The Proposed Regulation of DNA Profiling Raises Critical Privacy Concerns

The Union Cabinet recently approved the DNA Technology (Use and Application) Regulation Bill, 2018 (“DNA Profiling Bill”), which is scheduled to be introduced in Parliament today (31st July). The Bill is largely based on the 2017 Law Commission Report on “Human DNA Profiling – A draft Bill for the Use and Regulation of DNA-Based Technology”, which seeks to expand “the application of DNA-based forensic technologies to support and strengthen the justice delivery system of the country.

Apart from identifying suspects and maintaining a registry of offenders, the Bill seeks to enable cross-matching between missing persons and unidentified dead bodies, and establishing victim identity in mass disasters.

Features of the Bill:

The Bill envisages the setting up of a DNA profiling board which shall function as the regulatory authority and lay down guidelines, standards and procedures for the functioning of DNA laboratories and grant them accreditation. The board will also assist the government in setting up new data banks and advise the government on “all issues relating to DNA laboratories”. In addition, it will make recommendations on legislation and practices relating to privacy issues around storage and access to DNA samples.  

DNA data banks will also be established, consisting of a national data bank as well as the required number of regional data banks. Regional data banks must mandatorily share all their information with the national data bank. Every data bank shall maintain databases of five categories of data – crime scenes, suspects or undertrials, offenders, missing persons, and unknown deceased persons.

The 2017 draft has made significant changes to address concerns raised about the previous 2015 draft. These include removing the index of voluntarily submitted DNA profiles, deleting the provision allowing the DNA profiling board to create any other index as necessary, detailing serious offences for DNA collection, divesting the database manager of discretionary powers, and introducing redressal mechanisms by allowing any aggrieved person to approach the courts. Additionally, it has added legislative provisions authorising licensed laboratories, police stations and courts to collect and analyse DNA from certain categories of people, store it in data banks and use it to identify missing/ unidentified persons and as evidence during trial.

The new Bill has attempted to address previous concerns by limiting the purpose of DNA profiling, stating that it shall be undertaken exclusively for identification of a person and not to extract any other information. Safeguards have been put in place against misuse in the form of punishments for disclosure to unauthorised persons.

The Bill mandates consent of an accused before collection of bodily substances for offences other than specified. However, any refusal, if considered to be without good cause, can be disregarded by a Magistrate if there is reasonable cause to believe that such substances can prove or disprove guilt. Any person present during commission of a crime, questioned regarding a crime, or seeking a missing family member, may volunteer in writing to provide bodily substances. The collection of substances from minors and disabled persons requires the written consent of their parents or guardians. Collection from victims or relatives of missing persons requires the written consent of the victim or relative. Details of persons who are not offenders or suspects in a crime cannot be compared to the offenders’ or suspects’ index, and any communication of details can only be to authorised persons.

Areas of Concern:

Although the Bill claims that DNA testing is 99.9% foolproof, doubts have recently been raised about the possibility of a higher error rate than previously claimed. This highlights the need for the proposed legislation to provide safeguards in the event of error or abuse.

The issue of security of all the data concentrated in data banks is of paramount importance in light of its value to both government and private entities. The Bill fails to clearly spell out restrictions or to specify who has access to these data banks.

Previous iterations of the Bill have prompted civil society to express their reservations about the circumstances under which DNA can be collected, issues of consent to collection, access to and retention of data, and whether such information can be exploited for purposes beyond those envisaged in the legislation. As in the case of Aadhaar, important questions arise regarding how such valuable genetic information will be safeguarded against theft or contamination, and to what extent this information can be accessed by different agencies. The present Bill has reduced the number of CODIS loci that can be processed from 17 to 13, thus restricting identification only to the necessary extent. However, this provision has not been explicitly stated in the provisions of the legislation itself, casting doubt over the manner in which it will be implemented.

Written consent is mandatory before obtaining a DNA sample, however withholding of consent can be overruled by a Magistrate if deemed necessary. An individual’s DNA profile can only be compared against crime scene, missing person or unknown deceased person indices. A court order is required to expunge the profile of an undertrial or a suspect, whose profile can also be removed after filing of a police report. Any person who is not a suspect or a convicted offender can only have their profile removed on a written petition to the director of the data bank. The consent clause is also waived if a person has been accused of a crime punishable either by death or more than seven years in prison. However, the Bill is silent on how such a person’s profile is to be removed on acquittal.

