In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI (available here), in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise.
In our previous posts, we discussed the background against which we have provided our responses and recommendations, and the need for a separate regulatory framework for data within the telecom sector, in the context of the jurisdiction and powers of the TRAI.
In this post, we look at the basic data protection principles that we recommend form the basis for any new data protection regulation. Several of these principles are also discussed in the white paper of the Committee of Experts on a Data Protection Framework for India.
Any new data protection regulation, whether applicable across industries and sectors, or applicable only to the telecom sector, should be based on sound principles of privacy and data protection. As discussed in the Consultation Paper, the Report of the Group of Experts on Privacy (GOE Report) identified 9 national privacy principles to be adopted in drafting a privacy law for India. These principles are listed below:
- Notice: A data controller, which refers to any organization that determines the purposes and means of processing the personal information of users, shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include disclosures on what personal information is being collected; purpose for collection and its use; whether it will be disclosed to third parties; notification in case of data breach, etc.
- Choice and consent: A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices.
- Collection limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection.
- Purpose limitation: Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed.
- Access and correction: Individuals shall have access to personal information about them held by a data controller and be able to seek correction, amendments, or deletion of such information, where it is inaccurate.
- Disclosure of Information: A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure.
- Security: A data controller shall secure personal information using reasonable security safeguards against loss, unauthorised access or use and destruction.
- Openness: A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.
- Accountability: The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies, including training and education, audits, etc.
With the growth of businesses driven by big data, there is now a demand for re-thinking these principles, especially those relating to notice and consent.
While notice, consent and the other principles set forth in the GOE Report have formed the basis for data protection laws for many years now, additional principles have been developed in many jurisdictions across the world. In order to ensure that any new regulations in India are up to date and effective, it will be prudent to study such principles and identify the best practices that can then be incorporated into Indian law.
Graham Greenleaf has compared data protection laws across Europe and outside Europe and found that today, second and third generation ‘European Standards’ are being implemented across jurisdictions. These ‘European Standards’, refer to standards that are applicable under European Union (EU) law, in addition to the original principles developed by the Organisation for Economic Co-operation and Development (OECD). The second generation European Standards that are most commonly seen outside the EU are:
- Recourse to the courts to enforce data privacy rights (including. compensation, and appeals from decisions of DPAs)
- Destruction or anonymisation of personal data after a period
- Restricted data exports based on data protection provided by recipient country (‘adequate’), or alternative guarantees
- Independent Data Protection Authority (DPA)
- Minimum collection necessary for the purpose (not only ‘limited’)
- General requirement of ‘fair and lawful processing’ (not only collection)
- Additional protections for sensitive data in defined categories
- To object to processing on compelling legitimate grounds, including to ‘opt-out’ of direct marketing uses of personal data
- Additional restrictions on some sensitive processing systems (notification; ‘prior checking’ by DPA.)
- Limits on automated decision-making (including right to know processing logic)
He also notes that there are several new principles put forward in the EU’s new General Data Protection Regulation (GDPR) itself, and that it remains to be seen which of these will become global standards outside the EU. The most popular of these principles, which he refers to as ‘3rd General European Standards’ are:
- Data breach notifications to the DPA for serious breaches
- Data breach notifications to the data subject (if high risk)
- Class action suits to be allowed before DPAs or courts by public interest privacy groups
- Direct liability for processors as well as controllers
- DPAs to make decisions and issue administrative sanctions, including fines.
- Opt-in requirements for marketing
- Mandatory appointment of data protection officers in companies that process sensitive personal data.
We note that there exist other proposed frameworks that aim to regulate data protection and ease compliances required by businesses. Such additional frameworks may also be considered while formulating new data protection principles and regulations in India. However, it is recommended that the ‘European Standards’ described above, i.e. those set out in the GDPR may be adopted as the base on which any new regulations are built. This would ensure that India has greater chances of being recognised as having ‘adequate’ data protection frameworks by the EU, and improve our trade relations with the EU and other countries that adopt similar standards.
Professor Greenleaf’s studies suggest that the 2nd and 3rd General European Standards are being adopted by several countries outside the European Union. We note here that adoption of principles that are considered best practices across jurisdictions would also assist in increasing interoperability for businesses that operate across borders.
While adoption of these practices is likely to raise the cost of compliance, it is also likely to ensure that India remains a very competitive market globally for the outsourcing of services. In the long term, this will benefit Indian industry and the Indian economy. It will also safeguard the privacy rights of Indian citizens in the best possible manner.
 Report of the Group of Experts on Privacy, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf
 Report of the Group of Experts on Privacy, Chapter 3, as summarised in the TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, pages 7-9
 TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, Page 9; and Rahul Matthan, Beyond Consent: A New Paradigm for Data Protection, available at http://takshashila.org.in/takshashila-policy-research/discussion-document-beyond-consent-new-paradigm-data-protection/ (last visited on November 5, 2017)
 Graham Greenleaf, European data privacy standards in laws outside Europe, Privacy Law and Business International Report, Issue 149
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited on November 5, 2017)
 General Data Protection Regulation, Regulation (EU) 2016/679
 Graham Greenleaf, Presentation on 2nd & 3rd generation data privacy standards implemented in laws outside Europe (to be published and available on request).