a law for the oversight of intelligence-gathering activities.
The disclosure of personal data necessary for enforcing a legal right or claim, seeking any relief, defending any charge, opposing any claim, or obtaining legal advice from an advocate in an impending legal proceeding would be exempt from the application of the data protection law. General obligations of security and of fair and reasonable processing will continue to apply.
Enforcement
The data protection law will set up a DPA, an independent regulatory body responsible for the enforcement and effective implementation of the law. Broadly, the DPA shall perform the following primary functions: (i) monitoring and enforcement; (ii) legal affairs, policy and standard setting; (iii) research and awareness; and (iv) inquiry, grievance handling and adjudication.
Significant data fiduciaries will have to undertake additional obligations: (1) record-keeping; (2) data audits; (3) appointment of a Data Protection Officer (DPO); (4) registration with the DPA; and (5) data protection impact assessments. The Central Government shall establish a tribunal, or grant powers to an existing appellate tribunal, to hear and dispose of appeals against orders of the DPA. Appeals against orders of the tribunal will lie to the Supreme Court of India.
Penalties may be imposed on data fiduciaries, and compensation may be awarded to data principals, for violations of the data protection law. Depending on the violation, the penalty may be as high as INR 5 crore or 2 percent of the entity’s total worldwide turnover in the preceding financial year, or INR 15 crore or 4 percent of that turnover, in each case whichever is higher.