white_paper_on_data_protection_in_india_171127_final_v2
could be high compliance costs on data processors.[270] Concerns relating to enforceability of contracts and enforcement capabilities in India must also be taken into account while attempting to precisely allocate responsibility by identifying multiple actors in processing of data. On the other hand, there remains the possibility that the new law could be the catalyst for mature transactions in data processing and the market may adapt to the new norms, however specific they are.

6.3 Provisional Views

1. To ensure accountability, the law may use the concept of ‘data controller’. The competence to determine the purpose and means of processing may be the test for determining who is a ‘data controller’.

2. The need to define data processors, third parties or recipients depends on the level of detail with which the law must allocate responsibility. This has to be determined on an assessment of the likely impact of imposing obligations on processors and the compliance costs involved, amongst other things.

6.4 Questions

1. What are your views on the obligations to be placed on various entities within the data ecosystem?

2. Should the law only define ‘data controller’ or should it additionally define ‘data processor’?

Alternatives:
a. Do not use the concept of data controller/processor; all entities falling within the ambit of the law are equally accountable.
b. Use the concept of ‘data controller’ (entity that determines the purpose of collection of information) and attribute primary responsibility for privacy to it.
c. Use the two concepts of ‘data controller’ and ‘data processor’ (entity that receives information) to distribute primary and secondary responsibility for privacy.

3. How should responsibility among different entities involved in the processing of data be distributed?

Alternatives:
a. Making data controllers key owners and making them accountable.
b. Clear bifurcation of roles and associated expectations from various entities.
c. Defining liability conditions for primary and secondary owners of personal data.
d. Dictating terms/clauses for data protection in the contracts signed between them.
e. Use of contractual law for providing protection to data subject from data processor.

4. Are there any other views on data controllers and processors which have not been considered above?

[270] Dr. Detlev Gebel and Tim Hickman, ‘Chapter 11: Obligations of processors – Unlocking the EU General Data Protection Regulation’, White & Case (22 July 2016), accessible at: https://www.