A brief summary of the proposed Data Protection Framework

A brief summary of the proposed Data Protection Framework

Varun Marwah

The much-awaited report of the Committee on Data Protection was released yesterday, along with the The Personal Data Protection Bill, 2018.

The Committee was chaired by Former Supreme Court Judge, Justice B N Srikrishna. Most of the principles and findings in the report have also been hardcoded in the draft legislation. The entire Parliamentary process, to convert this bill into a legislation, is still left.

The proposed data protection framework will be replacing Section 43A of the Information Technology Act and will  require amendments to  be made to as many as 50 other laws, including the Aadhar Act and the Right To Information Act.

While recognising various other data protection regimes across the globe, the report recorded that such regimes have acceptability in their respective jurisdiction because they ‘capture the zeitgeist of the citizen-state relationship that exists in each’. But at the same time, the report records, ‘it  is trite that neither is India’s understanding citizen-state relationship, nor its motivations for a data protection law, exactly coincident with each of the aforementioned jurisdictions.

The report and the draft law introduces the concept of ‘data principal’ and ‘data fiduciary’. Data principal, simply, would be the natural person to whom the data relates whereas data fiduciary would be any person, including the State, a company, any juristic entity or any individual who determines the purpose and means of processing of personal data.

The report and draft law also propose the establishment of a an independent Data Protection Authority (DPA) to act as a regulator for enforcement of the data protection framework with the following functions (i) monitoring and enforcement; (ii) legal affairs, policy and standard setting; (iii) research and awareness; (iv) inquiry, grievance handling and adjudication.

Following are some of the key features of the Report:


The law (not having retrospective application) will have jurisdiction over the processing of personal data if such data has been ‘used, shared, disclosed, collected or otherwise processed in India’;  with exceptions to such companies which only process the personal data of foreign nationals not present in India.

However, in respect of processing by fiduciaries that are not present in India, the law will apply to those carrying on business in India or other activities such as, profiling which could cause privacy harms to data principals in India.

Processing of data

Processing of data by both, public and private entities will covered. The definition of personal data will be based on identifiability and, the DPA further has the authority to issue guidance explaining the standards in the definition applicable to different categories of personal data in different contexts.

The principle of granting protection to community data has also been recognised by the Committee, which will be facilitated through another suitable law.

While consent is one of the key principles of data processing, processing activities carried out by the State under draft law will be covered under Non-Consensual Grounds of Processing, ensuring that it is in furtherance of public interest and governance.

Several exemptions, some absolute while some discretionary, have been granted such as for, Security of the State, Disclosure for the Purpose of Legal Proceedings, Research Activities, journalistic purposes.

Obligations of data fiduciary

The report imposes certain obligation on the data fiduciaries, which include the principles of collection and purpose limitation.

Further, a principle of transparency is incumbent on data fiduciaries from the time the data is collected to various points in the interim. Most prominently, a data fiduciary is obliged to provide notice to the data principal no later than at the time of the collection of her personal data.

Data Principal rights

The right to confirmation, access and correction form part of the  draft law.  Further, the right to data portability, also find place in the draft law.

The draft law also adopts the right to be forgotten which may be given effect to, by the Adjudication Wing of the DPA while determining its applicability on the basis of a five-point criteria laid down.

Transfer of personal data outside India

Cross border data transfers of personal data, other than critical personal data, will be through done through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.

While some jurisdictions will get green-light transfers in consultation with DPA, intra-group schemes will be applicable for cross-border transfers within group entities.

(Image taken from here)

(Read the Report)

Bar and Bench - Indian Legal news