As the Government of India conducting nationwide public consultation programs on the Data Protection Law proposed to be drafted on the basis of the Justice Srikrishna Committee, I would like to place before the ministry, some of my key ideas.
Big Idea 1: Data Trusts
The global regime of data protection including the EU GDPR recognizes the role of
- a Data Protection Authority for the nation,
- Data Controllers who collect data from the subject and/or determine how the personal data is to be used,
- Data Processors who process personal data on the instructions of the Data Controller
- Data Protection officers at the industry level as compliance officers.
I propose a new category of agency called “Data Trust” which operates between the Data Subject and the Data Collector and works as an escrow agent for the personal data of the individual. It will be a specialised institution which
- has the necessary wherewithal to secure the data entrusted to it by the public
- has the ability to classify the personal data entrusted to it by the public into different data category packages such as “Basic”, “Basic-identity”,”Sensitive identity”, “Confidential” \or such other categories as they may chose to logically group
- has the ability to decode the consent forms and privacy notices of data collectors and grade the data controllers
- has the ability to determine which category of data is required to be supplied to which category of data controller
- has the ability to process a realtime request from the data subject to supply appropriate data to the data collector during a service registration process
- is registered with the Data protection authority
- is subject to being reviewed both by the strength of their performance and an audit by the authority
- is able to keep an arms length relationship with the Data collectors
- is able to monetize the data for the benefit of the data subject
- is able to issue a pseudonomization Id to its members which can be used instead of the real information when personal data is to be provided to data collectors.
The creation of this intermediary would be a unique suggestion that will make Indian law different from the rest of the world and meet the requirements of our country where there are a large number of less literate persons operating mobiles.
Big Idea 2: Jurisdictional Umbrella
Since Data Protection is a global concept and just as India is imposing responsibilities under Indian law, many of the Indian processors are already under obligation to international data protection agencies including GDPR authorities where huge penalties are likely to be imposed on the Indian companies through contractual obligations.
Indian law therefore has to also decide on the jurisdiction of the proposed law and how it will handle the disputes arising between Indian processors (or controllers) with the GDPR counterparts.
It is proposed that Indian law is made primarily applicable to the Indian Citizens for the protection of their rights on personal information privacy.
Impact of this law on non citizens arising due to the collection of their personal data during their activities which come under the Indian legal jurisdiction is not an obligation of the country but could be accepted in the interest of projecting India as a country that can be trusted for data protection for cross border transactions.
However, when it comes to enforcement of the rights of any foreign agency including private citizens as well as GDPR authorities or even the Contractual beneficiaries aborad, on any Indian Citizen or Indian Data Controller or Data Processor, it should be mandatory that the dispute is resolved only with the involvement of the Indian Data Protection Authority.
Indian Data Protection Authority shall be the sole adjudicating authority for all disputes in which an Indian Citizen or an Indian Corporate or an Indian Government agency is a party.
Big Idea 3: Reciprocal Enforcement Rights
Recognition of any data protection law of any country outside India shall be only on a reciprocal basis where equal rights are available from the other country which may include
a) Enforcement of the privacy rights of an Indian Citizen or a Company in the foreign jurisdiction
b) Enforcement of penalty of any description on an Indian Citizen or a Company vis a vis similar rights for the Indian companies or individuals on the foreign citizens and companies.
I urge the Ministry to incorporate the above three ideas into the proposed law in appropriate terms.