Moreover, the Bill states that “the information contained in the crime scene index shall be retained”. The crime scene index captures a much wider data set as compared to the offenders’ index, since it includes all DNA evidence found around the crime scene, on the victim, or on any person who may be associated with the crime. The indefinite retention of most of these categories of data is unnecessary, as well as contrary to earlier provisions that provide for such data to be expunged. However, the government has claimed that such information will be removed “subject to judicial orders”. Importantly, the Bill does not contain a sunset provision that would ensure that records are automatically expunged after a prescribed period.

While the Bill provides strict penalties for deliberate tampering or contamination of biological evidence, the actual mechanisms for carrying out quality control and analysis have been left out of the parent legislation and left to the purview of the rules.

Crucially, the Bill has not explicitly defined privacy and security protections such as implementation of safeguards, use and dissemination of genetic information, security and confidentiality and other privacy concerns within the legislation itself – leaving such considerations to the purview of regulation (and out of parliamentary oversight). The recently released Personal Data Protection Bill, 2018 does little to allay these concerns. As per this Bill, DNA Banks will be classified as significant data fiduciaries, and thus subject to audits, data protection impact assessments, and appointment of a special data protection officer. However, although genetic information is classified as sensitive personal data, the Data Protection Bill does not provide sufficient safeguards against the processing of such data by the State. In light of the proposed data protection framework, and the Supreme Court confirming that the right to privacy (including the right to bodily integrity) is a fundamental right, the DNA Profiling Bill as it stands in its present form cannot be implemented without violating the fundamental right to privacy.

Advertisements

The Personal Data Protection Bill, 2018

After months of speculation, the Committee of Experts on data protection (“Committee”), led by Justice B N Sri Krishna, has submitted its recommendations and a draft data protection bill to the Ministry of Electronics and Information Technology (“MEITY”) today. As we sit down for some not-so-light weekend reading to understand what our digital futures could look like if the committee’s recommendations are adopted, this series puts together a quick summary of the Personal Data Protection Bill, 2018 (“Bill”).

Scope and definitions

The Committee appears to have moved forward with the idea of a comprehensive, cross-sectoral data protection legislation that was advocated in its white paper published late last year. The Bill is meant to apply to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; and (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person / body of persons incorporated or created under Indian law. It also applies to any persons outside of India that engage in processing personal data of individuals in India. It does not apply to the processing of anonymised data.

The Bill continues to use the 2-level approach in defining the type of information that the law applies to. However, the definitions of personal data and sensitive personal data have been expanded upon significantly when compared to the definitions in our current data protection law.

Personal data includes “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information”. The move towards relying on ‘identifiability’, when read together with definitions of terms such as ‘anonymisation’, which focuses on irreversibility of anonymisation, is welcome, given that section 2 clearly states that the law will not apply in relation to anonymised data. However, the ability of data processors / the authority to identify whether an anonymisation process is irreversible in practice will need to be examined, before the authority sets out the criteria for such ‘anonymisation’.

Sensitive personal data on the other hand continues to be defined in the form of a list of different categories, albeit a much more expansive list, that now includes information such as / about official identifiers, sex life, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs.

Interestingly, the Committee has moved away from the use of other traditional data protection language such as data subject and data controller – instead arguing that the relationship between an individual and a person / organisation processing their data is better characterised as a fiduciary relationship. Justice Sri Krishna emphasised this issue during the press conference organised at the time of submission of the report, noting that personal data is not to be considered property.

Collection and Processing

The Bill elaborates on the notice and consent mechanisms to be adopted by ‘data fiduciaries’, and accounts for both data that is directly collected from the data principal, and data that is obtained via a third party. Notice must be given at the time of collection of personal data, and where data is not collected directly, as soon as possible. Consent must be obtained before processing.

The Committee’s earlier white paper, and the report accompanying the Bill have both discussed the pitfalls in a data protection framework that relies so heavily on consent – noting that consent is often not informed or meaningful. The report however also notes that it may not be feasible to do away with consent altogether, and tries to address this issue by way of adopting higher standards for consent, and purpose limitation. The Bill also provides that consent is to be only one of the grounds for processing of personal data. However, this seems to result in some catch-all provisions allowing processing for ‘reasonable purposes’. While it appears that these reasonable purposes may need to be pre-determined by the data protection authority, the impact of this section will need to be examined in greater detail. The other such wide provision in this context seems to allow the State to process data – another provision that will need more examination.

