This note maps the opinions of some stakeholders on the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27 November, 2017 (“White Paper”).
While all responses to the White Paper are currently unavailable, responses of twenty-seven (27) stakeholders are available on Dvara Research’s blog, here.
Background
In July 2017, the Ministry of Electronics and Information Technology (“MeitY”) had constituted a Committee of Experts, chaired by Justice B.N. Srikrishna (“the Srikrishna Committee” or “the Committee”) to frame recommendations for a data protection framework for India. In January 2018, the Srikrishna Committee concluded a nation-wide stakeholders’ consultation on key issues of data protection. This consultation was based on two hundred and thirty (230) questions that it had raised in the White Paper. Final recommendations of the Srikrishna Committee are awaited.
Among many issues raised, the Srikrishna Committee had flagged the scope of the proposed data protection law as an important issue in Chapter 1 and Chapter 2 of Part II of the White Paper. As we have stated earlier, while all stakeholder submissions to the Srikrishna Committee have not been made public, Dvara Research has published a list of twenty-seven (27) publicly available comments. This note maps responses of these stakeholders on the scope of the proposed data protection law.
The White Paper raises the following questions on scope of the proposed data protection law in Chapter 1 and Chapter 2 of Part II:
- What are your views on what the territorial scope and the extra-territorial application of a data protection law in India should be?
- What measures should be incorporated in the law to ensure effective compliance by foreign entities inter alia when adverse orders (civil or criminal) are issued against them?
- What are your views on the issues relating to applicability of a data protection law in India in relation to (i) natural/juristic persons; (ii) public and private sector; and (iii) retrospective application of such law?
- Should the law provide for a time period within which all regulated entities will have to comply with the provisions of the data protection law?
- Are there any other views relating to the above concepts?
Detailed Mapping of Responses
A detailed mapping of the responses of all the twenty seven (27) stakeholders to questions in Chapter 1 and Chapter 2 of Part II of the White Paper on Data Protection Law for India is available here.
INSIGHTS
1. Extra-territorial application of data protection law in India:
The Srikrishna Committee is of the opinion that, the data protection law shall be applicable to any entity which does not have a presence in India but offers a good or service to Indian residents over the Internet or carries on business in India. This ensures that the law is applicable to anyone who would processes personal data of the data subject. It is also proposed that the extent of jurisdiction may not be so wide as to constitute an unnecessary interference with the jurisdiction of other states or have the effect of making the law a general law of the Internet. The Committee’s call for views on this issue has generated the following responses, broadly:
1.1 Extra-territorial application of data protection law should be adopted (13 responses): iSPIRT, Access Now, CCG, CIS, Harvard FXB Center, IDP, Professor Graham Greenleaf, SFLC, Legal Academics and Advocates, Takshashila Foundation, Dvara Research, Omidyar Network, Privacy International.
1.1.1 Access Now is of the opinion that the jurisdictional scope of the law should not be from an “establishment” perspective but from a user’s perspective.
1.1.2 CIS is of the opinion that the proposed law must be applicable to India entirely and to any offence or contravention committed outside India by any person, if it is related to the personally identifiable information of an Indian resident.
1.1.3 Harvard FXB Center, IDP, SFLC, Legal Academics and Advocates, Omidyar Network and Privacy International proposed that the law should be applicable to an entity which does not have a presence in India but offers a good or service to Indian residents over the Internet, or carries on business in India or processes personal data of Indian residents, irrespective of its location.
1.1.4 Professor Graham Greenleaf and Takshashila Foundation is of the view that the proposed law should not be applicable simply because a website is accessible in India.
1.2 Extra-territorial application of data protection law should not be adopted (2 responses): BSA and ITI.
1.2.1 BSA and ITI are of the opinion that the proposed law should be applicable to entities/data subjects established or residing in a certain country.
1.3 Extra-territorial application of data protection law may be adopted (4 responses): (1) Mozilla Foundation; (2) Bhandari, Kak, Parsheera,Rahman and Sane; (3) Suyash Rai; (4) The Hoot.
1.3.1 Mozilla foundation is of the view that is suggested that India should adopt a GDPR-like model and its several mechanisms of regulating entities which offer goods or services in India.
1.3.2 The Hoot has suggested that the data protection authority cannot have jurisdiction over the Indian media.
1.3.3 Suyash Rai has suggested that it might be difficult and expensive to establish jurisdiction over foreign organizations.
1.4 No response (8 responses): (1) Centre for Trade and Investment Law; (2) ORF; (3) Anupam Saraph; (4) DEF; (5) EFF ; (6) EPIC; (7) IFF ; (8) Subhasis Banerjee.
