Unboxing India's Data Protection Framework – Part Two of Many

Cybersecurity professional Ninad Dhavase takes a further deep dive into India's data protection framework, breaking it down into easily understood chunks.

Unboxing India's Data Protection Framework – Part Two of Many

Hope you enjoyed reading the part 1 of this series. In case you haven't, read the first part here.  I purposely chose the image in the title - since the logo resonates with the objectives of the Data Protection Framework. More about the logo here.

The proposed  data protection act, just like the logo symbolizes the following:

  1. Transparency
  2. A will and a desire
  3. An aspiration

In this part let us explore the Chapters 4, 5 and 6.

Chapter 4

The proposed bill explicitly distinguishes between Personal Data and Sensitive Personal Data. This chapter outlines the grounds for processing sensitive personal data.

Sensitive personal data can be processed on the following grounds:

  1. Based on explicit consent
  2. For certain functions of the state
  3. In compliance with law or any order of any court or tribunal
  4. For prompt action
  5. Other scenarios

a. To satisfy the requirements mentioned in Chapter 3 and

b. The attention of data principal was drawn, Consent was meaningful and not inferred, Specific consent was obtained

For certain functions of the State

a. Any function of Parliament or any State Legislature

b. The exercise of any function of the State authorized by law for the provision of any service or benefit

In Compliance with any Law or any Order of any Court or Tribunal

a. Explicitly mandated under any law made by Parliament or any State Legislature

b.  Necessary for compliance with any order or judgment of any Court or Tribunal in India.

For Prompt Action

a. To respond to any medical emergency involving a threat to the life or a severe threat to the health

b. To undertake any measure to provide medical treatment or health services to any individual during an epidemic or similar situation

c. To undertake any measure to ensure the safety of, or provide assistance or services to, any individual during any disaster or similar situation

Other Scenarios

The bill proposes to establish a regulator (Data Protection Authority of India) and gives this team all powers as required to implement this bill.

The authority shall specify scenarios, categories, grounds, and provisions to ensure adequate protection for personal data by considering the risk, the expectation of confidentiality, harm and adequacy requirements.

Chapter 5

This chapter is a welcome move, especially, in an era where children have greater access to digital devices. This chapter outlines the requirements for protection of Personal and Sensitive personal data of Children.

The provisions mandate that data fiduciaries process the data in a manner that protects and advances the rights and best interests of the child.

Mechanisms for age verification and parental consent are mandatory. However, the appropriateness is to be verified on the basis of Volume, Risk, Proportion and other factors as specified by the Data Protection Authority of India.

Guardian data fiduciaries shall include Operators of commercial websites/online services directed towards children and fiduciaries who process large volumes of personal data.

Such guardian data fiduciaries shall be barred from profiling, tracking, or behavioral monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child. Implementing this requirement will be quite a challenge and only time can tell, how it shapes up.

Chapter 6

This chapter outlines the rights each Data Principal has.

Right to Confirmation and Access

A data principal (DP) shall have the right to seek a confirmation, details and a summary of processing activities undertaken by data fiduciary (DF). Such information provided by DF shall be clear, concise and comprehensible generally by the DP.

Right to Correction

DP shall have the right to correct, complete, and update personal data available with the DF.

DF may choose to reject this request, however, a justification has to be provided to DP for the same. In case the DP is not satisfied with the justification, the DP shall notify DF regarding the same and DF shall ensure notification about such dispute alongside the personal data of DP.

In case DF updates the personal data, then the DF shall also notify about the changes to relevant entities/individuals as may be required.

Right to Data Portability

The DP has the right to receive the data in a structured, commonly used and machine-readable format and be able to transfer it to any other DF.

This shall be applicable for all data processed using automated means and shall exclude processing done for a state function, compliance, and trade secret.

Right to be Forgotten

Right to forget essentially means to prevent/restrict disclosure of data by DF.

Situations include where the purpose has been met; Consent has been withdrawn or is contrary to the law.

This right overrides the right to freedom of speech and right to information of any citizen. An adjudicating officer shall determine the applicability.

Conditions to Exercise the Rights in this Chapter

These rights may be exercised by:

  1. Making a written request with DF
  2. A DF acknowledging the request
  3. By charging a reasonable fee - the exception being right to correction and right to confirmation/access
  4. DF shall process the requests within the time specified by the authority
  5. DF shall not process requests in case they harm the rights of other DPs

We will explore more chapters in the next part of this series. Feedback welcome.


Views and opinions expressed in this article are my own and no attribution/reference of any kind whatsoever be made to my employer. All readers are encouraged to validate the facts/interpretation on their own.