[RTI] Minutes of the third meeting of the Expert Committee on Data Protection

Data Protection

The minutes of the first and second meetings of the Committee of Experts on data protection framework held on September 11, 2017 and October 3, 2017 respectively were disclosed in February 2018 in response to an RTI request made by a private citizen. It informed us that the Committee had been divided into four working groups and each working group was tasked with specific issues related to the proposed framework.

We filed a similar RTI application to MeitY asking for the minutes of all the subsequent meetings held after October 3, 2017. However, we were only provided details of the third meeting. It was communicated to us that the third meeting took place on November 13, 2017 and a fourth meeting was scheduled to take place on December 28, 2017.

The agenda of the third meeting of the Group of Experts on Data Protection, as provided in the response was as follows:

1. Discussion of respective parts of the White Paper:

a. Presentation to be made by Working Group on Grounds of Processing;

b. Presentation to be made by Working Group on Regulation and Enforcement; and

c. Presentation to be made by Working Group on Scope and Exemptions

3. Discussion on standard-setting under the proposed bill

4. Discussion on Key Issues raised by Dr. Gulshan Rai on the Draft MeitY Bill

5. Strategy for Public Consultation / Stakeholder Consultation and timelines.

The minutes of the meeting revealed that Dr. Arghya Sengupta and his team from Vidhi Centre for Legal Policy gave a detailed presentation on the consolidated white paper. The committee members deliberated on the issues outlined in the white paper and some of the important discussion points made during the presentation are:

  • Right of the data subject and harm incurring to him due to personal data collection, use and disclosure needs to be kept at the core of the Act.

  • The definition of identified, identifiable or reasonably identifiable personal data needs to be explicitly provided.

  • The implicit / explicit consent for the purpose and its use needs to be amply clear, which is a major ground for lawful processing of personal data. A checkbox method is one such option.

  • Besides the Data controller, whether the category of data processor and others need to be defined separately?

  • For child consent, while considering two options-putting in place an age bar and obtaining parental consent for the purpose of making a valid contract through some mechanisms. It was stated that Indian Contract Act require age of 18 years or more for the ability to sign a valid contract. It was also deliberated that owing to variety of target audience, one single model of consent may not work.

  • Data Controller should be more responsible in case of child’s consent and data processing. Australian Privacy Act model may also be looked at.

  • Notice to be made comprehensible for data subject to understand the meaning and the consequences arising thereof.

  • The purpose specification, use limitation, storage limitation and data quality, automated data, processing on the automated data and right to be forgotten needs to be clearly defined for the individual participation rights. Dr. Gulshan Rai opined that the white paper may include a question like “Whether Right to be Forgotten should be there or not?” He further opined that this will also help Government to get more insight of how technology companies view this issue.

  • Liability on data controller and processor connected to dealing with data.

  • Data Protection Authority and its functional rights similar to SEBI or IRDA may be explored. Data Protection body should be an independent body.

  • Strategy to adopt when imposing a penalty- percentage of global turnover or fixed optimum rupee limit.

  • The possibility of including class action suits and provisions of other Acts for compensation/offences.

  • The problem of enforceability of law against foreign entities dealing with the data of Indian subjects.

  • The concept of co-regulation or self regulation for he data controller needs to be examined.

  • The data audit of data controller to be done internally as well as externally.

  • Definitions of journalistic, artistic, literary exemptions to be reviewed or expanded.

  • Data Localization concept needs to be clarified in the context of globalization of data and its impact on the digital economy.

  • In the adjudicating mechanism, expenditure incurred can be of very high value due to high infrastructure requirements. The judicial impact assessment of this legislation can also be part of the white paper.

  • Every chapter of the white paper should include an open ended question in respect of suggesting “Any other alternative”.

  • Provisions for security standards which can be incorporated through subordinate legislation.