India Privacy Framework

For ease of reference and responding, we have extracted some key aspects of the data protection framework for your views.

1. While responding keep in view:
a. The reference slide numbers, where applicable, are mentioned against the questions below.
b. Share aspects you think are unnecessary, and are likely to put disproportionate burden on organizations while not benefitting data subjects significantly and which of them are useful and can be complied to.
c. Aspects that have possibility of creating ambiguity while implementing
d. All categories of data subjects who are associated with your business, such as employees, customers, vendors, job applicants, website visitors, shareholders etc
e. Possibility of conflict with other domestic or foreign laws that may apply to your industry
f. Potential areas of conflict with monitoring for data security & digital surveillance
g. Balance between privacy and other rights in a democratic society such as freedom of expression, right to information etc.
h. Aspects in DP law that are important to make India a data safe country to make it a suitable destination for businesses, and possibility of India being considered for adequacy status by EU and other jurisdictions
i. Data privacy need not be looked at from compliance perspective alone – it could also be used as a business differentiator
j. Effort, cost and time required for complying with the law, vis a vis the benefit to data subjects
k. Business continuity

2. If there are any provisions missing in the white paper, please list them in the last question with justifications for consideration

3. Choose one or more responses that are most appropriate in your view.
a. If your response is not part of the options listed, then tick ‘others’ and briefly enumerate your response
b. Your views are being mainly sought from your organization perspective, and to a lesser extent as an Indian citizen (data subject)
c. Before providing your response, we recommend you review the white paper.
d. Link of overview slide …………………………….
e. If certain aspects do not impact you, you may choose not to respond

A summary of the key aspects and how they are connected to the industry is provided in the overview slides, but the slides are not a substitute for white paper.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The questions and response options do not reflect NASSCOM DSCI position on Data Protection..
The questions are on key aspects related to data protection framework. Responses will be aggregated and wherever possible will be leveraged to develop Industry response to the White paper on date protection.

Name of Company: *

Name of Employee: *

Designation and Function in the Organisation: *

Contact email: *

P2.C1: Territorial application of law – location of the entities for personal data originating from India.

Territorial application of law – location of the entities for personal data originating from India.

	Entities located in India only
	Entities and their vendors located in India
	Entities and their vendors located abroad
	Entities and their vendors located abroad based on country level treaty
	Others (please specify)

P2.C1: Territorial application of law – how to ensure effective compliance from entities located outside India?

	Entities abroad should mandatorily declare their representative for India
	Entities abroad should mandatorily have a branch office (minimum representation) in India.
	Entities abroad should register the personal data processing activities in India and further renew it every 2 years.
	Others (please specify)

P2.C2: Whose personal data should be protected by the law?

	Living individuals
	Deceased individuals
	Operational entities
	Non-operational entities
	Robots
	Others (please specify)

P2.C2: To which category of agency/entity the law should be applicable?

	Private Sector
	Public Sector
	Voluntary Sector (non-profit)
	Government
	Others
	Others (please specify)

P2.C2: Effective date from when the law should be applicable

	Enactment date
	Retrospective i.e. applicable for personal data collected before the enactment date to the extent of current processing activities.
	Others (please specify)

P2.C2: Effective date from when the law should be enforced

	Enactment date
	Enactment date + 18 months
	Others (please specify)

P2.C3: What should be the data elements in the scope of law termed as?

	Personal data
	Personal information
	Personal data and personal information
	Personally identifiable information (PII)
	Sensitive Personally identifiable information (SPII)
	Others (please specify)

P2.C3: Scope of personal data – Definition

	Any data or information that can reasonably identify an individual
	Any data or information, which is not publicly available, that can reasonably identify an individual
	Any data or information, which is not publicly available and that can reasonably identify an individual, irrespective of whether it is from the individual’s private or professional life.
	Others (please specify)

P2.C4: Scope of personal data – categories

The law should cover:

	Non-business Personal Data (e.g., your photo, date of birth, mobile phone, family details, behavioral aspects)
	Business personal data (employee ID, company email, phone No., performance rating, disciplinary actions,..etc)
	Sensitive Personal Data (e,g, health, financial, biometric data)
	Others (please specify)

P2.C4: Definition of sensitive personal data

Personal data related to –

	Health
	Finance
	Government Issued IDs (Aadhaar details, Passport Number, PAN,..)
	Natural Characteristics such as Biometrics, Genetics
	Sexual orientation
	Criminal convictions
	anything that causes significant harm to the individual
	Others (please specify)

P2.C4: Should the law apply to pseudonymised data ?

