
International Journal of Pure and Applied Mathematics
Volume 119 No. 17 2018, 919-931
ISSN: 1314-3395 (on-line version)
url: http://www.acadpubl.eu/hub/
Special Issue

An Overview of the Changing Data Privacy Landscape in India with Regard to the Role of Data Controllers

S. Sandesh Saravanan (1) and M. Kannappan (2)

(1) Saveetha School of Law, Saveetha Institute of Medical and Technical Sciences, Saveetha University, Chennai. [email protected]
(2) Saveetha School of Law, Saveetha Institute of Medical and Technical Sciences, Saveetha University, Chennai. [email protected]
Abstract

Technology is one of the major forces transforming our lives. However, its misuse causes detrimental effects. The digital era has opened up a host of concerns such as data theft, scams, eavesdropping and cyberbullying, to name a few, with the overarching concern being intrusion into the privacy of individuals. In the Indian context, factors such as nuclear families and cultural views have for ages stifled the need for personal space and privacy. However, urbanisation, digitisation and changing lifestyles have resulted in a growing demand amongst Indians for privacy and for protection of the information they share, specifically on digital platforms. The Supreme Court's recent holding that the right to privacy is a fundamental right lays the cornerstone for a strong data privacy regime in India. The data protection framework proposed by the Committee of Experts under the chairmanship of former Supreme Court judge Shri B. N. Srikrishna is the first step in India's data privacy journey. In addition to policies, procedures and processes, a well-configured and comprehensive technology stack helps an organisation demonstrate how it protects and safeguards personal data. It is vital for organisations to plan, assess and evaluate their existing technology stack so that it may be leveraged to ensure and demonstrate compliance with the data protection law once it becomes effective.

Key Words: Data privacy, framework, data controller, regulation, restriction.


1. Introduction
The world has progressed from the Industrial Revolution, which came about
with the advent of rapid industrialisation, to the age of the Information
Revolution, which is distinguished by an economy based on information,
computerisation and digitalisation. However, increasing globalisation and
digitalisation have brought a lot of challenges. There has been an alarming rise
in cyber crimes on a global scale. With India also moving towards a digital
economy with the adoption of Aadhaar and an ever-increasing dependency on
information, the concerns over cyber security, data protection and privacy are
justified.

Further, in the wake of the Supreme Court ruling that privacy is a fundamental right, there is a growing sense of urgency in India to put in place a proper legislative framework to address the concerns over cyber security, data protection and privacy. Given these concerns, the Central Government of India set up a Committee of Experts, headed by Justice B. N. Srikrishna, to study the challenges surrounding data protection in India and to propose the principles on which the data privacy legislative framework should be based. The objective is to 'ensure growth of the digital economy while keeping personal data of citizens secured and protected'. (Cate & Cate 2012)

The committee's white paper identifies seven key principles on which the data protection framework must be built:

- Technology agnosticism: The law must be technology agnostic. It must be flexible enough to take into account changing technologies and standards of compliance. (Nettleton 2014)
- Holistic application: The law must apply to both private sector entities and the government.
- Informed consent: Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful.
- Data minimisation: Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and for other compatible purposes beneficial to the data subject.
- Controller accountability: The data controller shall be held accountable for any processing of data, whether by itself or by entities with whom it may have shared the data for processing.
- Structured enforcement: Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity.
- Deterrent penalties: Penalties on wrongful processing of data must be adequate to ensure deterrence.

The white paper is divided into three major parts:

Part II – Scope and exemptions;
Part III – Grounds of processing, obligations on entities and individual rights; and
Part IV – Regulation and enforcement.

Each part consists of brief notes on various aspects envisioned to be a part of the data protection framework. Each note, in turn, sets out the key issues that need to be considered, international practices relevant in this regard, provisional views of the committee based on its research and deliberations, and questions for public consultation.
Objectives of the Study

- To understand the data privacy framework proposed as the basis for a new law.
- To set out the accountability and responsibilities of the data controller of a company in regard to data privacy.

Hypothesis

Corporates actively handling data in India are not up to date with the evolved structure of the new global data privacy regime and are in dire need of updating their policies in order to continue functioning securely in India.

Research Methodology

The research methodology adopted by the researcher is doctrinal research. However, with a view to complementing and substantiating this research paper, the researcher corroborated the study with other forms of legal research such as comparative legal research, case studies and critical analysis. The paper also sets out the study materials and data, and their sources, procured by the researcher as the instruments for conducting the research.

2. Scope & Exemptions

Territorial and Personal Scope

As per the principle of territoriality, a state can exercise its jurisdictional powers within its territories. However, the borderless nature of the Internet raises several jurisdictional issues with respect to data protection. A single act of processing personal data could very easily span multiple jurisdictions (outside the state's territory) in which the state lacks the authority to exercise jurisdiction. To address this, the white paper states that, at a minimum, the data protection framework shall apply to entities (both public and private) within India and to processing involving the personal data of Indian residents and citizens. Extraterritorial applicability and jurisdiction, however, remain a major concern. (Kenny 1985)

The white paper recognises the need to extend the applicability of the data protection framework to any entity that processes the personal data of Indian citizens or residents, irrespective of where it may be located. However, the extent of this applicability is still under discussion.


Natural/Juristic Persons

At its heart, any data privacy law has a person (the data subject), and that person's right to privacy is what the data privacy law intends to safeguard.

In the eyes of the law, two kinds of person exist: a natural person and a juristic person.

The framework recognises a natural person as a living human being. A juristic person, on the other hand, is a bearer of rights and duties that is not a human being but is given legal personality by the law, for example a company.

The framework provides that the data protection legislation would apply only to natural persons and not to juristic persons. (ITGP Privacy Team 2017)
Personal Data

The framework defines personal data as follows:

'Data from which an individual is identified or identifiable/reasonably identifiable may be considered to be personal data. The identifiability can be direct or indirect.'

The framework also recognises that it is data about or relating to an individual that would be the subject matter of protection under the law. It further suggests that data in this context ought to include any kind of information, including opinions or assessments, irrespective of their accuracy. Additionally, the framework recognises that not all data within the category of information identified as personal data is qualitatively similar. The following definition has been provided for sensitive personal data: (Zhao n.d.)

'Such types of data are termed as sensitive, and may include religious beliefs, physical or mental health, sexual orientation, biometric and genetic data, racial or ethnic origin and health information.' (Blume 2015)
Public Sector vs Private Sector

The paper recognises that both public and private sector entities process
personal data about data subjects. It further identifies the need to protect an
individual’s informational privacy rights through a comprehensive data
protection framework which covers both public sector and private sector
entities.(Friedewald & Pohoryles 2016)
What about Past Processing–Retrospective Application

Compliance with any law becomes mandatory after it comes into effect. The
white paper suggests that, ordinarily, the regulation will impact the processing
activities performed on data (e.g. collection, use, storage, disclosure, retention)
after the legislation comes into force. This means that all processing activities
carried out once the legislation is active will come under the ambit of the law.


However, ensuring that past processing activities meet the standards and requirements laid out under the new law remains a challenge.

To address this challenge, the white paper briefly discusses the concept of a transition period, which gives entities time to bring their processing into compliance with the regulation in a consistent manner.

An organisation that collects personal data from the consumer and determines the purpose and manner in which the personal data is to be used is a data controller. Personal data can be sent outside the boundaries of the controller for further processing. Organisations that merely store, collect and process data on behalf of a controller are data processors. (Friedewald & Pohoryles 2016; Harbinja 2013)
Where does the Accountability Lie?

Accountability is a central principle in data protection. To translate data protection norms into action, a widely used method is to identify the party accountable for compliance with these norms. For this purpose, the concept of control over data is used.

In such systems, control over data refers to the competence to take decisions about the contents and use of data. An organisation that collects and processes personal data for its business transactions can fall under two broad categories: data controller and data processor. The framework recognises the concept of a 'data controller' to ensure accountability. However, whether to define 'data processors', 'third parties' or 'recipients' is currently under discussion, in order to determine the level of detail with which the law must allocate responsibility. (Jackson 1997)

3. Key Concepts Put Forth in the Framework

Consent

Consent is globally recognised as a lawful basis for processing personal data: it is the means by which data subjects allow or deny organisations the right to process their personal data.

Other Grounds for Processing

Although the white paper recognises consent as a very important basis for data processing activities, it acknowledges the need for other legally recognised grounds to permit the processing of personal data. The paper recognises contractual necessity, compliance with legal obligations, and situations of medical emergency as grounds to permit personal data processing.

It also considers other grounds adopted by the GDPR such as:

- Public interest;
- Vital interest;
- Legitimate interest; and
- Other residuary grounds of interest. (Abraham & Hickok 2012)


Privacy Notices

Organisations will be required to issue privacy notices to all data subjects prior to the collection or use of their personal data, and the notice should be designed in a manner that is easily understood by the data subject.

Despite considerable discussion on and criticism of privacy notices, the white paper recognises them as the means of placing individuals in a position that allows them to make an informed decision about the collection and use of their personal data. Like various other laws, the paper provides that a privacy notice should be designed with the end user always in mind. Further, it also recognises the need for privacy notices to be concise, intelligible and provided in an easily accessible form. The paper has also put forth the following views, which are currently under discussion:

- Define requirements on the form and substance of the notice.
- Require data protection authorities to issue guidelines and codes of practice to guide organisations in designing effective privacy notices. (ITGP Privacy Team 2017)
- Use privacy impact assessments and other enforcement tools to evaluate the effectiveness of privacy notices. (Sagar J et al. 2016)
Sensitive Personal Data

The white paper notes that there are certain categories of personal data which, if compromised, may result in greater harm to an individual in the form of social, financial and reputational repercussions. The paper recognises heightened protection of such data as crucial to safeguarding the interests of individuals when it is collected and processed. (Iyengar 2011; Goel et al. 2017)

However, the paper identifies the following topics for discussion:

- Evaluation of the categories of personal data classified as sensitive under Section 43A of the IT Act (the SPDI Rules) in the context of the Indian socio-economic environment; (Iyengar 2011)
- The need to identify controls for protection while processing sensitive personal data. (Mantelero 2016)
Storage Limitation and Data Quality

The white paper notes that most comprehensive data privacy laws and regulations have identified requirements for storage limitation and data quality when handling personal data. However, the paper mentions that these requirements would be addressed in the Indian data protection law at a later stage of maturity.
Right to be Forgotten

International instruments such as the General Data Protection Regulation (GDPR) (ITGP Privacy Team 2017) in Europe and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada envisage the right to be forgotten in some form and manner. The white paper also recognises the need to incorporate this right. However, it also highlights the following areas for discussion:

- Organisations will need to have a defined and robust communication channel (internally and externally) to be able to fulfil requests for the right to access, the right to rectification, etc., within a reasonable time.
- Organisations will have to completely map the capture, usage and storage of personally identifiable information to enable the deletion of data in response to a request received from the data subject. (ITGP Privacy Team 2017; Voigt & von dem Bussche 2017c)

4. Regulation and Enforcement

Regulatory Model

It is very important to consider both the government's enforcement perspective and the industry's perspective when defining a data protection framework. Given this context, choosing the right model for the Indian context is of great significance. Although the white paper discusses three models (command and control, self-regulation [the US being the best example here] and co-regulation), given the large-scale presence of almost all industries in India, it is imperative to consider industry perspectives while developing a data privacy framework. (Giurgiu 2017)
Accountability

The white paper primarily focuses on data controller accountability and obligations and brings out, at a very high level, the cases in which the data controller shall be held liable. However, there is little or no mention of data processor obligations, which are also very important in this context.

The paper also touches upon the existing privacy framework in India. Rule 8 of the SPDI Rules requires security controls to be in place in order to safeguard sensitive personal information. This can only be achieved by having a comprehensive information security programme aligned with the current threat landscape. (Bremmer 2018; Nicolaidou & Georgiades 2017)

Further, the importance of performing regular audits is discussed in the paper as a way for data controllers to maintain proof of compliance. However, the paper does not specify the periodicity at which the audits are required to be performed. (Giurgiu 2017; Kolah 2018)
Categorisation of Data Controllers

The white paper also calls out various obligations of a data controller, including:

- Registering with the supervisory authority,
- Conducting data protection impact assessments before processing personal data that could pose potential risks to individuals,
- Conducting data protection audits,
- Appointing data protection officers, etc.

However, the paper also emphasises that the above-mentioned obligations would apply only where the data controller processes high volumes of data or performs high-risk processing activities.

With respect to data protection audits, the paper proposes that they may be conducted by third parties or by the regulators themselves. Importantly, the paper also highlights the need for external auditors who are registered or empanelled with the data protection authority to maintain oversight of companies.

The following points need to be considered:

- To ensure compliance and demonstrate accountability, data controllers and processors may consider implementing adequate security safeguards (ISO 27001, NIST) or techniques such as data pseudonymisation. (Voigt & von dem Bussche 2017d)
- Further, organisations may need to implement a governance programme to ensure that processing of personal information is carried out lawfully and that the necessary proofs of compliance are maintained. (It Governance Privacy Team 2017)
- The paper proposes that breach notification requirements depend on the size and scale of the organisation and the quantum of the data breach. Accordingly, bigger organisations may face stringent breach notification requirements, while smaller organisations might be given some leeway. (Bremmer 2018)
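The pseudonymisation safeguard in the first point above, and the earlier note under Right to be Forgotten that a controller must map where personal data lives so it can be deleted on request, come down to the same engineering question: how does a controller hand data to a processor while remaining able to answer for it and to sever the link later? The following Python is an added example, not code from this paper or from the committee's white paper; the class and function names, the processor labels and the sample records are constructed for illustration. Per-subject keys are held only by the controller; each processor receives HMAC-derived pseudonyms instead of the direct identifier, and an erasure request is honoured by destroying the subject's key, after which no party can link the exported rows back to the person.

```python
"""Pseudonymisation and key destruction at the controller boundary.

Added example; not code from the paper or the Srikrishna white paper. It
assumes a controller that (a) exports minimised records to named processors
and (b) must later honour erasure requests. ControllerVault, the processor
labels and SAMPLE_RECORDS are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional


class ControllerVault:
    """Holds one random 256-bit key per data subject. Only the controller
    keeps this object; processors receive pseudonyms, never keys."""

    def __init__(self) -> None:
        self._subject_keys: Dict[str, bytes] = {}

    def pseudonym(self, identifier: str, processor: str) -> str:
        """Pseudonym for (subject, processor) = HMAC-SHA256(subject_key, processor).

        Deterministic per subject, so one processor can still link a subject's
        records; different processors get unrelated values, so two processors
        cannot join their datasets on the subject.
        """
        key = self._subject_keys.setdefault(identifier, secrets.token_bytes(32))
        return hmac.new(key, processor.encode("utf-8"), hashlib.sha256).hexdigest()

    def resolve(self, pseudonym: str, processor: str) -> Optional[str]:
        """Re-identification, possible only while the subject key exists.
        A linear scan is enough for illustration; a real vault would index."""
        for identifier, key in self._subject_keys.items():
            candidate = hmac.new(key, processor.encode("utf-8"), hashlib.sha256).hexdigest()
            if hmac.compare_digest(candidate, pseudonym):
                return identifier
        return None

    def erase(self, identifier: str) -> bool:
        """Erasure request: delete the subject key. Every pseudonym derived
        from it, including copies still held by processors, becomes
        unlinkable to the person. Returns False if no key was held."""
        return self._subject_keys.pop(identifier, None) is not None


def export_for_processor(vault: ControllerVault, records: Iterable[dict],
                         processor: str, allowed_fields: List[str]) -> List[dict]:
    """Apply data minimisation, then pseudonymise, before data leaves the controller.

    Only allowed_fields (the purpose-limited attributes) survive; the direct
    identifier ("email") is replaced by the processor-specific pseudonym.
    """
    exported = []
    for record in records:
        row = {field: record[field] for field in allowed_fields}
        row["subject"] = vault.pseudonym(record["email"], processor)
        exported.append(row)
    return exported


# Constructed sample records: three orders from two fictional customers.
SAMPLE_RECORDS = [
    {"email": "asha@example.com", "item": "book", "amount": 450, "phone": "9000000001"},
    {"email": "ravi@example.com", "item": "phone", "amount": 12000, "phone": "9000000002"},
    {"email": "asha@example.com", "item": "pen", "amount": 30, "phone": "9000000001"},
]


def demo() -> dict:
    """Walk through export, cross-processor unlinkability and erasure."""
    vault = ControllerVault()
    analytics = export_for_processor(vault, SAMPLE_RECORDS, "analytics-vendor", ["item", "amount"])
    marketing = export_for_processor(vault, SAMPLE_RECORDS, "marketing-vendor", ["item"])

    same_subject_linkable = analytics[0]["subject"] == analytics[2]["subject"]
    cross_processor_linkable = analytics[0]["subject"] == marketing[0]["subject"]
    before_erasure = vault.resolve(analytics[0]["subject"], "analytics-vendor")
    erased = vault.erase("asha@example.com")
    after_erasure = vault.resolve(analytics[0]["subject"], "analytics-vendor")

    return {
        "exported_fields": sorted(analytics[0]),
        "same_subject_linkable": same_subject_linkable,
        "cross_processor_linkable": cross_processor_linkable,
        "before_erasure": before_erasure,
        "erased": erased,
        "after_erasure": after_erasure,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind. First, pseudonymised data is still personal data under the framework's definition if the remaining attributes make the individual reasonably identifiable, so minimising the exported fields matters as much as the pseudonym itself. Second, the scheme only delivers erasure if the key store is access-controlled and its backups are handled so that deleting a key also removes it from every backup copy.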
Various Tools Proposed for Enforcement

Data breach notifications: The white paper calls out the significance of defining a personal data breach and provides some guidance on it. There is also reference to the EU GDPR and US laws to bring in a broader perspective on a personal data breach, which is a subset of security breaches: not every security breach is a personal data breach, since not every security breach involves personal data, but every personal data breach is a security breach. (Dixon 2017) Thus, it is important to have a comprehensive information security programme, as mentioned in the previous section. (Mittal et al. 2017)
Adjudicating Process

The white paper stresses the importance of adjudication as an integral part of any law enforcement: it ascertains the rights and obligations of the parties involved in a dispute and prescribes corrective actions and remedies. Various jurisdictions have identified and granted powers to a commission or a supervisory authority to regulate and investigate complaints relating to the breach of any rights of a data subject. (Anon n.d.)
Penalties, Compensation and Offences

The white paper highlights the shortcomings of the IT Act, 2000 (together with the 2008 amendment to it and the 2011 rules made under it) in relation to data protection violations. Based on inputs from other legislation, the paper puts forward three different models for the calculation of civil penalties.

The first two models proposed in the paper mostly follow the models adopted by other regulations. The most interesting model, however, is to levy penalties per day, which could be the highest form of deterrence, with a major impact on small and medium businesses (SMBs). (Naqvi et al. 1992) With respect to compensation, the paper refers to Section 43A of the IT Act, 2000, and clearly calls out the factors that adjudicating officers use to arrive at compensation. However, it is very clear that these provisions apply only to body corporates and not to government entities and public authorities. The proposed framework should look to adopt more stringent models here, drawing on other regulations such as the EU GDPR and the UK Data Protection Act. (Voigt & von dem Bussche 2017a)

At present, there is no clarity on what activities could qualify as criminal offences under the proposed data protection framework. The view is that there should be more stringent penalties and compensation in cases where sensitive personal information is recklessly disclosed or sold by organisations. (Voigt & von dem Bussche 2017a; Voigt & von dem Bussche 2017b)

It remains to be seen how the enforcement model will be designed and how the penalties will be enforced. However, we can reasonably assume that large organisations, such as major telecom, banking, healthcare and IT/ITeS organisations, will need to consider stringent data breach notification norms, along with higher penalty limits in case of any offences.

5. Conclusion

Given the regulations proposed in the white paper for ensuring the data privacy of individuals, it is very important that organisations start aligning their processes and IT investments so that the regulation, once enacted, does not disrupt them. Although the white paper does not clearly outline anything on past processing activities or retrospective action, CIOs/CISOs are advised to assess how capable their existing IT infrastructure is and what it requires to handle the changing data privacy landscape in India. (Mraznica 2017)

However, it is not possible to conclusively demarcate all the aspects requiring protection in this manner, as the relevant concerns arise in varying contexts. Privacy does not arise only in some special, unchanging space like the home or the family but also in various situations, including in public spaces (Voigt & von dem Bussche 2017a). Different norms of privacy can exist in different spheres of life. For example, an individual may be willing to disclose certain things to a doctor or psychologist that she would not even tell her spouse or friends. Rules of data protection and privacy are designed in such a way that they allow individuals the freedom to determine how their personal information will be collected, used and disclosed. This is because individuals themselves are best equipped to understand how they will be benefited or harmed in the many unique contexts which involve their personal information. (Voigt & von dem Bussche 2017d)

As the white paper draws on global best practices on data protection from the European Union, especially the upcoming GDPR, the United Kingdom, Canada and the United States, organisations can start referring to business cases in these markets and understand how they have defined processes and planned IT investments. In the new data protection regime, timely planning and action will help them to continue business as usual, protect them from penalties and enhance business reputation, particularly in the light of the proposed data trust scores that will be assigned to organisations.

References

[1] Abraham, S. & Hickok, E., 2012. Government access to private-sector data in India. International Data Privacy Law, 2(4), pp. 302–315.
[2] Anon, n.d. GDPR Enforcement. In EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide, Second edition. pp. 280–292.
[3] Blume, P., 2015. An alternative model for data protection law: changing the roles of controller and processor. International Data Privacy Law, 5(4), pp. 292–297.
[4] Bremmer, I., 2018. Us vs. Them: The Failure of Globalism. Penguin UK.
[5] Cate, F.H. & Cate, B.E., 2012. The Supreme Court and information privacy. International Data Privacy Law, 2(4), pp. 255–267.
[6] Dixon, P., 2017. A Failure to "Do No Harm": India's Aadhaar biometric ID program and its inability to protect privacy in relation to measures in Europe and the U.S. Health and Technology, 7(4), pp. 539–567.
[7] Friedewald, M. & Pohoryles, R.J., 2016. Privacy and Security in the Digital Age: Privacy in the Age of Super-Technologies. Routledge.
[8] Giurgiu, A., 2017. GDPR Implementation Series: Luxembourg: Reshaping the National Context to Adjust to the GDPR. European Data Protection Law Review, 3(3), pp. 372–375.
[9] Goel, U. et al., 2017. Corporate Governance: Indian Perspective with Relation to Sarbanes Oxley Act. Available at: http://dx.doi.org/10.17501/iced.2017.1106.
[10] Harbinja, E., 2013. Does the EU Data Protection Regime Protect Post-Mortem Privacy and What Could Be the Potential Alternatives? SCRIPTed, 10(1), pp. 19–38.
[11] IT Governance Privacy Team, 2017. EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide. ITGP.
[12] ITGP Privacy Team, 2017. EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide, Second edition. IT Governance Ltd.
[13] Iyengar, P., 2011. Privacy and the Information Technology Act in India. SSRN Electronic Journal. Available at: http://dx.doi.org/10.2139/ssrn.1807575.
[14] Jackson, M., 1997. The effect of the proposed national data protection regime on the health sector in Australia. Australian Health Review: a publication of the Australian Hospital Association, 20(1), pp. 1–17; discussion 18–30.
[15] Kenny, J.J.P., 1985. Data Privacy and Security. Pergamon.
[16] Kolah, A., 2018. The GDPR Handbook: A Guide to Implementing the EU General Data Protection Regulation. Kogan Page Publishers.
[17] Mantelero, A., 2016. From Group Privacy to Collective Privacy: Towards a New Dimension of Privacy and Data Protection in the Big Data Era. In Group Privacy. pp. 139–158.
[18] Mittal, S., LNJN NICFS (MHA), India, 2017. Old Wine with a New Label: Rights of Data Subjects under GDPR. International Journal of Advanced Research in Computer Science, 8(7), pp. 67–71.
[19] Mraznica, E., 2017. GDPR: A new challenge for personal data protection. Bankarstvo, 46(4), pp. 166–177.
[20] Naqvi, S.N.H., Samad, S.A. & Asian and Pacific Development Centre, 1992. SAARC Link: An Econometric Approach.
[21] Nettleton, D., 2014. Data Privacy and Privacy-Preserving Data Publishing. In Commercial Data Mining. pp. 217–228.
[22] Nicolaidou, I.L. & Georgiades, C., 2017. The GDPR: New Horizons. In EU Internet Law. pp. 3–18.
[23] Sagar J, N. et al., 2016. Preserving Data Privacy without Secure Channel. International Journal of Engineering and Computer Science. Available at: http://dx.doi.org/10.18535/ijecs/v5i6.08.
[24] Voigt, P. & von dem Bussche, A., 2017a. Enforcement and Fines Under the GDPR. In The EU General Data Protection Regulation (GDPR). pp. 201–217.
[25] Voigt, P. & von dem Bussche, A., 2017b. Practical Implementation of the Requirements Under the GDPR. In The EU General Data Protection Regulation (GDPR). pp. 245–249.
[26] Voigt, P. & von dem Bussche, A., 2017c. Scope of Application of the GDPR. In The EU General Data Protection Regulation (GDPR). pp. 9–30.
[27] Voigt, P. & von dem Bussche, A., 2017d. The EU General Data Protection Regulation (GDPR).
[28] Zhao, Y., n.d. Online Privacy Protection. In Chinese Legal Reform and the Global Legal Order. pp. 156–178.
