IndusLaw Views On Data Protection in India

The document discusses key issues regarding India's proposed data protection framework. It suggests that: 1) The proposed law should have extraterritorial application so entities collecting personal data from Indian residents can be held accountable regardless of location. 2) Personal data should be broadly defined to include any data that can directly or indirectly identify an individual. Data collected through non-human systems should also be covered. 3) The law should protect personal data of individuals against both government and private entities. It should not apply to data of companies.


DATA PROTECTION FRAMEWORK FOR INDIA

FOREWORD

The white paper released by the Ministry of Electronics and Information Technology (MeitY) on the proposed ‘data protection regulatory framework for India’ in November 2017 has discussed various aspects of data protection and analysed pertinent issues from the standpoint of laws in several jurisdictions. The white paper also provides provisional views which we believe could be the foundation for the proposed data protection legislation. Some of the key issues that find a prominent place in the white paper are territorial jurisdiction under the proposed law, the nature of personal data and sensitive personal data protected and the rights associated therewith, cross-border flow of data, and the authorities responsible for controlling and processing data. Overall, the white paper suggests that the proposed data protection legislation should not only provide a means to protect personal information but also put in place processes to regulate the mechanism for receiving, storing and processing data, and provide remedies in instances of data breach. It is our belief that the legislative process adopted for the proposed data protection legislation, which includes seeking inputs from stakeholders, academicians, lawyers etc., will ensure that the data protection regime in India is more robust, has a holistic view and adopts international best practices in relation to data protection.

“Informational privacy is a facet of the right to privacy.”
Justice K.S. Puttaswamy (Retd.) v. Union of India
TABLE OF CONTENTS

• Territorial Scope
• Personal Scope
• Cross Border Data Flow and Data Localization
• Processing, Obligations on Data Processors and Individual Rights
  -- Consent and Notice
  -- Purpose Specification and Use Limitation
  -- Right to be Forgotten
• Regulation and Enforcement
  -- Accountability
  -- Personal Data Breach Notification
  -- Data Protection Authority
  -- Adjudication Process
TERRITORIAL SCOPE

The Proposed DP Law should have extra-territorial application, making offences punishable against entities collecting personal data from Indian residents, irrespective of their presence in India. To ensure enforceability of the law, certain minimum, non-negotiable terms that parties must include in their contracts should be laid down in the Proposed DP Law.

Civil Matters

Indian courts have jurisdiction over civil matters in which the wrong is committed in India or in which the place of residence, employment or carrying on of business is located within India. The proposed data protection legislation (“Proposed DP Law”) should clarify the basis of jurisdiction on the ground of ‘carrying on business in India’, perhaps by way of an explanation under the relevant section, such that persons who do business transactions with persons located in India may be brought under Indian jurisdiction.

Extraterritorial Application of Indian Criminal Law

Extraterritorial application of Indian criminal law is provided on the basis that an offence was committed by an Indian citizen anywhere in the world, or that an offence was committed on board a ship or aircraft registered in India. Further, any offence that is targeted, by any person from any location, against a computer, computer system, computer network or computer resource located in India confers jurisdiction upon Indian courts.

The effect of the offence being felt in India, or a threat to Indian security or the security of its citizens, and not the presence of the offender in India, is the key to establishing jurisdiction.

The Proposed DP Law should have extra-territorial application, making punishable offences against the personal data of Indian residents by entities offering goods or services to them, regardless of the location of the data processor or its presence in India. In this context, it would be necessary to ensure that the governing law and jurisdiction in the contract (including terms of use and privacy policy) between the individual and such foreign entity is India. Alternatively, the governing law and jurisdiction should not restrict the individual’s right to take action under the Proposed DP Law. The benefit will be two-fold: protection of individual rights, and payment of compensation by such entities for any violation of such laws. Additionally, compensation payable to an individual should include not only wrongful loss or wrongful gain (i.e. objective harm) but also subjective harm, so that anticipated loss arising from the collection of personal information is also covered. The test to determine jurisdiction can be any of the following factors: (i) processing of personal data of Indian data subjects, similar to the European Union’s GDPR, whether or not such processing happens in India; (ii) the entity performing the processing undertakes business or derives revenues or profits from Indian data subjects; or (iii) the processing of personal data of any person takes place in India.

Data Sharing

In order to address the aspect of enforceability, the Proposed DP Law should prescribe certain minimum, non-negotiable terms to be included in the contract between: (i) the data subject and the entity collecting personal data; and (ii) such entity and any other person to whom such entity hands over the tasks of storage, use or processing of personal data. Such mandatory contractual terms could include a compulsory acceptance of Indian law and the jurisdiction of Indian courts/regulators.

Prospective Effect of Proposed DP Law

Any offence defined under the Proposed DP Law can be punished only if committed from the date on which the new law is made effective, even though such offences may relate to data collected prior to the enactment of the Proposed DP Law. This follows from the prohibition on retrospective application of criminal law under Article 20(1) of the Constitution of India. Therefore, a transitory period for companies to come into compliance with the new law should be provided before the new standards and procedures for data protection are made completely enforceable.
PERSONAL SCOPE

The right to protection of personal data only extends to individuals. Personal data should be broadly defined: any data which is reasonably sufficient to allow direct or indirect identification of an individual constitutes personal data. Data collected by non-human-controlled data processing systems should also be covered under the definition.

As recognised under the European Union’s GDPR, the concepts of privacy and autonomy are available only to natural persons and not to companies. By affording constitutional protection to the ‘right of privacy’, state instrumentalities have been made accountable to a greater degree in terms of data protection. Accordingly, it is suggested that the Proposed DP Law should provide protection for individuals against the State and its undertakings, as well as against privately-owned entities. For the purpose of protecting the interests of the State, the reasonable restrictions prescribed under Article 19 of the Indian Constitution may be extended even to cases of breach of privacy. It is also important to note that a company’s valuable information, such as confidential information, trade secrets and intellectual property rights, is protected under contract law or intellectual property law, and therefore it is submitted that there is no specific need to extend the Proposed DP Law to protecting a company’s business information.

Personal Data

It is imperative that the definition of “personal data” or “personal information” (irrespective of the nomenclature) in the Proposed DP Law be robust enough to meet the multiple ways in which technology is used to collect information. Modern technologies such as targeted online advertising, which make use of an individual’s online activity trends to customise advertising, can be intrusive on a person’s privacy and autonomy without actually accessing any “identifiable” information. Such data may not be independently “identifiable”; however, collectively such data may result in identifying an individual, and thus in a violation of privacy. Technologies associated with artificial intelligence and the internet of things may access individuals’ data already present in various systems, including computers, servers, cloud storage or the internet, without such individuals actually delivering the data or even being aware that data is being collected or analysed. For this reason, the definition of “personal data” needs to be broad in its scope and application.

The term “personal data” needs to be defined widely and, to the extent possible, be technology-neutral. Any data or information that is reasonably sufficient to allow direct or indirect specific identification of an individual must be included within the definition.

Any information which, in conjunction with other data, helps to ‘reasonably identify’ an individual should be covered by the definition of personal data, regardless of whether the data was subject to anonymization or pseudonymization.

Further, in our view the definition of “personal data” must include both facts (such as name, age, address, etc.) and other data (such as credit score, online activity history, hobbies, interests, etc.), whether or not such data constitutes fact or opinion, whether or not there is an overt act of disclosure of data by the individual, and regardless of accuracy. Data collected by non-human-controlled data processing systems, without the knowledge of the data subject, must also be included within the definition.

There may of course be certain exemptions from what is treated as personal data, on the grounds of sovereignty and integrity of the country, security interests and national peace. However, when personal data or personal information is shared with other regulators or law enforcement authorities under applicable law, there should be a specific obligation on such regulators or law enforcement authorities to keep the information confidential and take due care to ensure that it is not used for any purpose other than that for which it was collected.

Sensitive Personal Data

Based on the definitions of “sensitive personal information” from various jurisdictions around the world, there seem to be two broad reasons why such sub-classification may be necessary: (i) some information is considered as being “intimate” or “extremely personal” to the individual; and (ii) such categories of data may be used to discriminate against an individual.

Any personal data including an individual’s religion, race, caste, sexual orientation, marital status, health conditions, place of birth, descent or place of residence, or such other details as the individual so designates, may be presumed to be “sensitive”. An individual should be given the option to refuse to divulge these details (particularly since they may form the basis for discrimination) unless they are essential for the purpose for which they are being sought. The disclosure of such information must be voluntary on the part of the individual, and the forum interacting with an individual must not insist on disclosure of such information or make non-disclosure of such information the basis for rejecting the benefits sought by the individual.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) define six categories of information as being “sensitive personal data or information”, and provide for rules relating to the collection, use, processing and disclosure/transfer of such information. It is our view that this position be retained under the Proposed DP Law. In addition, it is suggested that religion, race, caste, gender and criminal record be included under the definition of “sensitive personal information” (biometric information is already covered by Rule 3 of the SPDI Rules). In this context, the legislators may also consider creating certain reasonable exceptions, e.g. disclosure of a record of offences involving moral turpitude when the individual is applying for a job involving care of children or elderly people.
CROSS BORDER DATA FLOW AND DATA LOCALIZATION

Along with the “comparable level of protection” test, the “adequacy” test must also be implemented. Further, sensitive personal data should only be transferred outside the country when absolutely necessary, and some sensitive personal data that is required to be transferred out of India must still be located on a server or a datacentre within India.

The Proposed DP Law must cater to both (i) cross-border transfer of personal data of Indian data subjects; and (ii) cross-border receipt, and thereafter processing, of personal data of foreign data subjects in India. For this purpose, the standards specified for such transfer must be equivalent to or higher than those laid down in other countries with developed data protection regimes.

Transfer of sensitive personal data under the SPDI Rules is only permitted if the receiver (Indian or foreign) implements data security standards and procedures at least as stringent as those in the Rules. Rule 8 of the SPDI Rules lays down the standards and procedures required to comply with the Rules; these must be checked against the most stringent requirements existing in other countries and any consequent gaps must be addressed. It is our view that the Indian Government must work with foreign data protection regulators to have India recognized as a country that satisfies the legal requirements of those other countries. Thus, along with the “comparable level of protection” test, the “adequacy” test must also be implemented.

In terms of cross-border transfers and data localisation, neither a blanket prohibition on cross-border transfer of personal data nor a blanket rule requiring localization of all personal data is desirable or practical. A balance has to be struck between national interests and ease of doing business. In the interest of national security, sensitive personal data such as biometric information of Indian data subjects is not required to be transferred abroad in any reasonable business context, and such sensitive personal data must be kept within the country. Some sensitive personal data that is required to be transferred out of India must still be located on a server or a datacentre within India. This will also provide a resolution to the question of territorial jurisdiction of the Proposed DP Law.
PROCESSING, OBLIGATIONS ON DATA PROCESSORS AND INDIVIDUAL RIGHTS - CONSENT AND NOTICE

For free and valid consent, a clear notice of the fact of collection and processing of data must be provided to the data subject along with the opportunity to clearly, transparently and explicitly signify consent. Implied consent, inactivity or pre-checked boxes signifying consent should not be acceptable modes of consent. This should apply equally to data collected through manual and through automated processes. Adopting a standard form of notice and outlining the type and method of data collection would be a cost-effective method for ensuring that the requirements of consent and notice (two pillars of the right to privacy) are adequately met.

Privacy is closely associated with the autonomy and identity of an individual, as recognized in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCALE 1 (“Puttaswamy Judgment”) and in the white paper. While consent need not be the sole basis for the processing of personal data, it should be one of the primary requirements for collection, processing and use of personal data. Business realities, unequal bargaining power and the development of new technologies often relegate the concept of “free consent” of an individual to the status of a legal assumption.

Thus, apart from consent, the processing of data must be permissible only when the data processor needs to do so in order to fulfil a legal or contractual obligation, and such obligation cannot be fulfilled unless personal data is processed in a regulated manner.

For free and valid consent, a clear notice of the fact of collection and processing of data must be provided to the data subject along with the opportunity to clearly, transparently and explicitly signify consent. This can be by way of a click-wrap agreement, but implied consent, inactivity or pre-checked boxes signifying consent should not be acceptable modes of consent. It is therefore important that the consents obtained are documented and retained for the period of collection, processing or use of personal data. The data subjects must also be allowed to withdraw consent.

There are sufficient safeguards for data collected through manual and human-controlled processes, but organisations that may access or use personal data during an automated process, such as data analytics or data mining, must provide specific notice to this effect along with the purpose of collection and proposed use, and obtain the data subject’s explicit prior consent.

Further, obtaining consent should not allow the data controller or data processor to disclaim all legal liabilities.

There are multitudes of business activities or purposes, and personal data may be collected by various organisations, which would lead to a “multiplicity of notices” and “consent fatigue”. This practical difficulty should not be used as an argument to trivialize consent; in fact it strengthens the need for informing the data subject of the fact and purpose of collection and processing of personal data.

As a simple and cost-effective method, a standard form of notice can be adopted containing (i) the nature of personal data collected; and (ii) the purpose of collection, processing and use of data. Simple English should be used and the main points should be either in bold typeface or in a different colour. The notice should not be hidden away behind a URL or the like. It may also be provided in Hindi or another regional language.

While consent is an important premise for the collection and processing of personal data, it is submitted that specifying different standards of notice and consent for different forms of personal data is both difficult to achieve in practice and subject to the risk of obsolescence in light of fast-evolving technologies. At the same time, permitting data controllers to make context-specific determinations of the applicable standards may result in a lack of uniformity and the adoption of insufficient standards.

What the law can provide for, however, is broad limits on the purposes for which sensitive personal data may be collected and processed, and the manner of providing and documenting consent.

There is currently one glitch: the data subject can either (i) provide blanket consent to access all services offered by a data controller; or (ii) not provide consent at all and in turn not access any of the services offered by the data controller. They cannot selectively provide consent to access certain services offered by the data controller. In the context of modern internet-enabled businesses and technologies, “notice and consent” is not very straightforward.

What might help are Privacy Impact Assessments (“PIA”), which are meant to ensure that the most serious risks of privacy breaches are identified and addressed effectively, although the mechanism and oversight of PIAs differ across jurisdictions. Some critical sectors or industries, such as healthcare, finance, etc., must be identified for an initial phase of PIA rollout, as it can be expensive and time-consuming.

The Proposed DP Law should consider inclusion of a “consent dashboard” which will give data subjects the right to access their personal data and verify the lawfulness of processing and use. This will enable data subjects to object to any unjustified use and allow them to withdraw their consent where necessary. This is, however, based on the presumptions that such data is traceable and accurately recorded, that organisations upload and share such data into the dashboard, and that the entire cycle of collection, storage and processing happens through a human-controlled process.

In this regard, it is a concern that the consent dashboard itself may constitute “sensitive personal data” and must thus be put under the watch and control of an independent, neutral regulator that is brought under the framework of the Proposed DP Law. If it is maintained by a government entity, it should not be exempted from the applicable rules for the purpose of compliance.

It is submitted that recognition of organisations with an excellent track record of compliance with privacy laws is important, and must also be supported by a system of reward in the form of lesser scrutiny from the regulator under normal circumstances. One such mechanism may be in the form of a “data trust score”, for which criteria such as the number of breaches, complaints and rectification requests, and also factors such as proactive provision of “notice and choice”, transparency, ease of comprehension and robustness of information security systems, may be taken into account. Such a score may be subject to annual review and revision, as necessary. The rules for calculation of such a score may also differ according to the sector in which the organisation operates, and may be administered by the data protection regulator or a department constituted thereunder. Such a system will also increase faith in the overall framework of the Proposed DP Law, from the point of view of individuals and businesses alike.
PROCESSING, OBLIGATIONS ON DATA PROCESSORS AND INDIVIDUAL RIGHTS - PURPOSE SPECIFICATION AND USE LIMITATION

The future use must not be totally incompatible with or contrary to the originally stated purpose, and must be something that demonstrably has a reasonable and immediate nexus with the originally stated purpose.

A data subject, while providing personal data, can legitimately expect that it is only used for the furtherance of a specified, explicit and lawful purpose and not for anything else. Thus purpose specification and use limitation cannot be done away with. It is equally important to ensure that the law is dynamic enough to encourage new technologies while providing a robust framework of security for, and protection of, individual privacy rights. There is a need to strike a balance through the test of reasonability. The future use must not be totally incompatible with or contrary to the originally stated purpose, and must be something that demonstrably has a reasonable and immediate nexus with the originally stated purpose. Further, where the initial notice does not provide clear insight into how data may be used in the future (e.g. in cases of “Big Data”), it must be the data processor’s obligation to provide fresh notice to the data subject regarding such new uses or purposes, and further processing must be subject to the individual’s renewed explicit consent to the new purpose.

It would be important to identify specific sectors or industries, especially those which deal with sensitive personal data or information, and define strict adherence to the rules regarding purpose specification and use limitation. For example, where medical history is collected for treatment of a disease, the scope of use is limited and there is no ‘reasonably foreseeable’ future purpose for the use of this information. For this, the data protection regulator may collaborate with the sectoral regulators.

Further, broadly defined purposes such as “improving user experience” or “marketing purposes” must not be permitted, and there must be a reasonable nexus between the business or service offered by the organisation and the list of purposes stated in the notice to data subjects.

Individual Participation Rights

A data subject must always have the right to access and/or rectify personal data regardless of the mechanism of collection or storage, or the technology by which such data may have been collected or stored. However, personal data may be accessed or rectified only when the data controller has expressly and intentionally collected personal data, whereas such actions may not even be possible in the case of automatically collected data or “data trends”. The view suggested in the white paper, to levy a fee on an individual who wishes to access or rectify his/her personal data, is practical and also serves to strike a balance between business considerations and individual rights.

For enforcement of such a right, an independent data regulator may be preferable and more accessible than a court of law, and it may also be empowered to issue directions to data processors to provide access to or rectify an individual’s personal data.
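The consent and notice requirements discussed earlier (explicit consent only, consents documented and retained, withdrawal possible) and the purpose specification and use limitation rules in this section are easier to audit when they are enforced in code at the point of processing. The following consent ledger is an added illustration written for this edit; it is not code from the white paper or from IndusLaw. The consent modes, the list of purposes treated as too vague, the "compatible purposes" map (standing in for the "reasonable and immediate nexus" test) and the clinic scenario are all assumptions made for the example.

```python
"""Consent ledger: records only explicit consent, keeps the record as an audit trail,
supports withdrawal, and checks every later use against the originally stated purpose.
Illustrative example; not part of the white paper or of IndusLaw's material."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Only an explicit affirmative act counts as consent; pre-checked boxes, inactivity
# and "implied" consent are refused outright. (Mode names are assumptions.)
EXPLICIT_MODES: Set[str] = {"click_wrap", "checkbox_ticked", "signed_form"}
REJECTED_MODES: Set[str] = {"pre_checked_box", "inactivity", "implied"}

# Broadly defined purposes that give the subject no real insight into use (assumed list).
VAGUE_PURPOSES: Set[str] = {"improving user experience", "marketing purposes"}


class ConsentError(ValueError):
    """Raised when consent is recorded in an unacceptable way."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str          # which notice text the subject actually saw
    mode: str                    # how consent was signified
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ConsentLedger:
    # For each originally stated purpose, the further purposes that have a reasonable
    # and immediate nexus with it. Anything else needs fresh notice and renewed consent.
    compatible: Dict[str, Set[str]] = field(default_factory=dict)
    records: List[ConsentRecord] = field(default_factory=list)

    def record(self, subject_id: str, purpose: str, notice_version: str,
               mode: str, when: Optional[datetime] = None) -> ConsentRecord:
        """Document a consent. Refuses non-explicit modes and vague purposes."""
        if mode in REJECTED_MODES or mode not in EXPLICIT_MODES:
            raise ConsentError(f"{mode!r} is not an acceptable mode of consent")
        if purpose.strip().lower() in VAGUE_PURPOSES:
            raise ConsentError(f"purpose {purpose!r} is too broad to be specified")
        rec = ConsentRecord(subject_id, purpose, notice_version, mode, when or _now())
        self.records.append(rec)   # retained, never deleted: this is the audit trail
        return rec

    def withdraw(self, subject_id: str, purpose: str,
                 when: Optional[datetime] = None) -> int:
        """Withdraw consent for a purpose; returns the number of records withdrawn."""
        stamp = when or _now()
        count = 0
        for rec in self.records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.active:
                rec.withdrawn_at = stamp
                count += 1
        return count

    def active_purposes(self, subject_id: str) -> Set[str]:
        return {r.purpose for r in self.records if r.subject_id == subject_id and r.active}

    def may_process(self, subject_id: str, purpose: str) -> Tuple[bool, str]:
        """Use-limitation check to run before any processing step."""
        active = self.active_purposes(subject_id)
        if purpose in active:
            return True, "consent on record for this purpose"
        for original in active:
            if purpose in self.compatible.get(original, set()):
                return True, f"compatible with originally stated purpose {original!r}"
        return False, "no consent for this purpose: fresh notice and renewed explicit consent required"


if __name__ == "__main__":
    # Constructed scenario: a clinic collects medical history for treatment only.
    ledger = ConsentLedger(compatible={"treatment of a disease": {"follow-up appointment reminders"}})
    ledger.record("patient-1", "treatment of a disease", "notice-v3", "click_wrap")
    print(ledger.may_process("patient-1", "follow-up appointment reminders"))
    print(ledger.may_process("patient-1", "sale of records to an insurer"))
    ledger.withdraw("patient-1", "treatment of a disease")
    print(ledger.may_process("patient-1", "treatment of a disease"))
```

Withdrawal marks a record rather than deleting it, so the ledger still shows what was consented to, under which notice version and when, for the whole period of processing; a purpose outside the compatibility map is refused with a reason that tells the caller fresh notice and renewed consent are needed rather than silently allowing the use.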
PROCESSING, OBLIGATIONS ON DATA PROCESSORS AND INDIVIDUAL RIGHTS - RIGHT TO BE FORGOTTEN

If the requirements of notice, consent, purpose specification and use limitation are not followed in entirety or in part, or the purpose has been achieved, then in such instances a right to be forgotten may be given retrospective effect. The right to be forgotten must extend to all personal data, and not just sensitive personal data/information, and must also extend to data collected by automated processes.

The right to be forgotten must be understood outside the scope of:

a. the SPDI Rules, which provide for an obligation on the data processor not to retain sensitive personal data or information once the purpose for which it has been obtained has been accomplished;
b. existing measures to protect a person’s reputation, dignity and intellectual property;
c. laws which place personal information such as court decrees, etc. in the public domain;
d. instances of public interest or national security which warrant the data continuing to be stored; and
e. information in the public domain protected by the right to free speech or by exceptions to tort such as truth.

One facet of this has already been incorporated in the SPDI Rules, wherein the data subject has a right to withdraw consent for his/her sensitive personal data or information being further collected or processed.

It is also possible that the data subject does not consent to the transfer of data, and this right would thus work in the context of transferring personal data to another entity.

If the requirements of notice, consent, purpose specification and use limitation are not followed in entirety or in part, or the purpose has been achieved, then in such instances a right to be forgotten may be given retrospective effect. The Proposed DP Law must clearly state the grounds for such a request, and a request not made on the basis of these would be liable to be denied. It must be applicable to all personal data, not just sensitive personal data/information. Further, data may also be collected by automated processes of which the data subject is not aware. Irrespective of this, the right to be forgotten must exist for such data as well.

The Puttaswamy Judgment and the decision of the Karnataka High Court in Sri Vasunathan v. The Registrar General (2017 SCC OnLine Kar 424), referred to in the white paper, discuss the right to be forgotten only in the context of deletion of personal data. As in other countries examined by the white paper, the right to prevent further dissemination must also be included in the right to be forgotten. Deletion might not be possible in instances where the data has been widely disseminated in the online space or is resident as “passive” data in servers beyond the data processor’s control. In such a scenario, it is important to ensure that the data processor takes all steps to ensure that such data does not get further disseminated or transferred to any other person.
REGULATION AND ENFORCEMENT - ACCOUNTABILITY

Both, data controllers and data processors should adopt specific measures
to demonstrate accountability, based on standards and regulations which
would be general and sector-specific, and should have liability affixed,
in case of data breach. The nature and extent of liability should depend
on the nature of data, the party responsible for handling data and the
measures adopted. Data controllers should mandatorily be required to
obtain insurance policies and adopt a risk management mechanism to
mitigate loss due to data breach.
The European Union, based on the principle of accountability, requires data controllers to address two important facets: implementation of data protection principles after identifying them, and demonstration of such implementation if required by a supervisory authority, in order to ensure greater accountability for the data controller.

As for organisational standards to be adopted, the Proposed DP Law should contain specific rules (including specific criteria for duty of care) to enable data controllers to demonstrate accountability. Factors such as current technology standards, sector-specific requirements and the nature and quantum of personal data being handled must be taken care of in the legislation so as to make it technology compliant. Moreover, strict consequences for failure to adhere to these standards must be prescribed.

It is our view that sector-specific regulators should also consider prescribing additional guidelines or compliances to be undertaken by data controllers. In case of a conflict, the sector-specific rules should prevail over general ones. In terms of penalty, there should not be any restriction on a data controller under the Proposed DP Law as well as under sector-specific guidelines. Notwithstanding the aforementioned, the principles under the Evidence Act, 1972 would be applicable for the data controller to prove that it fulfilled its duty of care to prevent or mitigate data breach. This will help in determining the liability of the data controller during adjudication for a data breach.

In this regard, there are two kinds of data breach: (a) owing to technological failure and (b) owing to fault, whether negligent or wilful. As for the former, the person responsible for collecting and handling data, i.e. a data controller, should be held responsible; however, there should be an option to cap such liability to the extent that there is evidence to establish that it took adequate measures to prevent the breach. In such instances, no penalty should be levied on the data controller. As for the latter, the person responsible should be held accountable to a greater degree and be liable to compensate the individual as well as pay the penalty, subject to no cap on the compensation or penalty. Breach under both categories should include both objective and subjective harm so as to offer a spectrum of possibilities for which the individual can seek remedy or compensation.

In this context, it is relevant to analyse Section 79 of the Information Technology Act, 2000, which exempts intermediaries from liability in certain cases. The exemption under Section 79 should not extend to the specific event contemplated above, and for this reason it would be necessary to amend Section 79 to this limited extent.

Given that modern data processing is complex and may involve several persons, it is difficult to enjoin any one person with the liability for data breach, and therefore the data controller should be ultimately responsible and accountable for the data. However, the data controller can seek indemnities or affix contractual liability to third parties involved in data processing, ensuring strict compliance. In this context, it is suggested that the Proposed DP Law specify certain guidelines/standards for data controllers to appoint data processors and also exercise due diligence in this regard.

Moreover, data controllers should mandatorily be required to obtain insurance policies commensurate with the quantum of data handled by them as well as the sector in which such data controllers operate, covering any and all liability in case of data breach. This is to ensure enforcement of the claim of an aggrieved person as against the data controller. Besides being accountable, data controllers should have a system in place to prevent, detect and react to data breach and mitigate associated risks, including adopting interim measures.
REGULATION AND ENFORCEMENT
- PERSONAL DATA BREACH NOTIFICATION
Data protection framework for India | 25
Identification of the nature of breach is important, especially in the
cases of personal data breach, whereby a timely notification to the
relevant individual and proper reporting to the Authority will help
in mitigating the damage caused by it.
There are three internationally recognised forms in which a personal data breach may occur: confidentiality breach, integrity breach and availability breach.

The European Union's GDPR defines a personal data breach to include all these forms of breach, but defines a personal data breach as a "security breach". The white paper discusses the practical difficulties in both identification and notification of a personal data breach and how all security breaches need not necessarily be personal data breaches. However, persons or organisations managing or storing personal data would typically be aware of the nature of the security breach and the likelihood of data controlled by them being affected by the breach. Hence, the data controller/processor should send out a notification in case of any breach and its likely effect upon the data.

The timing of the notification may depend on several factors such as whether it is sensitive personal data, the number of individuals affected, the nature of the breach, etc. The content of the notification may be standardised by providing a form in the Proposed DP Law. It may entail basic details to the individuals such as the time of breach and the kinds of personal data under threat. The notification to the Authority/regulator must additionally include greater details with regard to the breach, including the mitigation strategy of the organisation.
REGULATION AND ENFORCEMENT
- DATA PROTECTION AUTHORITY
An independent, dedicated Authority having a specialised
structure is significant for an efficient adjudication and disposal
of data privacy issues.
The white paper suggests that there should be a separate and independent authority under the Proposed DP Law. The issue of personal data breach involves issues relating to privacy, which is a fundamental right. Further, personal data breach has a grave and immediate negative effect on the concerned individual. Thus, a special and dedicated body is necessary to adjudicate issues relating to it, rather than submitting to the jurisdiction of the existing overburdened judiciary.

It is important that the authority is independent so as to have an efficient system of enforcement. It is also important to ensure that the data protection authority: (i) is staffed by persons of adequate qualification; (ii) has sufficient jurisdiction and power to adjudicate disputes (including by way of taking suo motu action) and issue binding orders; (iii) has quasi-legislative functions to not only determine standards, but also prescribe rules and procedures concerning the operation of the law; (iv) has the authority to monitor compliance with the applicable laws and procedures; and (v) can perform with a great degree of independence from government intervention or influence.

It is our view that the Authority should be centrally headed by the National Data Protection Commissioner, who should be given a constitutional status like that of the Comptroller and Auditor General of India, for privacy is a fundamental right.

Furthermore, the National Data Protection Commission should ideally have separate departments established under it, each performing key functions, including: (i) legislative, advisory and investigative functions as well as technical recommendations; and (ii) judicial functions such as enforcement and dispute resolution. However, a number of functions, such as standards setting and prescription of standard forms and notices, may be performed by the authority in consultation with subject-matter experts as well as industry groups. This will ensure that standards and rules evolve along with changing technology, while also keeping the interests of businesses in mind.

The Proposed DP Law must also differentiate between penalty/fine and compensation. The penalty amount is to be retained with the Authority, whereas the compensation is to be awarded to the aggrieved person. The circumstances for both must be laid down clearly in the proposed legislation.
REGULATION AND ENFORCEMENT
- ADJUDICATION PROCESS
The proposed Authority must be dedicated to alleviating issues
from the individuals' end, enabling a class action if required,
by way of both pecuniary and subject-matter jurisdiction.
Besides, the presence of technical experts is essential on the panel
adjudicating complex technological issues of data breach.
The data protection authority in the Proposed DP Law must have a judicial wing. The judicial body under the Proposed DP Law must be an independently appointed tribunal having exclusive jurisdiction over matters involving data protection or privacy. Such tribunal must have jurisdiction only to hear individual complaints, thus clearly excluding companies/juristic entities from addressing their grievances/complaints. This is important since the Proposed DP Law is about the protection of individuals' fundamental right to privacy. There should be a provision for class-action suits where a data breach affects a large number of individuals. Aggrieved persons can jointly seek remedy, and the adjudicating process can award damages and penalise the data controller based on the nature and extent of the data breach. Additionally, this would also be time efficient, since matters concerning multiple data breaches by an entity can be adjudicated collectively.

While the Proposed DP Law may specify the pecuniary jurisdiction of the tribunals, the total compensation or monetary penalties that may be awarded/imposed by the data protection tribunals must not be limited or capped by statute.

Furthermore, the tribunal should be staffed by officers having legal as well as technical expertise. This is common in the technology industry, wherein the contracting parties insist upon the presence of a technically qualified person on an arbitral tribunal. The adjudication process should also permit video-conferencing as an accepted means of producing evidence and examining witnesses.
www.induslaw.com
AUTHORS

Suneeth Katarki, Partner
Namita Viswanath, Partner
Nikita Hemmige, Associate

CONTACT US

BANGALORE
101, 1st Floor, "Embassy Classic"
# 11, Vittal Mallya Road
Bangalore 560 001
T: +91 80 4072 6600
F: +91 80 4072 6666
E: [email protected]

DELHI
2nd Floor, Block D, The MIRA
Mathura Road, Ishwar Nagar
New Delhi 110 065
T: +91 11 4782 1000
F: +91 11 4782 1097
E: [email protected]

HYDERABAD
204, Ashoka Capitol
Road No. 2, Banjara Hills
Hyderabad 500 034, India
T: +91 40 4026 4624
F: +91 40 4004 0979
E: [email protected]

MUMBAI
1002A, Indiabulls Finance Centre
Senapati Bapat Marg, Elphinstone Road
Mumbai 400 013, India
T: +91 22 4920 7200
F: +91 22 4920 7299
E: [email protected]
Disclaimer
This alert is for information purposes only. Nothing contained herein is, purports to be, or is intended
as legal advice and you should seek legal advice before you act on any information or view expressed
herein. Although we have endeavored to accurately reflect the subject matter of this alert, we make
no representation or warranty, express or implied, in any manner whatsoever in connection with
the contents of this alert. No recipient of this alert should construe this alert as an attempt to solicit
business in any manner whatsoever.