	Yes, completely
	Yes, with exemptions
	No
	Others (please specify)

P2.C5: Data processing should include –

	Collection
	Use
	Transmission, Transfer
	Storage
	Deletion
	Others (please specify)

P2.C5: Type of data processing should include –

	Automated
	Manual
	Others (please specify)

P2.C6: Extent of applicability of the law to the different entities in the data ecosystem

	Applicable to different entities.
	Applicable based on the role played by each entity.
	Applicable to the main entity, while the other entities which support/service the main entity are obligated to protect personal data as per the agreement with the main entity
	Others (please specify)

P2.C6: Should the different entities be termed as “Data Controller”, “Data Processor”, “Sub-processor”, etc; based on their role in data processing

	Yes
	Data Controller – Entity which decides the means and purpose of processing. Any entity which is not a Data Controller is a Data Processor
	No
	Others (please specify)

P2.C7: Do some of the data processing activities be exempted from the law?

Yes, data processing for the following purposes should be exempted -

	Domestic/household
	Journalistic/Artistic/ Literary Purpose
	Research/Historical/Statistical Purpose
	Investigation and Detection of Crime, National Security
	Prevention of crime
	Assessment and collection of tax in accordance with the relevant statutes
	Others (please specify)

P2.C8: What should be the legal basis for the transfer of personal data out of India for a legitimate purpose?

	The data importing country has an equally adequate data privacy law
	The data importing entity has signed the appropriate data privacy clauses
	Consent or vital interest of the individual to whom the data identifies.
	Any of the above
	Others (please specify)

P2.C8: What should be the legal basis for the transfer of sensitive personal data out of India for a legitimate purpose?

	Legally permitted by Indian laws & regulations
	Consent or vital interest of the individual to whom the data identifies, but not superseding the above point.
	Data importing country with equally adequate law
	Data importing entity has signed the appropriate data privacy clauses
	Others (please specify)

P2.C9: Should Data localization be adopted in India ?

	Yes, all personal data that is generated in India, should be stored in India only
	Yes, specific personal data that is generated in India should be stored in India only e.g. Government issued ID details.
	Yes, a copy of personal data that is generated in India should be stored in India prior to transferring it abroad.
	No, personal data that is generated in India could be stored abroad with adequacy measures
	Others (please specify)

P2.C9: Data localization should be applicable to –

	Government issued identity documents, unless the documents are designed for use abroad e.g. passport (to be stored within India only)
	Social media contents (local copy should be maintained in India)
	Tele-communications (to be stored within India only)
	None, as long as the data importing entity abroad has agreed to protect the personal data as per the data privacy principles, laws & regulations
	Others (please specify)

P2.C9: Will Data localization negatively impact the data processing industry?

	India based industry wouldn’t be impacted.
	India based industry will be impacted.
	Foreign companies with business activities in India, but data centers abroad, will be impacted.
	Others (please specify)

Should Government Agencies have the right to access personal data being processed by the entity ?

	Yes, personal data which is generated in India and being processed in India.
	Yes, personal data which is generated in India and being processed abroad.
	Yes, personal data which is generated abroad and being processed in India.
	Others (please specify)

P2.C10: In case of overlap with existing laws and future laws & regulations, which law should supersede?

	DP law should supersede other laws & regulations
	The other laws & regulations should supersede the DP law
	The superior requirement (from DP perspective) of either laws supersedes
	Others (please specify)

P3.C1: Should the individual’s Consent be considered sufficient for processing the individual’s data, including transferring the data outside India ?

	Yes
	Yes, but consent shouldn’t supersede applicable law & regulations.
	Yes, but consent shouldn’t be a forced.
	No, consent shouldn’t be the basis for processing.
	Others (please specify)

P3.C1: What is the appropriate scenario when a consent should be sought from the individual?

	Collecting personal or sensitive personal data which is not mandatorily required for the purpose of engagement
	Collecting personal or sensitive personal data from an individual with whom there is no prior business relationship.
	No, consent shouldn’t be the basis for processing.
	Others (please specify)

P3.C2: What is the individual’s age below which the child data privacy related requirements should be applicable?

	18 years
	13 years
	To be decided by the Data Protection Authority
	To be decided by the entity collecting the personal data
	Others (please specify)

P3.C2: What should be the additional data privacy requirements applicable for processing children’s personal data?

