The Justice BN Srikrishna committee submitted its report on the data protection law on Friday. The report was keenly awaited by all for its implications on data handling and processing practices by both Indian as well as foreign companies along with government departments.
Justice Srikrishna handed over the report to union minister for electronics and IT, law and justice, Ravi Shankar Prasad.
Prasad said that the government will go through the draft bill and apply its mind, take stakeholder comments and seek Cabinet approval before finalizing the legislation. “The entire Parliamentary process will be followed,” he said without setting a timeline for it.
The government had set up the committee under the chairmanship of retired Supreme Court judge Srikrishna in August last year.
Justice Srikrishna said data privacy is a burning issue and there are three parts to the triangle. “The citizen’s rights have to be protected, the responsibilities of the states have to be defined but the data protection can’t be at the cost of trade and industry.”
The report has proposed penalties for violations, criminal proceedings, the setting up of a data authority, a provision for withdrawal of consent and the concept of consent fatigue.
The government had earlier expected the committee to submit its report by June end.
The committee’s recommendations on key issues such as consent, setting up of a data authority, definition of personal data and sensitive personal data along with data localisation are keenly awaited for their implications on tech majors such as Google, Facebook and Twitter among others.
Here are the major highlights of the report:
- The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
- Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
- The law will not have retrospective application and it will come into force in a structured and phased manner. The Aadhaar Act needs to be amended to bolster data protection.
- The data protection law will set up a DPA which will be an independent regulatory body responsible for the enforcement and effective implementation of the law. The Central Government shall establish an appellate tribunal or grant powers to an existing appellate tribunal to hear and dispose of any appeal against an order of the DPA.
- Penalties may be imposed for violations of the data protection law. The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher.
- The state can process data without the consent of the user on grounds of public welfare, law and order, emergency situations where the individual is incapable of providing consent, employment, and reasonable purpose.
- The law will cover processing of personal data by both public and private entities.
- Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
- Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework which will apply a product liability regime to consent thereby making the data fiduciary liable for harms caused to the data principal.
- Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee. Personal data determined to be critical will be subject to the requirement to process only in India (there will be a prohibition against cross border transfer for such data).
Telecom secretary Aruna Sundararajan, Unique Identification Authority of India CEO Ajay Bhushan Pandey, National Cyber Security coordinator Gulshan Rai and Vidhi Centre for Legal Policy research director Arghya Sengupta are other members of the committee along with Gopalakrishnan S, joint secretary, Ministry of Electronics and IT.
The other members of the committee will include Ajay Kumar, additional secretary, MeitY, Rama Vedashree, CEO of Data Security Council of India, Rishikesha T Krishnan, director of IIM, Indore and Rajat Moona, director of IIT, Raipur.