Last week, the period for the public to respond with comments on the White Paper of the Committee of Experts on a Data Protection Framework for India (the White Paper) ended. The document was released on 27 November 2017 by the Committee of Experts to deliberate on a data protection framework for the country, established by the Ministry for Electronics and Information Technology (the Committee). It posed several foundational questions on key issues in data protection, and presented the provisional views of the Committee on these matters.
In this post, we briefly summarise nine distinguishing points from our response to the Committee. Our complete responses are available here. We also now present a skeletal legislative document here that articulates the views presented in our response to the Committee. This is a working document that binds together our thinking on various elements of data protection (like definitions, standards, rights, obligations and remedies) to present an integrated approach. We recognise our limitations in legislative form and drafting, and welcome feedback and comments on this as a learning document to refine our thinking.
A new model to rethink data protection in India
In our response to the Committee, we re-iterated the User Data Rights approach that we have previously written about. This approach looks past a consent-led approach to data protection, and seeks to embed a bundle of rights for all individuals with respect to their personally identifiable data that apply even where consent has been validly obtained for data collection. We also propose a contextual “legitimate purpose” test for India that must be applied by all entities who will have new obligations under such a regime, to allow the proper exercise of individuals’ data rights. In addition, we propose a model for supervision and enforcement that uses the full range of regulatory tools, before and after a data breach. The nine points below set out the highlights of our mental model for a future data protection framework for India.
1) Scope: We propose that the law should apply to private and public entities. Foreign entities should be caught by the law in circumstances where (i) they conduct business in India, (ii) process personal data from India or (iii) process data for an Indian controller outside India. We also propose that the law should afford protections to all natural persons (citizens and residents) present in India.
2) A single standard for personal data protection: We propose that all personally identifiable data should be protected at the same level by the future data protection law. Personally identifiable information should not be categorised into “sensitive personal” data and “personal data” (as currently contemplated by the White Paper) which results in each category getting different levels of protection. This is important given that the sensitivity of data is heavily contextual and modern data aggregation technologies are capable of revealing sensitive information from the processing of seemingly non-sensitive personal data. Simultaneously, we propose that de-identified personal data should therefore not be caught by this future law i.e. if data is anonymised or otherwise de-identified it should not attract any obligations under a future regime.
3) A test of “Legitimate purpose” should be the primary grounds for processing data in each stage of the data life-cycle. Under this approach, personal data would only be collected, processed, shared or retained if this test was met. The test requires personal data use to be lawful, necessary for the provision of the good or service, and proportionate i.e. balanced against the rights of the individual. Section 2, clause q on page 3 of our draft legislative document proposes some language for a test in Indian law on which we welcome comments and feedback (also presented on page 40 of our responses, to question 1, Chapter 4, Part III of the White Paper).
4) Consent: While we propose that the test of legitimate purpose should be the primary ground for processing, consent should remain an important part of a future data protection regime. In our model, consent should only be requested if there is a legitimate purpose to collect the personal data in question. Consent and the associated privacy notice would then empower individuals and provide them with information regarding the use of their personal data, their various rights and an option to opt-out of the proposed use of their data.
5) Individuals’ data rights: We propose that the future law should guarantee a bundle of rights to individuals. This would require entities to manage their data practices in a manner that is consistent with these rights. We propose that the future law should provide the following rights, (also incorporated in chapter 2 of our draft legislative document).
i) Right to consent for collection of personal data
ii) Right to processing for legitimate purposes only
iii) Right to adequate data security
iv) Right against disclosure of personal data
v) Right to access personal data
vi) Right to correction of personal data
vii) Right to data portability
viii) Rights related to automated decision making
ix) Right against harm
x) Right to informational privacy
xi) Right to a clear, plain and understandable privacy notice
xii) Right to privacy by design
xiii) Right to breach notification
An important proposal in our response is to provide individuals a right against harm and a right to informational privacy. Further details on our proposal on harm is available at section 13, page 13 and on informational privacy at section 14, page 13 of our draft legislative document.
6) Responsive regulation: The regulatory structure proposed is based on the theory of responsive regulation which is a dynamic and context sensitive regulatory framework. We also highlight the importance of ex-ante enforcement tools and incentives that can engender better data practice before a data breach occurs.
7) Systemically important data entities: Drawing from financial sector thinking, we propose entities processing personal data be categorised into systemically important data, normal risk and low risk entities, based on the risk of harm they pose. A detailed methodology and framework should be created to operationalise this approach, taking into relevant factors in the context of data regulation. Such a gradation would allow future supervisory and enforcement activities to be better targeted in a complex data economy while state capacity continues to develop.
8) Liability: We propose a two tier liability model where (i) a strict liability standard for most well-defined obligations where these relate to conduct requirements set out by the law and fleshed out by regulation (ii) a reasonable efforts standard for entities to avoid causing harm or infringing informational privacy.
9) Inter-sectoral Coordination: An important aspect for data regulation to be successful in the future is inter-sectoral coordination. Such co-ordination between sectoral regulators and the regulator for data protection shall allow the creation of specific and nuanced regulations for various sectors, improve supervision, reduce risk of regulatory arbitrage. We propose such co-ordination be achieved using suitable Memorandum of Understanding between the relevant regulators.
Our detailed response to the several sections of the White Paper is available here, and a skeletal legislative document here. We reiterate that this is a limited and non-expert document, that merely seeks to holistically represent the different, interlinking parts of our thinking. We welcome feedback, comments and challenge on this as a learning document to refine and extend thinking on these matters.
The White Paper raises key issues which are relevant to any data protection regime in the world. The questions it poses are at the frontiers of law, policy and regulation. We humbly submit our thinking on these issues as it currently stands, and look forward to continuing research to feed into a constructive national and global dialogue on these important questions.