Data Protection in India - Part II

We live in a complex web of social relationships, which are influenced by several factors that are alien to any other country. The extent to which one wishes to be left alone depends on the nature of relationships in the web, which are sometimes more divergent than one can imagine. The privacy world of an individual in her relational web is multi-dimensional, dynamic and contextual, and suffers from predictability ambiguities. Defining the nature, scope, and extent of privacy through simple semantics is therefore very challenging, if not impossible. To put it in patent language, privacy is one of the most nonobvious among rights, and suffers from the vices of immaturity, unpredictability and ambiguity.
Our observations about privacy in this post and thereafter are therefore no more than those of a person in the well of knowledge blinded by bias. We will be very surprised if readers do not disagree with us and take offense at some of our comments.
You can read our earlier post on the white paper here
This chapter deals with the borderless nature of the Internet and the jurisdictional issues raised in relation to data protection. The Group of Experts found that the primary test for applicability of a data privacy law may be processing of personal information which takes place in the territory of India by entities which have a presence in India. The term processing involves any action with respect to data including collection, use or disclosure of data.
Question 1: What are your views on what the territorial scope and the extra-territorial application of data protection law in India should be?
Our response: The law must have extra-territorial effect with respect to data of Indian residents, and must provide appropriate redressal mechanisms for privacy violations outside India if the infringer has a business presence in India.
Question 2: To what extent should the law be applicable outside the territory of India in cases where data of Indian residents is processed by entities who do not have any presence in India?
Our response: The applicability of the law should be limited to data controllers in India, who share the information with the entity outside India.
Question 3: While providing such protection, what kind of link or parameters or business activities should be considered?
Our response: Any business activities of the entity in India through an affiliate or subsidiary, under a contract, or any other business arrangement may be considered for enforcing privacy violations. For purposes of imposing liability, any activity that gives rise to direct or indirect business or commercial benefit, and/or that amounts to infringement of the right may be considered irrespective of financial harm.
Alternative views mentioned in the white paper for Question 3:

  • Cover cases where processing wholly or partly happens in India irrespective of the status of the entity.
  • Regulate entities which offer goods or services in India even though they may not have a presence in India (modelled on the EU GDPR).
  • Regulate entities that carry on business in India (modelled on Australian law), business meaning consistent and regular activity with the aim of profit.

Our response: All three of the aforestated alternatives may be merged in the Indian privacy law.
Question 4: What measures should be incorporated in the law to ensure effective compliance by foreign entities inter alia when adverse orders (civil or criminal) are issued against them?
Our response: Non-compliance must be dealt with stringently by incorporating provisions for statutorily defined penalties that form a percentage of the business entity’s revenues.
Question 5: Are there any other views on the territorial scope and extraterritorial application of a data protection law in India, other than the ones considered above?
Our response: Well defined provisions against the contractual determination of governing law, jurisdiction and dispute resolution may be considered to ensure that foreign entities comply with Indian law, and do not find ways of working around it by way of contracts or by other means.
The Group of Experts, after examining best practices followed by other jurisdictions, found that the proposed data protection law may apply only to natural persons, as the primary object of such legislation is to protect the privacy right of an individual and not to protect the data of companies. Further, the law should be applicable to data about natural persons processed by both private and public sector companies.
Question 1: What are your views on the issues relating to applicability of a data protection law in India in relation to (i) natural/juristic persons; (ii) public and private sector; and (iii) retrospective application of such law?
Our response: (i) Privacy law must be applicable only to natural persons or association of natural persons, which are not body corporates. Both natural and juristic persons must, however, comply with privacy requirements under the law.
(ii) Both public and private sectors must come within the purview of the law.
(iii) The law must be applicable to private information/data collected before the law comes into force to the extent required to bring about compliance with the law within a defined timeline. Any retrospective violations may not be brought under the purview of the law.
Question 2: Should the law seek to protect data relating to juristic persons in addition to protecting personal data relating to individuals?
Our response: The data of juristic persons may not be brought within the scope of the law.
Question 3: Should the law be applicable to government/public and private entities processing data equally? If not, should there be a separate law to regulate government/public entities collecting data?
Our response: The law must be applicable to government, public and private entities equally. Assuming that this law will be a general law on privacy, laws with respect to specific aspects may have additional privacy provisions for the Government, the public sector, or specific institutions.
Alternative views mentioned in the white paper for Question 3:

  • Have a common law imposing obligations on Government and private bodies as is the case in most jurisdictions. Legitimate interests of the State can be protected through relevant exemptions and other provisions.
  • Have different laws defining obligations on the government and the private sector.

Our response: In our opinion, the first alternative is most suitable for India.
Question 4: Should the law provide protection retrospectively? If yes, what should be the extent of retrospective application? Should the law apply in respect of lawful and fair processing of data collected prior to the enactment of the law?
Our response: The law must apply to data collected before the law comes into effect. All private data must be stored, managed and processed in compliance with the law irrespective of when it was collected. No exceptions with respect to grounds of processing must be provided for retrospectively collected data. A provision to acquire consent once again with respect to the purpose of use of data collected retrospectively may be considered.
Question 5: Should the law provide for a time period within which all regulated entities will have to comply with the provisions of the data protection law?
Our response: Yes, the law must provide a timeline of one (1) year to bring about compliance.
Question 6: Are there any other views relating to the above concepts?
Our response: Entities may be required to make disclosures of personal data in their possession before the effective date of the privacy law to the regulator, or the person from whom such data was collected, with respect to what data they are holding, how they have used the data so far and how they plan to use it in the future, whether they have analyzed the data in any way and to what extent such analysis has been anonymized or pseudonymized, what steps they are taking to protect privacy, and what their grievance redressal mechanism is for any issues.