Sensitive personal data

Higher standards have been proposed for the processing of sensitive personal data, as well as personal / sensitive personal data of children. The emphasis on the effect of processing of certain types of data, keeping in mind factors such as the harm caused to a ‘discernible class of persons’, or even the provision of counselling or child protection services in these sections is welcome. However, there remains a wide provision allowing for the State to process sensitive personal data (of adults), which could be cause for concern.

Rights of data principals

The Bill also proposes 4 sets of rights for data principals: the right to confirmation and access, the right to correction, the right to data portability, and the right to be forgotten. There appears to be no right to erasure of data, apart from a general obligation on the data fiduciary to delete data once the purpose for collection / processing of data has been met. The Bill proposes certain procedural requirements to be met by the data principal exercising these rights – an issue which some have already pointed out may be cause for concern.

Transparency and accountability

The Bill requires all data fiduciaries to adopt privacy by design, transparency and security measures.

Each data fiduciary is required to appoint a data protection officer, conduct data protection impact assessments before the adoption of certain types of processing, maintain records of data processing, and conduct regular data protection audits. These obligations are applicable to those notified as ‘significant data fiduciaries’, depending on criteria such as the volume and sensitivity of personal data processed, the risk of harm, the use of new technology, and the turnover of the data fiduciary.

The requirements for data protection impact assessments is interesting – an impact assessment must be conducted before a fiduciary undertakes any processing involving new technologies, or large scale profiling or use of sensitive personal data such as genetic or biometric data (or any other data processing which carries a risk of significant harm to data principals). If the data protection authority thinks that such processing may cause harm (based on the assessment), they may direct the fiduciary to cease such processing, or impose conditions on the processing. The language here implies that these requirements could be applicable to processing by the State / private actors, where new technology is used in relation to Aadhaar, among other things. However, as mentioned above, this will be subject to the data fiduciary in question being notified as a ‘significant data fiduciary’.

In a welcome move, the Bill also provides a process for notification in the case of a breach of personal data by data fiduciaries. However, this requirement is limited to notifying the data protection authority, which then decides whether there is a need to notify the data principal involved. It is unfortunate that the Committee has chosen to limit the rights of data principals in this regard, making them rely instead on the authority to even be notified of a breach that could potentially harm them.

Cross border transfer of data

In what has already become a controversial move, the Bill proposes that at least one copy of all personal data under the law, should be stored on a server or data centre located in India. In addition, the central government (not the data protection authority) may notify additional categories of data that are ‘critical’ and should be stored only in India.

Barring exceptions in the case of health / emergency services, and transfers to specific international organisations, all transfer of personal data outside India will be subject to the approval of the data protection authority, and in most cases, consent of the data principal.

This approval may be in the form of approval of standard contractual clauses applicable to the transfer, or a blanket approval of transfers to a particular country / sector within a country.

This provision is ostensibly in the interest of the data principals, and works towards ensuring a minimum standard of data protection. The protection of the data principal under this provision, like many other provisions, including those relating to data breach notifications to the data principal, will be subject to the proper functioning of the data protection authority. In the past, we have seen that simple steps such as notification of security standards under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, have not been undertaken for years.

In the next post in this series, we will discuss the functions of the authority, and other provisions in the Bill, including the exemptions granted, and penalties and remedies provided for.

The General Data Protection Regulation and You

A cursory look at your email inbox this past month presents an intriguing trend. Multiple online services seem to have taken it upon themselves to notify changes to their Privacy Policies at the same time. The reason, simply, is that the European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, 2018.

The GDPR marks a substantial overhaul of the existing data protection regime in the EU, as it replaces the earlier ‘Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.’ The Regulation was adopted by the European Parliament in 2016, with a period of almost two years to allow entities sufficient time to comply with their increased obligations.

The GDPR is an attempt to harmonize and strengthen data protection across Member States of the European Union. CCG has previously written about the Regulation and what it entails here. For one, the instrument is a ‘Regulation’, as opposed to a ‘Directive’. A Regulation is directly binding across all Member States in its entirety. A Directive simply sets out a goal that all EU countries must achieve, but allows them discretion as to how. Member States must enact national measures to transpose a Directive, and this can sometimes lead to a lack of uniformity across Member States.

