Scribd
Upload
5 views3 pages

Data Protection Committee Report Removed (1)

Uploaded by

Kanu Priya Gupta
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
5 views3 pages

Data Protection Committee Report Removed (1)

Uploaded by

Kanu Priya Gupta
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

A Free and Fair Digital Economy

Protecting Privacy, Empowering Indians

Committee of Experts under the Chairmanship of Justice B.N.


Srikrishna
network. This will not make the company subject to the Indian data protection
law.
On the other hand, there may be cases of fiduciaries not physically present in
the territory of India operating websites which must be regulated under Indian
law. These include cases where such fiduciaries carry on business or
systematically offer goods or service in India through the internet. This would
go towards covering those entities that have a significant economic presence
in India. Courts in India, while adapting conventional rules of jurisdiction to
businesses carried on over the internet have distinguished between passive
websites and others which target viewers in the forum state for commercial
transactions resulting in harm in the forum state.60 Recognising the nature of
transactions over the internet, courts have interpreted the Trademarks Act and
the Copyright Act to apply to persons not resident in India who nonetheless
carry on business within the jurisdiction of the court.61

In addition to any link on the basis of systematic commercial activity, the law
must also apply to activities such as profiling which pose considerable privacy
harms which could be undertaken by fiduciaries that are not present within the
territory of India. This would go towards covering those entities which have a
significant digital presence for Indians though they may not have a significant
economic presence. It is critical that such activities are regulated under Indian
law.

An appropriate balance between these interests would be to restrict the


application of the law in case of fiduciaries not present in India to those
carrying on business in India or other activities such as profiling which could
cause privacy harms to data principals in India.

b. Processing of data that is not personal data of persons present in India by


an entity in India:
This is an exception to the principle of territoriality based on policy
considerations of India having a large business process outsourcing industry
handling large amounts of personal data of foreign nationals. 62 While the

60
Banyan Tree Holding v. Murali Krishna 2010 (42) PTC 361 ―This Court holds that jurisdiction of the forum
court does not get attracted merely on the basis of interactivity of the website which is accessible in the forum
state. The degree of the interactivity apart, the nature of the activity permissible and whether it results in a
commercial transaction has to be examined‖. Further see Justice S. Muralidhar, Jurisdictional issues in
Cyberspace, 6 The Indian Journal of Law and Technology (2010), “a lone trap transaction may not demonstrate
the ―purposeful‖ targeting by the defendant of the forum State or of ―aiming‖ at particular customers therein. A
more systematic behaviour over a series of transactions will have to be shown as having been entered into by the
defendant.‖
61
Icon Health and Fitnes, Inc. v. Sheriff Usman and Ors. 2017 SCC OnLine 10481 relying upon World
Wrestling Entertainment v. M/S Reshma Collection & Ors 2014 SCC OnLine Del 2031.
62
The IT-business process management sector revenues were estimated at around USD 130 billion in FY 2015-
16 and USD 154 billion in FY 2016-17. The contribution of the IT sector to India‘s GDP stood at 7.7% in 2016.
It is estimated that the sector will expand at a compound annual growth rate of 9.5% to USD 300 billion by

20
general principle of jurisdiction would require compliance with Indian law, to
facilitate smooth continuance of business, an exemption may be provided to
such industries on the condition that no personal data of Indians are collected
or further processed there. This would constitute an exception to putative
bases (ii) discussed above.

On this basis, the proposed law should apply to:

1. Processing of personal data collected, used, shared, disclosed or otherwise


processed in India (Territoriality).
2. To ensure that the jurisdiction under clause (1) is not overbroad, personal data
collected of persons present in India, directly by fiduciaries not present in
India who are not carrying on business in India or offering goods and services
in a targeted and systematic manner to persons in India, or processing personal
data in connection with profiling of data principals in India, may be excluded;
3. Personal data collected, used, shared, disclosed or otherwise processed by
Indian companies, irrespective of where it is actually processed. However, the
data protection law may empower the Central Government to exempt such
processors which only process the personal data of foreign nationals not
present in India (Territoriality).

II. Retrospective and Transitional Application of the Data Protection Law

The time at which the data protection law comes into effect will have to take into account the
twin interests of effective enforcement and fairness to data fiduciaries. It is thus
commonsensical that the law will not have retrospective application, i.e. it will not apply to
any processing activity that has been completed prior to this law coming into effect.

However, it is essential to keep in mind that if there is any ongoing processing activity at the
time the law comes into effect, then the data fiduciary must ensure that it is in compliance
with this law in relation to that activity. The subject matter of application of a data protection
law is the processing of personal data and not personal data itself. This means that merely
because some personal data has been collected prior to the commencement of the law, such
personal data is not excluded from the application of the law. In this context, the term
‗processing‘ is a broad term understood to include any kind of operation on personal data,
ranging from complex analysis and indexing to mere storage. As long as such processing is
ongoing after the law coming into force, it will be covered. On the other hand, if the
processing is complete before the law comes into force, the law will not be applicable to such
processing. For example, if a bank has retained the personal data of an account holder, the
law will be applicable to such storage as soon as it comes into force. However, if the bank has
deleted the personal data before the law comes into force so as to close the account, the law
will not be applicable.

2020. See IT & ITeS Industry in India, Indian Brand Equity Foundation, available at
<https://www.ibef.org/industry/information-technology-india.aspx> (last accessed on 23 April 2018).

21

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy