Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights

As the Government of India conducting nationwide public consultation programs on the Data Protection Law proposed to be drafted on the basis of the Justice Srikrishna Committee, I would like to place before the ministry, some of my key ideas.

Big Idea 1: Data Trusts

The global regime of data protection including the EU GDPR recognizes the role of

  1. a Data Protection Authority for the nation,
  2. Data Controllers who collect data from the subject and/or determine how the personal data is to be used,
  3. Data Processors who process personal data on the instructions of the Data Controller
  4. Data Protection officers at the industry level as compliance officers.

I propose a new category of agency called “Data Trust” which operates between the Data Subject and the Data Collector and works as an escrow agent for the personal data of the individual. It will be a specialised institution which

  1. has the necessary wherewithal to secure the data entrusted to it by the public
  2. has the ability to classify the personal data entrusted to it by the public into different data category packages such as “Basic”, “Basic-identity”,”Sensitive identity”, “Confidential” \or such other categories as they may chose to logically group
  3. has the ability to decode the consent forms and privacy notices of data collectors and grade the data controllers
  4. has the ability to determine which category of data is required to be supplied to which category of data controller
  5. has the ability to process a realtime request from the data subject to supply appropriate data to the data collector during a service registration process
  6. is registered with the Data protection authority
  7. is subject to being reviewed both by the strength of their performance and an audit by the authority
  8. is able to keep an arms length relationship with the Data collectors
  9. is able to monetize the data for the benefit of the data subject
  10. is able to issue a pseudonomization Id to its members which can be used instead of the real information when personal data is to be provided to data collectors.

The creation of this intermediary would be a unique suggestion that will make Indian law different from the rest of the world and meet the requirements of our country where there are a large number of less literate persons operating mobiles.

Big Idea 2: Jurisdictional Umbrella

Since Data Protection is a global concept and just as India is imposing responsibilities under Indian law, many of the Indian processors are already under obligation to international data protection agencies including GDPR authorities where huge penalties are likely to be imposed on the Indian companies through contractual obligations.

Indian law therefore has to also decide on the jurisdiction of the proposed law and how it will handle the disputes arising between Indian processors (or controllers) with the GDPR counterparts.

It is proposed that Indian law is made primarily applicable to the Indian Citizens for the protection of their rights on personal information privacy.

Impact of this law on non citizens arising due to the collection of their personal data during their activities which come under the Indian legal jurisdiction is not an obligation of the country but could be accepted in the interest of projecting India as a country that can be trusted for data protection for cross border transactions.

However, when it comes to enforcement of the rights of any foreign agency including private citizens as well as GDPR authorities or even the Contractual beneficiaries aborad, on any Indian Citizen or Indian Data Controller or Data Processor, it should be mandatory that the dispute is resolved only with the involvement of the Indian Data Protection Authority.

Indian Data Protection Authority shall be the sole adjudicating authority for all disputes in which an Indian Citizen or an Indian Corporate or an Indian Government agency is a party.

Big Idea 3: Reciprocal Enforcement Rights

Recognition of any data protection law of any country outside India shall be only on a reciprocal basis where equal rights are available from the other country which may include

a) Enforcement of the privacy rights of an Indian Citizen or a Company in the foreign jurisdiction

b) Enforcement of penalty of any description on an Indian Citizen or a Company vis a vis similar rights for the Indian companies or individuals on the foreign citizens and companies.

I urge the Ministry to incorporate the above three ideas into the proposed law in appropriate terms.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law and tagged , , , , , . Bookmark the permalink.

2 Responses to Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights

  1. Pingback: Cambridge Analytica and Indian Cyber Laws - Naavi.org

  2. Pingback: Innovation of “Offline Authentication of Aadhaar” – Privacy Knowledge Center

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.