The GDPR introduces, among other things, additional rights and protections for data subjects. This includes, for instance, the introduction of the right to data portability, and the codification of the controversial right to be forgotten. Our writing on these concepts can be found here, and here. Another noteworthy change is the substantial sanctions that can be imposed for violations. Entities that fall foul of the Regulation may have to pay fines up to 20 million Euros, or 4% of global annual turnover, whichever is higher.

The Regulation also has consequences for entities and users outside the EU. First, the Regulation has expansive territorial scope, and applies to non-EU entities if they offer goods and services to the EU, or monitor the behavior of EU citizens. The EU is also a significant digital market, which allows it to nudge other jurisdictions towards the standards it adopts. The Regulation (like the earlier Directive) restricts the transfer of personal data to entities outside the EU to cases where an adequate level of data protection can be ensured. This has resulted in many countries adopting regulation in compliance with EU standards. In addition, with the implementation of the GDPR, companies that operate in multiple jurisdictions might prefer to maintain parity between their data protection policies. For instance, Microsoft has announced that it will extend core GDPR protections to its users worldwide. As a consequence, many of the protections offered by the GDPR may in effect become available to users in other jurisdictions as well.

The implementation of the GDPR is also of particular significance to India, which is currently in the process of formulating its own data protection framework. The Regulation represents a recent attempt by a jurisdiction (that typically places a high premium on privacy) to address the harms caused by practices surrounding personal data. The lead-up to its adoption and implementation has generated much discourse on data protection and privacy. This can offer useful lessons as we debate the scope and ambit of our own data protection regulation.

Towards a Data Protection Framework (CCG Privacy Law Series)

Smitha and I are writing a series of papers on a data protection law for India, based on our research. We hope that our discussion of the options before us and their relative merits and demerits will help other engage with these difficult questions in a nuanced manner.

The first paper sets out the context for the data protection law. It discusses the
reasons and purpose for regulation and what specifically will be regulated.
It also discusses who will be regulated, since this is important while
considering the regulatory strategies to use while implementing the data
protection principles. It is available here.

Back to the Basics: Framing a New Data Protection Law for India

Over the past decade or so, the use of personal and big data has changed the way many businesses and governments operate. Regulators and legislative bodies have been struggling to keep up with the changes in technology, and increasing concerns about what it means for the privacy of individuals.

In India, we have worked with the Information Technology Act, 2000 (IT Act)[1], and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Data Protection Rules) for a few years now[2]. These rules were arguably put together as a response to claims that Indian law did not meet European data protection standard, and for the purpose of ensuring that Indian companies do not lose cross border business (with the European Union)[3]. The rules are fraught with inconsistencies, right from the scope of the rules, to the manner in which they can be enforced[4].

Barring these rules, we have had minimal regulations on the use of personal data in certain sectors[5].

The Committee of Experts (Committee), constituted by Ministry of Electronics and Information Technology (MEITY), is currently working on recommendations regarding a new legal and regulatory framework for protection of personal data in India[6]. With all signs pointing only towards an increase in not only data driven businesses, but also data driven solutions to problems in many aspects of our life, it is imperative that we get it right this time.

The constant change and development in tech over the past few decades has shown us that it may be difficult to predict the way our technology and the internet will look in 10 years. It may be even more difficult to put in place the perfect legal system that addresses such technology. However, ensuring that the basic premise of the data protection law – what / who does it aim to protect, what the scope of the law is, and what principles the law is meant to uphold – is balanced and robust, will go a long way in ensuring that we have a strong, yet flexible legal framework[7].

In my paper titled ‘Back to the Basics: Framing a New Data Protection Law for India’, I take a preliminary look at each of these three concepts, while focusing largely on some of the principles that data protection laws have traditionally relied on, and how they can be revisited in today’s context.

