This submission is to the Committee of Experts on a Data Protection Framework for India on its White Paper, structured around the ‘Provisional Views’ set out by the Committee in each Chapter of the White Paper. A few of the main points made in the Submission are as follows.

The White Paper mistakenly assumes ‘that there are two distinct models in the field of data protection’, an EU model, and a US model, whereas in fact over 120 countries have enacted data privacy laws, and the current global standard of data privacy laws, even outside Europe, is closer to the EU Directive than the OECD Guidelines. There is one global standard – and then there is the US, increasingly isolated. As a result of the Supreme Court’s Puttaswamy decision, India’s position is, in general, the same as the EU’s position: privacy is a fundamental inalienable right, with the ability of governments to derogate from it requiring considerable justification. There are many other reasons why India should adopt a global ‘gold standard’ data privacy law, but Puttaswamy also adds an element of necessity. In addition, a new data protection law for India, coupled with Puttaswamy’s implications, will create a completely new opportunity to obtain a positive ‘adequacy’ finding from the EU.

More specific submissions concerning the White Paper’s approach include the following:
• The White Paper is deficient in not sufficiently recognizing the role of privacy by design and default.
• Indian governments need to allocate sufficient resources to fund data protection authorities (DPAs) with ‘sufficient capacity’ to effectively administer data protection at both national and state levels.
• India should assert jurisdiction where goods and services are offered remotely to those in India, or where there is a business with an establishment in India, and consider including processing which involves monitoring activities of persons in India, from outside India.
• Some limited exemptions from the law, in both the public and private sectors, should apply but should have to meet the tests set out in Puttaswamy.
• The standard international definition of ‘personal data’, based on identifiability, needs to be extended somewhat to provide protection against technologies which include information enabling interactions with the person on the basis of their personal characteristics, even without identifiability.
• Extra protection for categories of ‘sensitive information’ should apply to biometric data, and any identifiers of general application (including Aadhaar).
• India should deal with data export limitations in a way similar to the EU’s ‘adequacy’ approach, with its DPA having the ability to determine which countries meet such criteria. An Indian DPA could also decide to trust the decisions concerning adequacy that are made by one or more other international data protection authorities (e.g., under EU or Council of Europe instruments).
• Data minimisation (‘the practice of limiting the collection of personal information to that which is necessary to accomplish a specified purpose’) has not been made irrelevant by technological developments, and should be re-asserted.
• If a ‘reasonable expectations’ test is used as a means of determining what are compatible / incompatible proposed additional uses of data, it is important these do not include ‘expectations’ that are formed because of what data controllers say they intend to do with data, irrespective of whether data subjects wish such uses to be made.
• Both (i) automatic deletion or de-identification, and (ii) deletion on request are now recognised as normal rights of data subjects, and should be part of India’s law.
• Data portability is a necessary new right, with social networks, and with any other online systems where individuals have invested a considerable amount of time in curating information produced by themselves (UGC, user-generated content).
• The White Paper is mistaken in its support for co-regulatory models, which have had little successful take-up anywhere in the world. ‘Flexibility’ can be achieved by other means.
• Adjudication officers (AOs) under the IT Act do not have the necessary independence to investigate government, and the existing system has been a complete failure in relation to privacy issues.
• It is reasonable to require data subjects to complain first to data controllers only when those data subjects have an easily identifiable Data Protection Officer (DPO) or grievance redressal officer. Otherwise, data subjects should have the option to approach the DPA directly.
• Data subjects should always have the right to appeal to a court/tribunal against the actions of a DPA, even when the DPA has not made a formal ‘decision’.
• Where the DPA takes suo moto (on its own motion) action it is essential that the DPA can exercise all of the same remedial actions it can take when it receives a complaint.
• The Indian government needs to give sufficient resources and independence not only to its DPA, but also to the body that hears appeals from the DPA. The Telecom Disputes Settlement and Appeals Tribunal (TDSAT) is a dubious choice.
• Both civil penalties and compensation are now part of most modern data privacy laws.
• There is no reason why the DPA itself cannot award compensation, with a right of appeal to a court or tribunal. It will not help India to develop good data protection policies, and consistent remedies, if initial investigation of some complaints is done by the DPA, and others by the NCDRC.
• The preferable approach to civil penalties (fines) is that the DPA set fines subject to an upper limit linked to a variable parameter such as a percentage of the annual turnover of the defaulting data controller.