A Free and Fair Digital Economy Protecting Privacy, Empowering Indians Committee of Experts under the Chairmanship of Justice B.N. Srikrishna TABLE OF CONTENTS GLOSSARY OF TERMS ................................................................................................................ 1 CHAPTER 1: A FREE AND FAIR DIGITAL ECONOMY ................................................................ 3 A. Existing Approaches to Data Protection ....................................................................... 3 B. Understanding the Contours of the Indian Approach ................................................... 4 C. Data Principals and Data Fiduciaries ............................................................................ 7 D. Following Puttaswamy ............................................................................................... 10 E. Chapters in the Report ................................................................................................ 11 F. Methodology ............................................................................................................... 13 G. Summary: A Fourth Way to Privacy, Autonomy and Empowerment ........................ 13 CHAPTER 2: JURISDICTION AND APPLICABILITY ................................................................... 15 A. White Paper and Public Comments ............................................................................ 15 B. Analysis ...................................................................................................................... 16 I. Jurisdiction.................................................................................................................. 16 (a) Conceptual Understanding of Jurisdiction ................................................................. 16 (b) Prescriptive Jurisdiction ............................................................................................. 17 (c) The Case for Data Non-Exceptionalism ..................................................................... 18 (d) Putative Bases for Jurisdiction ................................................................................... 18 II. Retrospective and Transitional Application of the Data Protection Law ................... 21 RECOMMENDATIONS ............................................................................................................... 23 CHAPTER 3: PROCESSING ....................................................................................................... 24 A. White Paper and Public Comments ............................................................................ 24 B. Analysis ...................................................................................................................... 27 I. Building Blocks of the Law ........................................................................................ 27 (a) Personal Data .............................................................................................................. 27 (b) Sensitive Personal Data .............................................................................................. 30 II. Consent ....................................................................................................................... 32 (a) A revised operational framework for consent ............................................................ 33 (b) Consequences of such a Framework .......................................................................... 34 (c) Enforcement of the Revised Framework .................................................................... 35 (d) Standard of Consent ................................................................................................... 36 (e) Different Standards for Different Types of Personal Data Processing ...................... 37 (f) Consent Dashboard and Avoiding Consent Fatigue ................................................... 38 (g) Consent and Contractual Necessity ............................................................................ 40 III. Protection of Children‘s Personal Data ...................................................................... 42 (a) Identification of guardian data fiduciaries .................................................................. 43 (b) Who is a child? ........................................................................................................... 43 (c) Barred Practices .......................................................................................................... 44 (d) Regulatory Approach ................................................................................................. 44 IV. Community Data......................................................................................................... 45 V. Entities to which the Law Applies .............................................................................. 46 i RECOMMENDATIONS ............................................................................................................... 48 CHAPTER 4: OBLIGATIONS OF DATA FIDUCIARIES ............................................................... 49 A. White Paper and Public Comments ............................................................................ 49 B. Analysis ...................................................................................................................... 51 I. Fair and Reasonable Processing ................................................................................. 51 II. Purpose Limitation and Data Minimisation................................................................ 52 III. Big Data Challenges to Data Minimisation and Purpose Limitation ......................... 54 IV. Transparency .............................................................................................................. 58 V. Organisational Obligations on Data Fiduciaries ......................................................... 59 VI. Storage Limitation ...................................................................................................... 60 VII. Data Quality ................................................................................................................ 62 VIII. Notification for Data Breach ...................................................................................... 62 (a) Need for Data Breach Notification ............................................................................. 62 (b) What constitutes a Personal Data Breach? ................................................................. 63 (c) When does it need to be notified to the DPA? ........................................................... 64 (d) When does it need to be notified to individuals? ....................................................... 64 IX. Data Security .............................................................................................................. 65 RECOMMENDATIONS ............................................................................................................... 67 CHAPTER 5: DATA PRINCIPAL RIGHTS .................................................................................. 68 A. Access, Confirmation and Correction ........................................................................ 68 I. White Paper and Public Comments ............................................................................ 68 II. Analysis ...................................................................................................................... 69 B. Rights to Objection, Restriction and Portability ......................................................... 71 I. White Paper and Public Comments ............................................................................ 72 II. Analysis ...................................................................................................................... 73 C. The Right to be Forgotten ........................................................................................... 75 I. White Paper and Public Comments ............................................................................ 76 II. Analysis ...................................................................................................................... 77 (a) Balancing the Right with Competing Rights and Interests ........................................ 78 (b) Appropriate Entity for the Approval of Requests ...................................................... 79 (c) Breadth of Application of Orders ............................................................................... 80 RECOMMENDATIONS ............................................................................................................... 81 CHAPTER 6: TRANSFER OF PERSONAL DATA OUTSIDE INDIA ............................................... 82 A. White Paper and Public Comments ............................................................................ 82 B. Analysis ...................................................................................................................... 83 I. Cross-Border Transfer of Personal Data .................................................................... 83 II. Exceptions to Free Transfer of Personal Data Outside India ..................................... 87 ii (a) Benefits ....................................................................................................................... 88 (b) Costs ..........................................................................................................................