GoI releases seven key principles for data protection; invites public opinion

Government of India has introduced a whitepaper and have invited the public to present their views on making a data protection bill by January 31.

Prajeet Nair Jan 22nd 2018

A data protection framework in India must be based on the following seven principles, released by Government of India:


Technology agnosticism


Holistic application


Informed consent


Data minimisation


Controller accountability


Structured enforcement


Deterrent penalties


Government of India has introduced a whitepaper on data protection framework and has constituted a committee of experts under the chairmanship of former Supreme Court Justice B.N. Srikrishna.

In order to give a perfect shape to the data protection law, the government has asked for public comments by the end of this month.

However, the whitepaper released by the government, with the majority of the committee members outlines following integration in the law:

  1. Relevant experiences from other countries and concerns regarding their incorporation.
  2. Certain provisional views based on an evaluation of the issues vis-à-vis the objectives of the exercise.

A data protection framework in India must be based on the following seven principles, released by Government of India:

1. Technology agnosticism- The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.

2. Holistic application- The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.

3. Informed consent- Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.

4. Data minimisation- Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.

5. Controller accountability- The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing.

6. Structured enforcement- Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.

7. Deterrent penalties- Penalties on wrongful processing must be adequate to ensure deterrence.

The idea is to study various issues relating to data protection in the country with prime objective of ensuring growth of the digital economy while keeping personal data of citizens secure and protected.

The committee have also released a set of questions for the public. On the basis of the responses received, the committee will conduct public consultations with citizens and stakeholders shortly to hear all voices that wish and need to be heard on this subject.