	Parental written consent
	Children’s personal data should be permitted only in the field education, medical, sports, …
	Children’s personal data shouldn’t be permitted for sales & marketing purposes targeted at children.
	Others (please specify)

P3.C3: Is a Notice mandatory to be given to individuals for processing their personal data?

	Yes
	No
	No, but only when the purpose of processing and corresponding details are not obvious to individual
	Others (please specify)

P3.C3: What should be the minimum components of a Notice?

	Legal name of the entity collecting the personal data
	Purpose of processing
	Legal name of the Vendors involved
	Country of data storage
	Guarantee of security
	Others (please specify)

P3.C4: What should be grounds of lawful processing?

	Legal obligation
	Contractual obligation
	Vital interest of the individual
	Required for providing goods/service
	Public interest
	Statistical and Analysis purposes
	Others (please specify)

P3.C5: Should purpose of processing be only limited to that declared in the Notice to the individual at the time personal data collection?

	Yes
	No, data can be used for other purposes but related to the original purposes, without notifying the individual
	No, data can be used for other purposes but related to the original purposes, post notifying the individual
	No, data can be used for other lawful purposes without notifying the individual
	No, data can be used for other lawful purposes post notifying the individual
	Others (please specify)

P3.C6: When should processing of sensitive personal data be considered lawful?

	Legally permitted by Indian laws & regulations
	Consent or vital interest of the individual to whom the data identifies, but not superseding the above point.
	Public interest
	Others (please specify)

P3.C6: What should be the additional data privacy requirements for processing of sensitive personal data?

	Stringent security controls
	To be used for legal purposes only
	Higher penalties in case of data breach
	Others (please specify)

P3.C7: Should personal data be permanently deleted when it is no more required after using it for the purpose for which it was collected?

	Yes, personal data shouldn’t be retained indefinitely
	No, personal data should be retained indefinitely
	No, Personal data should be retained indefinitely but in a pseudonymised form.
	No, Personal data should be retained indefinitely but in an anonymized form.
	Others (please specify)

P3.C7: Should the retention period of personal data be defined in the DP law?

	Yes
	No, retention period should be as required by other laws which require collection and processing of personal data
	No, retention period can be decided by the entities as per their requirement.
	Others (please specify)

P3.C8: What rights should be provided to the individual to whom the personal data identifies or relates to, subject to legitimate reasons?

	Access
	Rectification
	Objection to processing
	Deletion
	Data Portability
	Right to be forgotten
	Others (please specify)

P3.C8: Should a fee be charged from the individual for exercising their rights on their personal data?

	No
	Yes, fee should be decided by the DPA appointment by the Govt.
	Yes, fee should be decided by the entity servicing the individuals
	Others (please specify)

P3.C9: Should automated decision making be prohibited?

	Yes, with specific exemptions in the medical field.
	No
	Others (please specify)

P3.C9: Should “Profiling” of an individual be permitted for certain lawful and legitimate purposes ?

Yes, for

	Marketing
	Sales
	Recruitment
	Medical/Health
	Banking
	Insurance
	Others (please specify)

P3.C10: What are the scenarios when right to be forgotten should be denied to the individual ?

	National security
	Lawful or Legitimate interest of the entity holding the individual’s personal data
	Public interest
	Research purposes
	Others (please specify)

P4.C2: Accountability and liability of entities and its vendors in case of harm to an individual

	Main entity only
	Joint between the main entity and its vendors to extent responsible for harm
	Joint between the main entity and its vendors to extent agreed in the agreement

P4.C2: In case of an instance of harm caused to an individual, what are factors to be considered for deciding the accountability and liability on the entities involved?

	Organisational measures for protecting personal data
	Technical measures for protecting personal data
	Records of privacy impact assessments
	Inventory of personal data and its processing
	Contractual protection with vendors, partners and group entities
	Inventory of personal data and its processing
	Others (please specify)

P4.C2: Should codes of practice be developed and enforced for processing certain personal or sensitive personal data?

	No
	Yes, for the personal or sensitive personal data in the following domain: Medical, Health, Financial, Banking, Employment, Educational, Nation security, Journalism, Research
	Others (please specify)

P4.C2: Who should develop the codes of practice ?

	Law makers
	Data Protection Authority (DPA) appointed by the Government
	Corresponding industry body along with the DPA
	Others (please specify)

P4.C2: What should be considered as a data breach?

