The government-appointed committee of experts, chaired by former Supreme Court Justice BN Srikrishna, released the white paper on a data protection framework for India on 27 November.
The paper has posed some key questions to stakeholders, such as "What are your views on what the territorial scope and the extra-territorial application of a data protection law in India?"
"To what extent should the law be applicable outside the territory of India, in cases, where data of Indian residents is processed by entities who do not have any presence in India?"
"Instrumentally, a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment and equal access," it said.
"A carefully formulated data protection law is necessary for fulfilling both these objectives. It is our Committee's view that the law we draft must be cognisant of international and comparative practices in this regard," it added.
The white paper has been drafted to solicit public comments on what shape a data protection law must take.
"The white paper outlines the issues that a majority of the members of the Committee feel require incorporation in a law, relevant experiences from other countries and concerns regarding their incorporation, certain provisional views based on an evaluation of the issues vis-a-vis the objectives of the exercise, and specific questions for the public," it said.
"On the basis of the responses received, the Committee will conduct public consultations with citizens and stakeholders shortly to hear all voices that wish and need to be heard on this subject," it added.
The paper said a data protection framework in India must be based on seven principles: technology agnosticism, holistic application, informed consent, data minimization, controller accountability, structured enforcement and deterrent penalties.
It further asked, "What measures should be incorporated in the law to ensure effective compliance by foreign entities inter alia when adverse orders (civil or criminal) are issued against them?"
The paper stated that the definition of personal information or personal data is the critical element that determines the zone of informational privacy guaranteed by data protection legislation.
"Thus, it is important to accurately define personal information or personal data which will trigger the application of the data protection law," it said.
In the 243-page document, it also asked, "Should the definition of personal data focus on identifiability of an individual? If yes, should it be limited to an 'identified', 'identifiable' or 'reasonably identifiable' individual?"
It said that while personal data refers to all information related to a person's identity, there may be certain intimate matters in which there is a higher expectation of privacy. "Such a category widely called 'sensitive personal data' requires precise definition," it added.