This note maps the opinions of some stakeholders to the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27th November, 2017 (“White Paper”). While all responses to the White Paper are currently unavailable, responses of twenty-seven (27) stakeholders are available on Dvara Research’s blog, here.
Background
In July 2017, the Ministry of Electronics and Information Technology (“MeitY”) had constituted a Committee of Experts, chaired by Justice B.N. Srikrishna (“the Srikrishna Committee”) to frame recommendations for a data protection framework for India. In January, 2018, the Srikrishna Committee concluded a nation-wide stakeholders’ consultation on key issues of data protection. This consultation was based on two hundred and thirty (230) questions that it had raised in the White Paper. Final recommendations of the Srikrishna Committee are awaited.
Among many other issues raised, the Srikrishna Committee had flagged the grounds of processing of data as an important issue in Part III of the White Paper. As we have stated earlier, while all stakeholder submissions to the Srikrishna Committee have not been made public, Dvara Research has published a list of twenty-seven (27) publicly available comments. This note maps responses of these stakeholders on the grounds of processing of data.
The White Paper raises the following questions on grounds of processing in chapters 1, 2, 3 and 4 of Part III:
- Should consent be a primary ground for processing personal data?
- Should the proposed law have a provision prescribing an age-bar specifically for protecting children’s personal data?
- Should the law rely on the notice and choice of mechanism for operationalising consent?
- What other grounds should be included under which processing may be done?
Detailed Mapping of Responses
A detailed mapping of the responses of all the twenty-seven (27) stakeholders to questions in Chapters 1, 2, 3 and 4 of Part III of the White Paper on Data Protection Law for India is available here.
INSIGHTS
1. Consent should be a primary ground for processing personal data
1.1 Consent should be a primary ground for processing (18 responses): Access Now, BSA, iSPIRT, ITI, CIS, IDP, Harvard FXB Center, Mozilla Foundation, ORF, Prof. Graham Greenleaf, SFLC, Legal Academics and Advocates, Bhandari Kak Parsheera Rahman Sane, IFF, Privacy International, Subhasis Banerjee, Suyash Rai.
1.1.1 CIS is of the opinion that consent should be freely given.
1.1.2 Harvard FXB Center is of the opinion that clinical care and research will be negatively affected if consent to access health data becomes difficult. It is, therefore, suggested that a set standard for consent needs to be applied across the private and public healthcare delivery organizations.
1.1.3 IDP, ORF, Omidyar Network and SFLC are of the opinion that consent must be informed, meaningful, explicit, specific and unambiguous, freely given and the data subject should have the right to withdraw consent during any stage of processing.
1.1.4 ORF is of the view that consent must be simplified and multilingual.
1.1.5 Privacy International is of the view that consent shouldn’t be used as a means to disclaim liability for processing.
1.2 Consent should not be the primary ground of processing (2 responses): Takshashila Foundation and Dvara Research.
1.2.1 Takshashila Foundation is of the view that India should reply on the ‘Accountability model’ as the primary means for securing privacy.
1.2.2 Dvara Research is of the opinion that the test for legitimate interest should be the primary grounds for processing data.
1.3 No response (7 responses): CCG, Centre for Trade and Investment Law, Anupam Saraph, DEF, EFF, EPIC, The Hoot.
2 Child’s consent and provision prescribing an age-bar specifically for protecting children’s personal data in the proposed law
2.1 Child’s consent should be provided for by the provision with an age bar (8 responses): BSA, ITI, CIS, Harvard FXB Center, Prof. Graham Greenleaf, SFLC, Takshashila Foundation, Dvara Research.
2.1.1 BSA and ITI are of the opinion that India should adopt similar provisions like EU, where the age of consent for children is set at 13.
2.1.2 iSPIRT is of the opinion that a child’s consent is not valid.
2.1.3 CIS is of the opinion that the digital age of consent for children can be grouped as, below 13 years (consent to be given only by parent or legal guardian), 13 to 18 years (or possibly 16 years – with parental consent) and above 18 (consent of the user is sufficient).
2.1.4 SFLC is of the opinion that Section 11 of the Indian Contract Act, 1872 and Section 3 of the Indian Majority Act, 1875 should be followed which sets the age of majority at 18 years.
2.1.5 Takshashila Foundation is of the view that there must be an absolute prohibition on the processing of Sensitive Personal Data of all children below 14 years of age and explicit parental consent will be required in case of Sensitive Personal Data and Identified Personal Data.
2.2. No response (18 responses): Access Now, CCG, Centre for Trade and Investment Law, IDP, Mozilla Foundation, ORF, Legal Academics and Advocates, Anupam Saraph, Bhandari Kak Parsheera Rahman Sane, DEF, EFF, EPIC, IFF, Omidyar Network, Privacy International, Subhasis Banerjee, Suyash Rai, The Hoot.
3 The law should rely on the notice and choice of mechanism for operationalising consent
3.1 Notice and choice are essential for operationalising consent (14 responses): BSA, iSPIRT, Access Now, CIS, Harvard FXB Center, IDP, Prof. Graham Greenleaf, SFLC, Legal Academics and Advocates, Takshashila Foundation, Bhandari Kak Parsheera Rahman Sane, Dvara Research, Omidyar Network, Privacy International.
3.1.1 CIS has recommended the information that should be made available through a notice,
3.1.2 Harvard FXB Center is of the opinion that notice in form of audio visual should be provided to those with poor literacy.
3.2 No response (13 responses): ITI, CCG, Centre for Trade and Investment Law, Mozilla Foundation, ORF, Anupam Saraph, DEF, EFF, EPIC, IFF, Subhasis Banerjee, Suyash Rai, The Hoot.
4 Any other grounds of processing data
4.1 There should be other grounds of processing (12 responses): BSA, iSPIRT, ITI, Dvara Research, Takshashila Foundation, Mozilla Foundation, Access Now, CIS, SFLC, Harvard FXB Center, Prof. Graham Greenleaf, Subhasis Banerjee.
4.1.1 BSA is of the opinion that legitimate interest, contractual performances and compliance with law should be other grounds of processing.
4.1.2 iSPIRT is of the opinion that contractual performances, compliance with law and vital interest of data subjects should be other grounds of processing.
4.1.3 ITI, Dvara Research, Takshashila Foundation, Mozilla Foundation and Access Now have suggested legitimate interest as the other ground of processing.
4.1.4 CIS, SFLC, Harvard FXB Center and Prof. Graham Greenleaf are of the opinion that vital interest of data subjects and performance of contract should be other grounds of processing.
4.1.5 Subhasis Banerjee is of the opinion that combination of legitimate interest and purpose limitation should be adopted for privacy protection.
4.2 No responses (13 responses): CCG, Centre for Trade and Investment Law, IDP, ORF, Legal Academics and Advocates, Anupam Saraph, Bhandari Kak Parsheera Rahman Sane, EFF, EPIC, IFF, Omidyar Foundation, Suyash Rai, The Hoot.
[This post is authored by Adyasha Mohanty, a fourth-year student of Symbiosis Law School, Noida during her internship with TRA, with inputs from Pushan Dwivedi, Associate, TRA.]
Leave a Comment