Indian policy framework has been very proactive in capturing the wave of data emergence and industry 4.0 revolution. Probyto have been following General Data Protection Regulation(GDPR) & providing its input on impact of same in Data Science applications. GDPR is also one of the leading example for Data Protection which is expected to be adopted by many other developed nations with some modifications in coming days. While, GDPR is ready to be implemented across Europe in May 2018, the move by India to establish a policy around Data Protection is commendable and well timed. The Government of India has released a white paper for discussion with stakeholders.

The whole white paper is divided into different parts and further the parts are divided into sections. A brief of the parts is reproduced for quick reading.

Part I : Context Setting

Part I sets the context of the document and framework.This refers to lot of current happenings across the world in relation to data and how India system has been responding to them.

Part II : Scope and Exemptions

This Part seeks to discuss the various issues vis-à-vis the scope of a data protection law for India with specific focus on: a) the territorial reach of the law; b) the contours of personal data; c) the application of the law to the private and the public sector; d) the entities regulated by the law; e) the activities regulated by the law; f) cross border flow of data; and g) data localisation.

Further, there are some activities, which are to be left out of the purview of a data protection law since strict regulation of such processing activities may be counter-productive. However, determining which activities may be exempt from the scope of a data protection law requires careful thought. This Part discusses the following potential exemptions: household purposes, journalistic and literary purposes and research,investigation and detection of crime, and national security.

Part III : Grounds of Processing, Obligation on Entities and Individual Rights

This Part discusses the importance of obtaining an individual’s consent prior to such processing, and examines the manner in which an entity can obtain valid and informed consent. It also examines the need to legally demarcate grounds other than consent on the basis of which personal data may be processed since obtaining consent may not be feasible or desirable in all circumstances. To allow individuals to exercise some degree of control over their personal data, a data protection law must guarantee certain rights to them.

These rights are known as individual participation rights and the following rights are specifically discussed in this Part:

(a) confirmation and access;

(b) rectification;

(c) objection to processing;

(d) objection to automated decision making;

(e) restriction of processing,

(f) data portability and

(g) right to be forgotten.

Part IV discusses various regulatory models including:

(a) the ‘command-and-control’ approach;

(b) the ‘self regulation’ approach; and

(c) ‘co-regulation’ approach.

Other regulatory tools such as codes of practice for data controllers and data breach notification obligations have also been discussed.

This Part examines the possibility of a data protection law setting out various subject matters on which these codes may be issued. The need for differentiated, or more stringent obligations on data controllers with significant processing activities has also been discussed. These obligations may include the requirement of registration with an appropriate authority, and compliance measures such as data audits and data protection impact assessments. Further, this Part also discusses the need for a separate and independent authority to oversee the implementation and enforcement of a data protection law, and the potential powers and functions that such an authority would have. Finally, the need for defining certain remedies in the form of penalties for a data processing entity for failure to comply with the obligations set out under a data protection law, and compensation to an individual whose personal data has not been processed lawfully has also been discussed.