The paper is available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3113536

 

 

[1] Information Technology Act, 2000, available at https://indiankanoon.org/doc/1965344/ (last visited on January 30, 2018)

[2] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, available at http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf (last visited on January 30, 2018)

[3] Krishna Prasad, Smitha, (Draft) Paper on Information Technology Act, 2000 and the Data Protection Rules (December 30, 2017). Available at SSRN: https://ssrn.com/abstract=3094792 (last visited on January 30, 2018)

[4] Krishna Prasad, Smitha, (Draft) Paper on Information Technology Act, 2000 and the Data Protection Rules (December 30, 2017). Available at SSRN: https://ssrn.com/abstract=3094792 (last visited on January 30, 2018)

[5] International Comparative Legal Guide, Chapter on Data Protection in India, 2017, https://iclg.com/practice-areas/data-protection/data-protection-2017/india (last visited on January 30, 2018)

[6] http://meity.gov.in/writereaddata/files/meity_om_constitution_of_expert_committee_31072017.pdf (last visited on January 30, 2018)

[7] Krishna Prasad, Smitha, “Defining ‘personal info’ broadly key to protecting it”, January 21, 2018, available at:  http://m.deccanherald.com/?name=http://www.deccanherald.com/content/655012/defining-personal-info-broadly-key.html (last visited on January 30, 2018)

Call for Applications – Civil Liberties

Update: Deadline to apply extended to January 15, 2018! 

The Centre for Communication Governance at the National Law University Delhi (CCG) invites applications for research positions in its Civil Liberties team on a full time basis.

About the Centre

The Centre for Communication Governance is the only academic research centre dedicated to working on the information law and policy in India and in a short span of four years has become a leading centre on information policy in Asia. It seeks to embed human rights and good governance within communication policy and protect digital rights in India through rigorous academic research and capacity building.

The Centre routinely works with a range of international academic institutions and policy organizations. These include the Berkman Klein Center at Harvard University, the Programme in Comparative Media Law and Policy at the University of Oxford, the Center for Internet and Society at Stanford Law School, Hans Bredow Institute at the University of Hamburg and the Global Network of Interdisciplinary Internet & Society Research Centers. We engage regularly with government institutions and ministries such as the Law Commission of India, Ministry of Electronics & IT, Ministry of External Affairs, the Ministry of Law & Justice and the International Telecommunications Union. We work actively to provide the executive and judiciary with useful research in the course of their decision making on issues relating to civil liberties and technology.

CCG has also constituted two advisory boards, a faculty board within the University and one consisting of academic members of our international networks. These boards will oversee the functioning of the Centre and provide high level inputs on the work undertaken by CCG from time to time.

About Our Work

The work at CCG is designed to build competence and raise the quality of discourse in research and policy around issues concerning civil liberties and the Internet, cybersecurity and global Internet governance. The research and policy output is intended to catalyze effective, research-led policy making and informed public debate around issues in technology and Internet governance.

The work of our civil liberties team covers the following broad areas:

  1. Freedom of Speech & Expression: Research in this area focuses on human rights and civil liberties in the context of the Internet and emerging communication technology in India. Research on this track squarely addresses the research gaps around the architecture of the Internet and its impact on free expression.
  2. Access, Markets and Public Interest: The research under this area will consider questions of access, including how the human right to free speech could help to guarantee access to the Internet. It would identify areas where competition law would need to intervene to ensure free, fair and human rights-compatible access to the Internet, and opportunities to communicate using online services. Work in this area will consider how existing competition and consumer protection law could be applied to ensure that freedom of expression in new media, and particularly the internet, is protected given market realities on the supply side. We will under this track put out material regarding the net neutrality concerns that are closely associated to the competition, innovation, media diversity and protection of human rights especially rights to free expression and the right to receive information and particularly to substantive equality across media. It will also engage with existing theories of media pluralism in this context.
  3. Privacy, Surveillance & Big Data: Research in this area focuses on surveillance as well as data protection practices, laws and policies. The work may be directed either at the normative questions that arise in the context of surveillance or data protection, or at empirical work, including data gathering and analysis, with a view to enabling policy and law makers to better understand the pragmatic concerns in developing realistic and effective privacy frameworks. This work area extends to the right to be forgotten and data localization.

Role

CCG is a young and continuously evolving organization and the members of the centre are expected to be active participants in building a collaborative, merit led institution and a lasting community of highly motivated young researchers.

Selected applicants will ordinarily be expected to design and produce units of publishable research with Director(s)/ senior staff members. They will also be recommending and assisting with designing and executing policy positions and external actions on a broad range of information policy issues.

Equally, they will also be expected to participate in other work, including writing opinion pieces, blog posts, press releases, memoranda, and help with outreach. The selected applicants will also represent CCG in the media and at other events, roundtables, and conferences and before relevant governmental, and other bodies. In addition, they will have organizational responsibilities such as providing inputs for grant applications, networking and designing and executing Centre events.

Qualifications

The Centre welcomes applications from candidates with advanced degrees in law, public policy and international relations.

  • All candidates must preferably be able to provide evidence of an interest in human rights / technology law and / or policy / Internet governance/ national security law as well. In addition, they must have a demonstrable capacity for high-quality, independent work.
  • In addition to written work, a project/ programme manager within CCG will be expected to play a significant leadership role. This ranges from proactive agenda-setting to administrative and team-building responsibilities.
  • Successful candidates for the project / programme manager position should show great initiative in managing both their own and their team’s workloads. They will also be expected to lead and motivate their team through high stress periods and in responding to pressing policy questions.

However, the length of your resume is less important than the other qualities we are looking for. As a young, rapidly-expanding organization, CCG anticipates that all members of the Centre will have to manage large burdens of substantive as well as administrative work in addition to research. We are looking for highly motivated candidates with a deep commitment to building information policy that supports and enables human rights and democracy.

At CCG, we aim very high and we demand a lot of each other in the workplace. We take great pride in high-quality outputs and value individuality and perfectionism. We like to maintain the highest ethical standards in our work and workplace, and love people who manage all of this while being as kind and generous as possible to colleagues, collaborators and everyone else within our networks. A sense of humour will be most welcome. Even if you do not necessarily fit requirements mentioned in the two bulleted points but bring to us the other qualities we look for, we will love to hear from you.

[The Centre reserves the right to not fill the position(s) if it does not find suitable candidates among the applicants.]

Positions

Based on experience and qualifications, successful applicants will be placed in the following positions. Please note that our interview panel has the discretion to determine which profile would be most suitable for each applicant.

  • Programme Officer (2-4 years’ work experience)
  • Project Manager (4-6 years’ work experience)
  • Programme Manager (6-8 years’ work experience)

A Master’s degree from a highly regarded programme might count towards work experience.

CCG staff work at the Centre’s offices at National Law University Delhi’s campus. The positions on offer are for duration of one year and we expect a commitment for two years.

Remuneration

The salaries will be competitive, and will usually range from ₹50,000 to ₹1,20,000 per month, depending on multiple factors including relevant experience, the position and the larger research project under which the candidate can be accommodated.

Where candidates demonstrate exceptional competence in the opinion of the interview panel, there is a possibility for greater remuneration.

Procedure for Application

Interested applicants are required to send the following information and materials by December 30, 2017 to ccgcareers@nludelhi.ac.in.

  1. Curriculum Vitae (maximum 2 double spaced pages)
  2. Expression of Interest in joining CCG (maximum 500 words).
  3. Contact details for two referees (at least one academic). Referees must be informed that they might be contacted for an oral reference or a brief written reference.
  4. One academic writing sample of between 1000 and 1200 words (essay or extract, published or unpublished).

Shortlisted applicants may be called for an interview.

 

CCG’s recommendations to the TRAI Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector – Part III

In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI (available here), in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise. 

In our previous posts, we discussed the background against which we have provided our responses and recommendations, and the need for a separate regulatory framework for data within the telecom sector, in the context of the jurisdiction and powers of the TRAI.

In this post, we look at the basic data protection principles that we recommend form the basis for any new data protection regulation. Several of these principles are also discussed in the white paper of the Committee of Experts on a Data Protection Framework for India.

Any new data protection regulation, whether applicable across industries and sectors, or applicable only to the telecom sector, should be based on sound principles of privacy and data protection. As discussed in the Consultation Paper, the Report of the Group of Experts on Privacy[1] (GOE Report) identified 9 national privacy principles to be adopted in drafting a privacy law for India. These principles are listed below[2]:

  • Notice: A data controller, which refers to any organization that determines the purposes and means of processing the personal information of users, shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include disclosures on what personal information is being collected; purpose for collection and its use; whether it will be disclosed to third parties; notification in case of data breach, etc.
  • Choice and consent: A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices.
  • Collection limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection.
  • Purpose limitation: Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed.
  • Access and correction: Individuals shall have access to personal information about them held by a data controller and be able to seek correction, amendments, or deletion of such information, where it is inaccurate.
  • Disclosure of Information: A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure.
  • Security: A data controller shall secure personal information using reasonable security safeguards against loss, unauthorised access or use and destruction.
  • Openness: A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.
  • Accountability: The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies, including training and education, audits, etc.