	Exposure of data leading to harm to an individual
	Exposure of data which is contained before causing any harm to the individual
	Any undesired event related to data
	Others (please specify)

P4.C2: Who should be notified by the entity in case of a data breach ?

	The individual(s) whom the data identifies
	Data Protection Authority (DPA) appointed by the Government
	Corresponding industry body along with the DPA
	Others (please specify)

P4.C2: On what basis should Data Controllers be further categorized (e.g. Red, Orange, Green) and the extent of applicability of the DP law be varied across categories to minimize compliance burden?

	Type of personal or sensitive personal data processed e.g. Health, Finance, Genetics, Govt. Issued IDs etc;
	Volume of personal data processed
	Volume of sensitive personal data processed.
	Others (please specify)

P4.C2: Do Data Controllers need to register with the Data Protection Authority ?

	No
	Yes, Red category Data Controllers should register with the DPA
	Yes, Red or Orange category Data Controllers should register with the DPA
	Others (please specify)

P4.C2: When should a Data Protection Impact Assessment be done ?

	Always, whenever a new process, application is being deployed for collecting and processing personal or sensitive personal data.
	Only when a new process, application is being deployed for collecting and processing sensitive personal data.
	Whenever there is a breach involving personal or sensitive personal data.
	Others (please specify)

How should data privacy be ensured by default ?

	Implement Privacy by design
	Follow data privacy principles
	Implement appropriate technical and organisational measures
	Others (please specify)

Should security controls be prescribed in the DP law ?

	Yes
	Yes, only those controls applicable to sensitive personal data
	No
	Others (please specify)

P4.C2: Should external audits be mandatory for entities handling personal or sensitive personal data ?

	No
	Yes, once in 2 years for the Red Category Data Controllers
	Yes, once in 3 years for the Orange category Data Controllers
	Others (please specify)

P4.C2: Should appointing a Data Protection Officer be mandatory for entities handling personal or sensitive personal data ?

	No
	Yes, for the Red Category Data Controllers
	Yes, Red or Orange category Data Controllers
	Others (please specify)

P4.C2: Is a separate, independent Data Protection Authority (DPA) required to ensure compliance with data protection laws in India?

	Yes, one DPA for the entire country
	Yes, one DPA for each state
	Yes, one DPA for each region (group of states in N-E-W-S)
	No
	Others (please specify)

P4.C2/3: DPA should be part of which one of the following ?

	Government
	Equivalent to Judiciary
	Equivalent to an Ombudsman
	Privacy entity
	Others (please specify)

P4.C2/3: What should be the role and responsibilities of the DPA ?

	Enforce the DP Law
	Increase public awareness
	Guide the Data Controllers and Data Processors for compliance
	Hear and adjudicate complaints from individuals, data controllers, data processors
	Facilitate development of Codes of Practice, including final approval
	Conduct audits, where necessary
	Others (please specify)

P4.C4: What kind of acts of omission by the data controller or data processor should be considered as a Civil violation ?

P4.C4: What should be the penalty for civil violation?

	Red category data controller – flat 50,00,000 INR
	Orange category data controller – flat 25,00,00 INR
	Green category data controller – flat 5,00,000 INR
	Others (please specify)

P4.C4: What kind of acts by the data controller or data processor should be considered as a Criminal offence ?

P4.C4: What should be the penalty for Criminal offense ?

	Red category data controller – flat 100,00,000 INR
	Orange category data controller – flat 50,00,00 INR
	Green category data controller – flat 25,00,000 INR
	Others (please specify)

P4.C4: What should be compensation to the affected individual in case of civil or criminal violation by the data controller or data processor ?

Civil Violation

	Red category data controller – flat 50,00,000 INR
	Orange category data controller – flat 25,00,00 INR
	Green category data controller – flat 5,00,000 INR
	Others (please specify)

What should be compensation to the affected individual in case of civil or criminal violation by the data controller or data processor ?

Criminal Offence

	Red category data controller – flat 100,00,000 INR
	Orange category data controller – flat 50,00,00 INR
	Green category data controller – flat 25,00,000 INR
	Others (please specify)

	Consent from the individual
	Notice to the individual
	Non-excessive data collection
	Lawful purpose of processing
	Organisational safeguards
	Technical safeguards
	Cross-border data transfer procedures
	DP agreements with vendors, partners, intragroup entities
	Data breach causing harm to the affected individual
	Others (please specify)