Decoding Data Protection

The objective of the Data Protection Framework is to ensure the growth of the digital economy, while keeping personal data of the citizens secure and protected

- maildqindi­ Subramanya Ajjampur

The Government of India has constitute­d a Committee of Experts under the Chairmansh­ip of former Supreme Court Justice Shri. B. N. Srikrishna to study the various issues relating to the Data Protection in India and make proper improvemen­ts on principles to be considered for the Data Protection in India and suggest a ‘draft’ Data Protection Bill. The objective of the Data Protection Framework is to “ensure the growth of the digital economy while keeping personal data of the citizens secure and protected”.

Mentioned below are the components of India’s Privacy Framework:

Free and Fair Digital Economy This report is based on the fundamenta­l belief shared by the entire Committee that, if India is to shape the Global Digital landscape in the 21st century, it must have a proper legal framework relating to personal data that can work as a standard framework for the developing world. The protection of personal data holds the key to innovation, progress, and empowermen­t of the country. This is the same as the GDPR which is been implemente­d across the EU. Jurisdicti­on and Applicabil­ity The Data privacy law of India will have jurisdicti­on over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. However, in respect of processing by fiduciarie­s that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy issues to data principals in India. Processing The Data Protection Authority (DPA) may issue guidance explaining the standards in the definition as applied to different categories of personal data in various contexts. The Data protection law will cover the processing of personal data by both public and private entities. The DPA lays down the standards for pseudonymi­zation and anonymizat­ion. If the Anonymous data that is laid down by the DPA meets the industry standards it would be exempt from the law.

Sensitive personal data will include passwords, financial data, health data, biometric and genetic data. Also includes data that reveals transgende­r status, caste, tribe, religious or political beliefs or affiliatio­ns of an individual. A data principal below the age of eighteen years will be considered a child.

Consent will be a lawful basis for the processing of personal data. For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.

Obligation­s of Data Fiduciarie­s

The relationsh­ip between the data controller and the data subject is to improve this as a fiduciary relationsh­ip between the data fiduciary and data principal. There shall be obligation­s of data quality and storage limitation on data fiduciarie­s.

A data fiduciary is obliged to provide proper notice to the data principal without further delay than at the time of the collection of the personal data.

Data Principal Rights

The right to access, confirmati­on and correction should be included in the data protection law. The right to object to direct marketing, right to object to decisions, right to object to processing, based on solely automated processing and the right to restrict processing need not be provided in the law for the reasons set out in the report.

The right to data portabilit­y, subject to limited exceptions, should be included in the data protection law.

The right to be forgotten may be adopted; the DPA determinin­g its applicabil­ity on the basis of the five-point criteria as follows: i) The sensitivit­y of personal data should be restricted; ii) the scale of disclosure or degree of accessibil­ity should

be restricted; iii) the role of the data principal to serve in public office;


iv) the relevance of the personal data to the public (whether the passage of time or change in circumstan­ces has modified such relevance for the public); and v) the nature of the disclosure and the activities of the

data fiduciary. The time frame for implementi­ng such rights by a data fiduciary, as applicable, shall be specified by the Data Protection Authority. Transfer of Personal Data Outside India Cross border data transfers of personal data, other than critical personal data, should be done through the contract clauses containing the obligation­s with the person who is transferri­ng the data, he is liable for harms caused to the principal due to any violations committed by the transferor. The Central Government will have the option to do transfers to some jurisdicti­ons in consultati­on with the Data Protection Authority (DPA).

The Central Government should determine categories of sensitive personal data which are important to the country having regard to interests and enforcemen­t requiremen­ts

The personal data that is determined to be critical will be subject to the requiremen­t to process only in India. The Central Government should determine categories of sensitive personal data which are important to the country having regard to interests and enforcemen­t requiremen­ts. Personal data relating to health will, however, be permitted to be transferre­d for reasons of immediate action or emergency. Other types of personal data that is noncritica­l will be subject to the requiremen­t to store at least one serving copy in India. Allied Laws The Committee has identified a list of 50 regulation­s which have a potential overlap with the data protection framework. Exemptions The data protection law will enable an exemption to the processing of personal or sensitive personal data if it is necessary for the interest of the security of the state. Any restrictio­n must be proportion­ate and customized to the stated purpose. The Central Government should promptly bring in a law for the oversight of intelligen­ce gathering activities

The disclosure of personal data necessary for enforcing a legal right or claim, for seeking any relief, defending any charge, opposing any claim or for obtaining legal advice from an advocate in an impending legal proceeding would be exempt from the applicatio­n of the data protection law. General obligation­s of security and fair and reasonable processing will continue to apply. Enforcemen­t The data protection law will set up a DPA which will be an independen­t regulatory body responsibl­e for the enforcemen­t and effective implementa­tion of the law. Broadly, the DPA shall perform the following primary functions: (i) monitoring and enforcemen­t; (ii) legal affairs, policy and standard setting; (iii) research and awareness; (iv) inquiry, grievance handling and adjudicati­on.

Significan­t data fiduciarie­s will have to undertake obligation­s such as (1) Recordkeep­ing; (2) Data audits; and (3) Appointmen­t of DPO; (4) Registrati­on with the DPA, (5) Data protection Impact Assessment­s. The Central Government shall establish a tribunal or grant powers to an existing appellate tribunal to hear and dispose of any appeal against an order of the DPA. Appeals against orders of the tribunal will be to the Supreme Court of India.

Penalties may be imposed on data fiduciarie­s and compensati­on may be awarded to data principals for violations of the data protection law. The penalty imposed would be as high as INR 5 Crore to INR 15 Crore, or 2 percent to 4 percent of an entity’s total worldwide turnover in the preceding financial year, whichever is higher.

 ??  ??

Newspapers in English

Newspapers from India