With the growth of businesses driven by big data, there is now a demand for re-thinking these principles, especially those relating to notice and consent[3].

While notice, consent and the other principles set forth in the GOE Report have formed the basis for data protection laws for many years now, additional principles have been developed in many jurisdictions across the world. In order to ensure that any new regulations in India are up to date and effective, it will be prudent to study such principles and identify the best practices that can then be incorporated into Indian law.

Graham Greenleaf has compared data protection laws across Europe and outside Europe and found that today, second and third generation ‘European Standards’ are being implemented across jurisdictions[4]. These ‘European Standards’, refer to standards that are applicable under European Union (EU) law, in addition to the original principles developed by the Organisation for Economic Co-operation and Development (OECD)[5]. The second generation European Standards that are most commonly seen outside the EU are:

  • Recourse to the courts to enforce data privacy rights (including. compensation, and appeals from decisions of DPAs)
  • Destruction or anonymisation of personal data after a period
  • Restricted data exports based on data protection provided by recipient country (‘adequate’), or alternative guarantees
  • Independent Data Protection Authority (DPA)
  • Minimum collection necessary for the purpose (not only ‘limited’)
  • General requirement of ‘fair and lawful processing’ (not only collection)
  • Additional protections for sensitive data in defined categories
  • To object to processing on compelling legitimate grounds, including to ‘opt-out’ of direct marketing uses of personal data
  • Additional restrictions on some sensitive processing systems (notification; ‘prior checking’ by DPA.)
  • Limits on automated decision-making (including right to know processing logic)

He also notes that there are several new principles put forward in the EU’s new General Data Protection Regulation[6] (GDPR) itself, and that it remains to be seen which of these will become global standards outside the EU. The most popular of these principles, which he refers to as ‘3rd General European Standards’ are[7]:

  • Data breach notifications to the DPA for serious breaches
  • Data breach notifications to the data subject (if high risk)
  • Class action suits to be allowed before DPAs or courts by public interest privacy groups
  • Direct liability for processors as well as controllers
  • DPAs to make decisions and issue administrative sanctions, including fines.
  • Opt-in requirements for marketing
  • Mandatory appointment of data protection officers in companies that process sensitive personal data.

We note that there exist other proposed frameworks that aim to regulate data protection and ease compliances required by businesses. Such additional frameworks may also be considered while formulating new data protection principles and regulations in India. However, it is recommended that the ‘European Standards’ described above, i.e. those set out in the GDPR may be adopted as the base on which any new regulations are built. This would ensure that India has greater chances of being recognised as having ‘adequate’ data protection frameworks by the EU, and improve our trade relations with the EU and other countries that adopt similar standards.

Professor Greenleaf’s studies suggest that the 2nd and 3rd General European Standards are being adopted by several countries outside the European Union. We note here that adoption of principles that are considered best practices across jurisdictions would also assist in increasing interoperability for businesses that operate across borders.

While adoption of these practices is likely to raise the cost of compliance, it is also likely to ensure that India remains a very competitive market globally for the outsourcing of services. In the long term, this will benefit Indian industry and the Indian economy. It will also safeguard the privacy rights of Indian citizens in the best possible manner.

[1] Report of the Group of Experts on Privacy, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[2] Report of the Group of Experts on Privacy, Chapter 3, as summarised in the TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, pages 7-9

[3] TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, Page 9; and Rahul Matthan, Beyond Consent: A New Paradigm for Data Protection, available at http://takshashila.org.in/takshashila-policy-research/discussion-document-beyond-consent-new-paradigm-data-protection/ (last visited on November 5, 2017)

[4] Graham Greenleaf, European data privacy standards in laws outside Europe, Privacy Law and Business International Report, Issue 149

[5]OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited on November 5, 2017)

[6] General Data Protection Regulation, Regulation (EU) 2016/679

[7] Graham Greenleaf, Presentation on 2nd & 3rd generation data privacy standards implemented in laws outside Europe (to be published and available on request).