Comments Sought on Data Protection Law ComponentsCommittee Invites Feedback on Draft of Ideas for New Legislation
The government of India is seeking comments on a draft of ideas for the components of a data protection law.
A 10-member government-appointed committee has drafted a white paper that includes recommendations for components of the law and outlines experiences in other countries. Feedback on the report will be accepted through Dec. 31 at the Ministry of Electronics and Information Technology.
"On the basis of the responses received, we will conduct public consultations with citizens and stakeholders shortly to hear all voices that wish and need to be heard on this subject," according to a statement from the committee.
The committee is seeking insights on, for example, how best to gain consumers' consent to use their data and how to define personal data that must be protected.
"This is an interesting development and it will be worth putting in our comments," says Sriram Natarajan, chief risk officer at Quattro, a global services company. "This is a very welcome step that will turbocharge India's digital revolution."
The white paper lists seven key principles of data protection law:
- Technology agnosticism;
- Holistic application;
- Informed consent;
- Data minimization;
- Controller accountability;
- Structured enforcement; and
- Deterrent penalties.
One issue under consideration is whether India should use the concept of a data controller as spelled out in the EU's General Data Protection Regulation, which will be enforced starting in May.
Under GDPR, organizations that handle European's data must designate a data controller, who determines the purposes and means of processing data, plus a data processor who processes data on behalf of the controller.
The white paper seeks to clearly define the roles and responsibilities of people involved in data collection.
"If an entity handles personal information in any manner, it is expected to be accountable for it, irrespective of how they process the information or with whom they share it," says Shivangi Nadkarni, CEO at Arka Consulting, an advisory firm on data security. "Therefore, this entity taking accountability has to be clearly defined. The usual definition for this is that of a data controller - and hence, I would say, it makes sense to go with the accepted definition."
But because data travels through multiple layers, it's not always in control of a data controller, says C.N. Shashidhar, founder SecurIT Consultancy Services. "And hence, it is important to get data processors and third parties under the ambit of the law too," he says.
The Issue of Consent
The committee is seeking suggestions on how to make the process of gaining consumer's consent to use their personal data more effective and whether different standards of consent must be followed for different practices.
"Different standards for different transactions would result in added complexity and dilution in implementation," Shashidhar says. "It is recommended that one single standard be adopted for all types of transactions."
The issue of consent is particularly tricky in India, where so many individuals lack the ability to read and comprehend the implications of granting consent.
"In this case, a different type of instrument/mechanism may be required to be looked at," Nadkarni says. "A while ago, in one of its papers, the RBI had proposed a rights-based approach - where some basic rights for certain personal information should be embedded in the law itself, independent of an individual's consent. Hence, in a country like ours, a balance between notice and consent and a rights-based approach would be the appropriate way to go forward."
Definition of Personal Data
The definition of personal information or personal data is a critical element that determines the zone of informational privacy guaranteed by data protection legislation, the committee states.
So the panel is seeking input on what components under personal data should be termed sensitive and whether it should be categorized under personal data or personal information.
In 2011, the government identified the following for protection as sensitive personal data:
- Financial information, such as bank account, credit card, debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history; and
- Biometric information.
"I think we must use personal data as it [is] a wider term than personal information," Natarajan says. "Information is really static variables - date of birth, sex, place of birth, account number, among other things, while data is a much wider term including your card spend, your preferences, your social media history, etc."
Some practitioners say the committee should take into account the definition of sensitive personal information used in other countries.
"Usually, around the world, there is quite a bit of convergence around what constitutes sensitive personal data," Nadkarni says. "It would make sense to go with the same kind of categorization while adding/deleting what may/may not make sense from the Indian context."