Unboxing India's Data Protection Framework – Part One of Many

In this article, infosec writer Ninad dissects the Indian Data Protection Framework and breaks it down for us so that we can better understand it.


India is a mobile-crazy nation. According to a KPMG and YourStory report of May 2018, India has 450 million internet users and is the second largest market after China. No wonder Mark Zuckerberg and Sundar Pichai are frequent visitors to India; after all, this is where their largest consumer base resides.

According to the same report, about 59 percent of the country's population is expected to have internet access and about 2 billion devices are expected to be connected to the network by 2021. These trends are expected to continue in the near future, and India is on the edge of a digital revolution.

India is the second largest country in terms of population, and given its diverse mix of cultures and languages, the opportunities for digital products are practically limitless. Government and private ventures are betting big on digital startups and products, and this trend is expected to bring even more of the population onto the digital wagon.

With all of this happening, it was already imperative for India to develop a framework for data protection. To quote the Data Protection Committee:

A firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment, and equal access.

Let's first take a look at the chronology of the events that led to the development of this draft Bill. (Figure 1 - Chronology of events)

Figure 1 - Chronology of events

In numbers, the proposed Bill has 60+ pages and 15 Chapters, and it proposes to amend The Information Technology Act, 2000 (21 of 2000) and The Right to Information Act, 2005 (22 of 2005).

Let's begin to unbox this Bill in a phased manner. In this part of the series, we will look at the proposed requirements in Chapters 1, 2 and 3.

Chapter 1

This introductory chapter covers the Extent, Application, and Definitions.

The Bill applies to the whole of India and specifically in the following situations:

  1. Personal data that has been collected, disclosed, shared or otherwise processed within the territory of India
  2. Processing of personal data by the State or equivalent institutions
  3. Processing of personal data by data fiduciaries or data processors not present within the territory of India, where the processing is in connection with activities involving data principals within India

The Bill shall not apply to the processing of anonymized data.

Some of the most important terms that this Bill proposes to define, amongst others, include:

  1. Data
  2. Data Fiduciary
  3. Data Principal
  4. Data Processor
  5. Financial, Health and Genetic data
  6. Personal data
  7. Sensitive Personal Data

These definitions will help build a common vocabulary for all professionals working with the Bill.

Chapter 2

This chapter outlines the data protection obligations.

The Bill mandates fair and reasonable processing of personal data that respects the privacy of the data principal.

It enforces this mandate throughout the life-cycle of data, covering purpose definition, collection, processing, data quality management, data storage, and accountability-related constraints.

Some of the key constraints include:

  1. Personal data shall be processed only for the purposes specified, or for any other incidental purpose, and only for purposes that are clear, specific and lawful.
  2. Collection of personal data shall be limited to such data as is necessary for the purposes of processing.
  3. The Bill mandates that a data fiduciary provide the data principal with a Notice comprising multiple attributes, covering purpose, categories of data collected, contact details, rights of the data principal, source, cross-border transfers, etc.
  4. The data fiduciary shall take reasonable steps to ensure that the personal data processed is complete, accurate, not misleading and up to date with regard to the purposes. This also applies to any other entities with which the data fiduciary may share the data, which is a great leap in data protection, ensuring accountability downstream.
  5. The data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed. Where it is no longer necessary for personal data to be retained by the data fiduciary, such personal data must be deleted in the manner specified and agreed with the data principal.
  6. The data fiduciary shall be responsible for complying with all obligations set out in this Act in respect of any processing undertaken by it or on its behalf, and shall demonstrate such compliance upon request.

Chapter 3

This chapter outlines the grounds for the processing of personal data.

Figure 2 - Grounds for the processing of personal data
Figure 3 - Requirements for grounds under which processing of personal data is permitted
Figure 4 - Requirements for grounds under which processing of personal data is permitted
Figure 5 - Requirements for grounds under which processing of personal data is permitted

Overall, I believe this Act demonstrates a firm commitment from the Government of India to ensure data protection in the digital economy that India envisions riding on in the coming decades.

In the next part of this series, we will unbox the provisions of the following chapters:

Views and opinions expressed in this article are my own, and no attribution or reference of any kind whatsoever should be made to my employer. All readers are encouraged to validate the facts and interpretation on their own.

The artwork used to head this article is called 'Indian Auto' and it was created by Srinivas Babu.