2. Applicability of a data protection law in India to natural/juristic persons:
The Srikrishna Committee is of the opinion that the data protection law may apply to natural persons only. Protection of the informational privacy right of an individual is the objective of the proposed legislation. It should not be extended to include data relating to juristic entities.
2.1 The proposed data protection law should be applicable to natural person (8 responses): (1) BSA; (2) CIS; (3) IDP; (4) Professor Graham Greenleaf; (5) SFLC; (6) Takshashila Foundation; (7) Dvara Research; (8) Privacy International.
2.1.1 BSA, CIS, IDP, SFLC, Takshashila Foundation, Dvara Research and Privacy International are of the opinion that the data protection law should not be applicable to juristic persons.
2.1.2 Professor Graham Greenleaf suggests that the data protection law should not be applicable to a deceased person.
2.2 The proposed law should be applicable to both natural and juristic persons (3 responses): (1) iSPIRT; (2) CCG; (3) Harvard FXB Center.
2.2.1 iSPIRT, CCG and Harvard FXB Center are of the opinion that the data protection law may extend to both natural as well as juristic persons.
2.3 No response ( 13 responses): (1) ITI; (2) Access Now; (3) Centre for Trade and Investment Law; (4) Mozilla Foundation; (5) Legal Academics and Advocates; (6) Anupam Saraph; (7) Bhandari, Kak, Parsheera, Rahman and Sane; (8) DEF; (9) EFF; (10) EPIC; (11) IFF; (12) Omidyar Network; (13) The Hoot.
3. Applicability of a data protection law in India to the public and private sector:
The Srikrishna Committee has proposed that the law may apply to data about natural persons processed both by the public and private entities with limited exemptions for well-defined categories of public or private sector entities.
3.1 The proposed data protection law should be applicable to public and private sector (11 responses): (1) iSPIRT; (2) Access Now; (3) CCG; (4) CIS; (5) Harvard; (6) SFLC; (7) Takshashila Foundation; (8) Dvara Research; (9) Privacy International,; (10) Suyash Rai; (11) Subhasis Banerjee.
3.1.1 Takshashila Foundation is of the opinion that law should be horizontally applicable to both government/ public and private sectors.
3.1.2 Suyash Rai is of the opinion that small sector organizations should be exempted from being subject to the new data protection law.
3.1.3 Subhasis Banerjee is of the view that the same privacy protection principles cannot be horizontally applied to the state and other essential bureaucracies.
3.2 The proposed data protection law should not be applicable to public and private sector (0 responses).
3.3 No response (13 responses): (1) ITI; (2) BSA; (3) Centre for Trade and Investment Law; (4) Mozilla Foundation; (5) Legal Academics and Advocates; (6) Anupam Saraph; (7) Bhandari, Kak, Parsheera, Rahman and Sane; (8) DEF; (9) EFF (10) EPIC; (11) IFF; (12) Omidyar Network; (13) The Hoot.
4. Retrospective application of data protection law:
The Srikrishna Committee has suggested that the law may have a transitory provision to address the issue of retrospective application.
4.1 The proposed data protection law should have retrospective application (3 responses): (1) IDP; (2) CIS; (3) Harvard FXB Center.
4.1.1 CIS is of the opinion that the data protection law can be retrospective in respect of the continued processing of data, but not to the extent that may require re-obtaining of consent.
4.1.2 Harvard FXB Center and IDP suggested that the proposed data protection law may have a transitory provision to address the issue of retrospective application.
4.2 The proposed data protection law should not have retrospective application (2 responses): (1) ITI and (2) Takshashila Foundation
4.2.1 Takshashila Foundation is of the opinion that the retrospective applicability of the law would impose significant and unwarranted challenges for entities collecting and processing data.
4.3 No response (17 responses): (1) Access Now; (2) iSPIRT; (3) BSA; (4) CCG; (5) Centre for Trade and Investment Law; (6) Mozilla Foundation; (7) SFLC; (8) Dvara Research; (9) Legal Academics and Advocates; (10) Anupam Saraph; (11) Bhandari, Kak, Parsheera, Rahman and Sane; (12) DEF; (13) EFF; (14) EPIC; (15) IFF; (16) Omidyar Network; (17) The Hoot.
[This post is co-authored by Adyasha Mohanty, a fourth-year student of Symbiosis Law School, Noida, Karan Dhingra, a fifth-year student of Jindal Global Law School, and Raghav Mudgal, a fourth-year student of RGNUL during their internships with TRA, with inputs from Nehaa Chaudhari, Public Policy Lead, TRA and Pushan Dwivedi, Associate, TRA.]
Leave a Comment