Data Protection Framework for India

On 24 August 2017, a nine-judge bench of the Supreme Court of India (Supreme Court) declared privacy as a fundamental right protected under the Indian Constitution (Privacy Judgment)[1]. The Supreme Court while holding the right to privacy as an intrinsic part of the right to life and personal liberty, and informational privacy as a facet of the right to privacy; highlighted the need for government to examine and enforce a robust regime for data protection.

The Supreme Court suggested balance between data regulation and personal privacy as there are legitimate state concerns (like protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits)on one hand and individual interests in the protection of privacy on the other. Appreciating the complexity of all these issues, the Supreme Court (upon being informed of the constitution of an expert committee chaired by Hon’ble Shri Justice B.N. Srikrishna, former Judge of Supreme Court), left the matter for determination by the said expert committee (Expert Committee), which was required to give due regard to what the Supreme Court had held in the Privacy Judgment.

To accomplish the purpose of designing a carefully structured regime for data protection, a “White Paper of the Committee of Experts on a Data Protection Framework for India” (White Paper) was recently released to solicit comments from the public. Bearing in mind the fact that individual privacy is a fundamental right limited by reasonable restrictions, the committee has recommended a nuanced approach towards data protection in India.

The paper proposes seven principles on which the data protection framework in India must be based: technology agnosticism; holistic application; informed consent; data minimisation; controller accountability; structured enforcement; and deterrent penalties.

This update briefly captures the key issues that a majority of the members of the Expert Committee thought was required to be incorporated into law, including experiences of other jurisdictions as well as questions for public. Upon receipt of responses, the Expert Committee proposed to conduct consultations with, inter-alia, stakeholders. This White Paper and the potential implications of the data protection framework in India (once adopted), may result in the overhauling of the way businesses operate in India. The Expert Committee has accordingly framed its queries around the following key issues:

  • Territorial Jurisdiction: The borderless nature of the internet raises several jurisdictional issues in data protection. A single act of processing personal data could very easily occur across multiple jurisdictions. Therefore, it is very important to determine the territorial scope of the legislation. One of the suggestions given in the White Paper is to make the law applicable to any entity, no matter where they may be located, processing personal data of Indian citizens. This is an important suggestion, as it puts the data squarely at the center of the legislation, ensuring that the law is applicable to anyone who would process personal data of the data subject.
  • Personal Data and Sensitive Data: The purpose of data protection legislation is to ensure that an individual’s identity is protected by protecting his or her personal data. Accordingly, to define personal data or information it is necessary to demarcate the facts, details or opinions that bear relationship with a person’s identity. This identifiability may be direct or indirect. However, one of the significant challenges highlighted in the White Paper pertains to the definition of personal data owing to modern technologies (and new devices) which collect newer forms of data from newer sources which may be unique. Also, the White Paper appreciates that Internet of Things pose a challenge to the degree of anonymity that can be achieved. Thus, recognizing of shortfalls of definitions of personal data which are structured around notion of information related to an identified person (or identifiable person), the White Paper rightly suggests a need to construct a definition of personal data, which may have to be guided by codes of practice or guidance notes – indicating the boundaries of personal information having regard to the state of the technology.
  • Exemptions: Certain data or activities form an important part of any data protection legislation. In this regard, the White Paper clarifies that certain exemptions may be granted by keeping certain activities outside the purview of data protection law. One of the major exemption in this regard is activities carried out in the national interest. However, in this regard, the White Paper clarifies that the exemption must be defined to ensure that processing of data is done only for stated purposes and that certain safeguards/procedures are included in the data protection legislation so that there is no misuse of the exemption granted, especially to the enforcement agencies.
  • Data Localisation: Data localisation requires companies to store and process data on servers physically located within the national borders of the country. Though this prevents foreign surveillance, easy access to data by enforcement agencies, and protection of rights of data subjects, it puts a huge burden on the industry in the form of heavy investment for setting up servers in India. Therefore, as suggested by the White Paper , it would be imperative for the government to take a view which carefully balances enforcement benefits of data localisation with the costs involved pursuant to such requirement.
  • Control Over Data: One of the significant issues covered by the Supreme Court in its Privacy Judgment is regarding the framework for an individual’s autonomy, based on consent. The White Paper, keeping in mind this Privacy Judgment, acknowledges consent as the foundation of the data protection law. Accordingly, the White Paper suggest that consent of individuals should be one of the grounds for collection and use of personal information. The White Paper recognizes that consent is operationalized through “notice and choice”; as notice is representation of terms of an agreement by the data controller and choice/ consent is acceptance of those terms of agreement by an autonomous person. One of the key questions on which opinion of public is sought pertains to the need for law to contain requirements regarding form and substance of the privacy notice.
  • Individual Participation Rights: One of the core principles of data privacy law is the individual participation principle, which stipulates that processing of personal data must be transparent to, and capable of being influenced by, the data subject. These rights ensure the individual has control over his or her personal data and are regarded as one of the most important privacy protection safeguards. One of these rights is the right to be forgotten, which has been adverted to by the Supreme Court in its recent Privacy Judgment upholding right to privacy.
  • Enforcement Tools: The White Paper suggests the use of regulatory tools and mechanisms, that may be used simultaneously to achieve different enforcement objectives. These tools may include the incorporation of a code of practice within the data protection framework, notification of breach of data where there is likelihood the privacy of the individual will be infringed, and establishing a separate authority for ensuring compliance with data protection laws.

The Bigger Picture

The views extrapolated in the White Paper appear to be deriving inspiration from international law and jurisprudence. The White Paper promises an exhaustive and robust data protection framework ensuring that India’s data protection law covers all aspects recognised in digitally developed jurisdictions across the globe. However, as stated by the Supreme Court, these regulations must reflect a balance between data regulation and individual privacy – a balance between the legitimate concerns of the State, on one hand, and individual interests in the protection of privacy, on the other .

* The author was assisted by Anu Monga, Director – Competition Practice.

[1] Justice K S Puttaswamy (Retd.), and Another v. Union of India and Others WP (C) No. 494 of 2012 Judgment dated 24 August 2017 – also at MANU/SC/1044/2017