The legal framework that governs the extractive industries rests inside a broader set of rules governing the organization of the state and economic activities. A well-designed legal architecture should provide rules for how state institutions are structured; how companies acquire and manage licenses; the fiscal terms governing payments between companies and the state; environmental management; relationships between extractive projects and neighboring communities; the behavior of public officials active in the sector; public information disclosure and accountability; and how the government 2 Legal Framework will manage natural resource revenues. When companies begin to engage in a country, they must check that they are in compliance, or following, all of the rules in the legal framework of a country.
Legal frameworks comprise a set of documents that include the constitution, legislation, regulations, and contracts. How these documents relate to one another, which has more force than the other, is often referred to as a legal hierarchy
Moving from the bottom of the pyramid to the top, each instrument becomes increasingly detailed or specific. Each instrument on the pyramid should be consistent with the instruments below it. In a properly ordered legal hierarchy, a country would not agree to terms in a contract that conflict with rules established in regulation, legislation or the constitution. Also, laws and policy are supposed to have more authority than a contract—take precedence, in legal speak. In practice, however, contracts can also be written to explicitly override the laws and regulations.
DATA PROTECTION FRAMEWORK
India has no explicit statute relating solely to data protection and privacy. However, in the context of digital data processing, certain aspects of data protection are covered under the Information Technology Act of 2000 (‘IT Act’) and the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules of 2011 (‘Data Protection Rules’).
Government bodies and individuals engaged in data processing are not covered under the Data Protection Rules. Only companies, including firms, sole proprietorships, and associations of individuals engaged in commercial/professional activities (collectively, the ‘body corporate’) fall under the purview of these Rules.
In the context of data protection measures for data processing, the Rules distinguish between ‘sensitive personal data or information’ and other ‘personal information.’ ‘Personal information’ comprises information relating to a natural person which, in combination with other information, is directly or indirectly capable of identifying such natural person, and within its ambit exists the smaller subset of ‘sensitive personal data or information’: exhaustively pertaining to passwords, finances, health conditions, sexual orientation, medical records and history, and biometric information.
The key limitation of the Data Protection Rules is that ‘personal information’ is confined to information capable of identifying a particular person. Information of personal nature pertaining to other persons that are knowingly or unknowingly captured in the background—as in the case of the internet of things—is not covered by these Rules. The limited scope of ‘sensitive personal data or information’ is an additional limitation. As technology like the ‘internet of things,’ facilitates ubiquitous data collection, other sensitive personal information.
legal framework for protection big data in india and its adequacy