white_paper_on_data_protection_in_india_171127_final_v2
For a fuller discussion, see page 30 above. Questions 1. What are your views on the issues relating to applicability of a data protection law in India in relation to: (i) natural/juristic person; (ii) public and private sector; and (iii) retrospective application of such law? 2. Should the law seek to protect data relating to juristic persons in addition to protecting personal data relating to individuals? Alternatives: a. The law could regulate personal data of natural persons alone. b. The law could regulate data of natural persons and companies as in South Africa. However, this is rare as most data protection legislations protect data of natural persons alone. 3. Should the law be applicable to government/public and private entities processing data equally? If not, should there be a separate law to regulate government/public entities collecting data? Alternatives: a. Have a common law imposing obligations on Government and private bodies as is the case in most jurisdictions. Legitimate interests of the State can be protected through relevant exemptions and other provisions. b. Have different laws defining obligations on the government and the private sector. 4. Should the law provide protection retrospectively? If yes, what should be the extent of retrospective application? Should the law apply in respect of lawful and fair processing of data collected prior to the enactment of the law? Alternatives: a. The law should be applicable retrospectively in respect of all obligations. b. The law will apply to processes such as storing, sharing, etc. irrespective of when data was collected while some requirements such as grounds of processing may be relaxed for data collected in the past. 5. Should the law provide for a time period within which all regulated entities will have to comply with the provisions of the data protection law? 206
6. Are there any other views relating to the above concepts? 3. Definition of Personal Data The definition of personal information or personal data is the critical element which determines the zone of informational privacy guaranteed by a data protection legislation. Thus, it is important to accurately define personal information or personal data which will trigger the application of the data protection law. For a fuller discussion, see page 34 above. Questions 1. What are your views on the contours of the definition of personal data or information? 2. For the purpose of a data protection law, should the term ‗personal data‘ or ‗personal information‘ be used? Alternatives: a. The SPDI Rules use the term sensitive personal information or data. b. Adopt one term, personal data as in the EU GDPR or personal information as in Australia, Canada or South Africa. 3. What kind of data or information qualifies as personal data? Should it include any kind of information including facts, opinions or assessments irrespective of their accuracy? 4. Should the definition of personal data focus on identifiability of an individual? If yes, should it be limited to an ‗identified‘, ‗identifiable‘ or ‗reasonably identifiable‘ individual? 5. Should anonymised or pseudonymised data be outside the purview of personal data? Should the law recommend either anonymisation or psuedonymisation, for instance as the EU GDPR does? [Anonymisation seeks to remove the identity of the individual from the data, while pseudonymisation seeks to disguise the identity of the individual from data. Anonymised data falls outside the scope of personal data in most data protection laws while psuedonymised data continues to be personal data. The EU GDPR actively recommends psuedonymisation of data.] 6. Should there be a differentiated level of protection for data where an individual is identified when compared to data where an individual may be identifiable or reasonably 207
- Page 165 and 166: with developing certain baseline ac
- Page 167 and 168: ENFORCEMENT TOOLS 2.6 Introduction
- Page 169 and 170: Australia The Privacy Act makes ext
- Page 171 and 172: B. PERSONAL DATA BREACH NOTIFICATIO
- Page 173 and 174: eputation, and loss of confidential
- Page 175 and 176: There is a need to put in place a n
- Page 177 and 178: C. CATEGORISATION OF DATA CONTROLLE
- Page 179 and 180: The Treasury Board of Canada Secret
- Page 181 and 182: Under the EU GDPR, only certain dat
- Page 183 and 184: 5. What range of additional obligat
- Page 185 and 186: D. DATA PROTECTION AUTHORITY 2.18 I
- Page 187 and 188: and approval of the appointment by
- Page 189 and 190: The supervisory authority shall pro
- Page 191 and 192: . Advisory The functions of the OAI
- Page 193 and 194: standards be set by different entit
- Page 195 and 196: maintain reasonable security practi
- Page 197 and 198: notices‘ 827 and ‗information n
- Page 199 and 200: 5. Given that the Appellate Tribuna
- Page 201 and 202: CHAPTER 4: REMEDIES A. PENALTIES In
- Page 203 and 204: sector, size, financial and other r
- Page 205 and 206: to an overly adverse impact on smal
- Page 207 and 208: B. COMPENSATION Awarding of compens
- Page 209 and 210: United Kingdom As per the guidance
- Page 211 and 212: C. OFFENCES There are certain types
- Page 213 and 214: 4.11 Provisional Views 1. The law m
- Page 215: SCOPE AND EXEMPTIONS 1. Territorial
- Page 219 and 220: 2. Should the definition of process
- Page 221 and 222: 1. What are your views on including
- Page 223 and 224: 9. Data Localisation Data localisat
- Page 225 and 226: 2. Child’s Consent It is estimate
- Page 227 and 228: Alternatives: a. Assigning a ‗dat
- Page 229 and 230: If ‗sensitive personal data‘ is
- Page 231 and 232: 2. Should there be a restriction on
- Page 233 and 234: 3. Does a right to be forgotten add
- Page 235 and 236: 1. What are your views on the use o
- Page 237 and 238: oth for principled and practical re
- Page 239 and 240: Questions 1. What are your views on
- Page 241 and 242: 12. In cases where compensation cla
- Page 243: 3. What are the mitigating circumst
For a fuller discussi<strong>on</strong>, see page 30 above.<br />
Questi<strong>on</strong>s<br />
1. What are your views <strong>on</strong> the issues relat<strong>in</strong>g to applicability of a <strong>data</strong> protecti<strong>on</strong> law <strong>in</strong><br />
India <strong>in</strong> relati<strong>on</strong> to: (i) natural/juristic pers<strong>on</strong>; (ii) public and private sector; and (iii)<br />
retrospective applicati<strong>on</strong> of such law?<br />
2. Should the law seek to protect <strong>data</strong> relat<strong>in</strong>g to juristic pers<strong>on</strong>s <strong>in</strong> additi<strong>on</strong> to protect<strong>in</strong>g<br />
pers<strong>on</strong>al <strong>data</strong> relat<strong>in</strong>g to <strong>in</strong>dividuals?<br />
Alternatives:<br />
a. The law could regulate pers<strong>on</strong>al <strong>data</strong> of natural pers<strong>on</strong>s al<strong>on</strong>e.<br />
b. The law could regulate <strong>data</strong> of natural pers<strong>on</strong>s and companies as <strong>in</strong> South Africa.<br />
However, this is rare as most <strong>data</strong> protecti<strong>on</strong> legislati<strong>on</strong>s protect <strong>data</strong> of natural<br />
pers<strong>on</strong>s al<strong>on</strong>e.<br />
3. Should the law be applicable to government/public and private entities process<strong>in</strong>g <strong>data</strong><br />
equally? If not, should there be a separate law to regulate government/public entities<br />
collect<strong>in</strong>g <strong>data</strong>?<br />
Alternatives:<br />
a. Have a comm<strong>on</strong> law impos<strong>in</strong>g obligati<strong>on</strong>s <strong>on</strong> Government and private bodies as<br />
is the case <strong>in</strong> most jurisdicti<strong>on</strong>s. Legitimate <strong>in</strong>terests of the State can be protected<br />
through relevant exempti<strong>on</strong>s and other provisi<strong>on</strong>s.<br />
b. Have different laws def<strong>in</strong><strong>in</strong>g obligati<strong>on</strong>s <strong>on</strong> the government and the private<br />
sector.<br />
4. Should the law provide protecti<strong>on</strong> retrospectively? If yes, what should be the extent of<br />
retrospective applicati<strong>on</strong>? Should the law apply <strong>in</strong> respect of lawful and fair process<strong>in</strong>g<br />
of <strong>data</strong> collected prior to the enactment of the law?<br />
Alternatives:<br />
a. The law should be applicable retrospectively <strong>in</strong> respect of all obligati<strong>on</strong>s.<br />
b. The law will apply to processes such as stor<strong>in</strong>g, shar<strong>in</strong>g, etc. irrespective of when<br />
<strong>data</strong> was collected while some requirements such as grounds of process<strong>in</strong>g may<br />
be relaxed for <strong>data</strong> collected <strong>in</strong> the past.<br />
5. Should the law provide for a time period with<strong>in</strong> which all regulated entities will have to<br />
comply with the provisi<strong>on</strong>s of the <strong>data</strong> protecti<strong>on</strong> law?<br />
206