The Committee of Experts on a Data Protection Framework for India was constituted in August 2017 to examine issues related to data protection, recommend methods to address them, and draft a data protection Bill. Since it was chaired by Justice B. N. Srikrishna, it popularly came to be known as the Srikrishna Committee. And finally, on July 27, 2018, The Committee submitted its report and draft Bill to the Ministry of Electronics and Information Technology. Here is everything you need to know about SriKrishna Committee and Personal Data Protection Bill.
Current status of SriKrishna committee report and Personal Data Protection bill –
24th August marked the 1st anniversary of the historic judgement on the right to privacy by a Supreme Court bench. AADHAAR card became the “Aadhar” for many debates surrounding right to privacy and the question was on the constitutionality of AADHAAR. After weeks of secrecy, denial of information in RTIs about the proceedings of the Committee, the report as well as the draft legislation have now been placed in public domain. It is a welcome step to see a comprehensive data protection and privacy framework finally publicly proposed for India – home to over 1/5th of the world’s population and the second largest internet user base. However, the bill is still pending in the parliament in the draft stage.
Major Highlights of Personal Data Protection Bill –
The Committee observed that the regulatory framework has to balance the interests of the individual with regard to his personal data and the interests of the entity or a service provider who has access to this data. Therefore, the service provider processing the data is under an obligation to deal fairly and use the individual’s personal data for the authorised purposes only.
The Bill sets out the following obligations of the entity who has access to the personal data in order to prevent abuse:
(i) implementation of policies with regard to processing of data,
(ii) maintaining transparency with regard to its practices on processing data,
(iii) implementing security safeguards (eg. encryption of data), and
(iv) instituting grievance redressal mechanisms to address complaints of individuals.
The Committee also recommended setting up a regulator to enforce the regulatory framework. The Authority will have the power to inquire, investigate and take requisite actions with regard to any violations of the data protection regime.
The Bill provides for the establishment of a Data Protection Authority. The Authority is empowered to:
(i) take steps to protect the interests of individuals,
(ii) prevent misuse of personal data, and
(iii) ensure compliance with the Bill.
Orders of the Authority can be appealed to an Appellate Tribunal of the central government.
Grounds for processing sensitive personal data:
Sensitive data is related to intimate matters where there is a higher expectation of privacy (e.g., caste, religion, sexual orientation of the individual, passwords, financial data, biometric data, genetic data or political beliefs, or any other category of data specified by the Authority. Sensitive personal information should require the explicit consent of the individual.
The bill provides for the processing of sensitive personal data is allowed only on the grounds of :
(i) based on the explicit consent of the individual,
(ii) if necessary for any function of Parliament or state legislature, or, if required by the state for providing benefits to the individual, or
(iii) if required under law or for the compliance of any court judgement.
Transfer of data outside India and Data Localisation:
Personal data will need to be stored on servers located within India, and transfers outside the country will need to be subject to safeguards. Critical personal data, however, will only be processed in India. Personal data (except sensitive personal data) may be transferred outside India under the following conditions:
(i) where the central government has prescribed that transfers to a particular country are permissible, or
(ii) where the Authority approves the transfer in a situation of necessity.
Participation rights of the ‘data principals’: As they say, “data is the new oil”, protecting the rights of individuals in the circumstances where the line between public welfare and individual integrity seems to be blurred, assumes supreme importance. The rights of the individual are based on the principles of autonomy, self-determination, transparency, and accountability to give individuals control over their data. The Committee categorised these rights into three categories:
(i) the right to access, confirmation and correction of data.
(ii) the right to object; to data processing, automated decision making, direct marketing and the right to data portability.
(iii) the right to be forgotten: when the data principal withdraws consent from disclosure of their personal data or once the purpose of disclosing the data is fulfilled.
Offenses and Penalties: this provision is definitely the most iconic on in the draft bill. Srikrishna committee in its report and draft bill provide for severe monetary penalties.
Under the Bill, the Authority may levy penalties for various offenses by the fiduciary including
(i) failure to perform its duties,
(ii) data processing in violation of the Bill, and
(iii) failure to comply with directions issued by the Authority.
For example, under the Personal Data Protection Bill, the fiduciary is required to notify the Authority of any personal data breach which is likely to cause harm to the individual. Failure to promptly notify the Authority can attract a penalty of the higher of Rs 5 crore or 2% of the worldwide turnover of the fiduciary.
Amendments to other laws:
Personal Data Protection Bill, 2018 notes that various allied laws are relevant in the context of data protection because they either require or authorise the processing of personal data. The Personal Data Protection Bill makes consequential amendments to the following acts:
(i) The Committee has suggested recommendations to the Aadhaar Act 2016 to ensure the autonomy of the UIDAI and “bolster data protection”. These include offline verification of Aadhaar numbers and new civil and criminal penalties – through the ability to file complaints will remain with the UIDAI alone.
(ii) The Committee recommends the amendment to section 8(1)(j) of the RTI Act that pertains to the disclosure of personal information in the larger public interest. The old 8(1)(j) said there would be no obligation to reveal personal information which was not related to “public activity or interest”, or would be an invasion of privacy. It is a question of public interest vs. harm to the individual.
Will the Personal Data Protection Bill Make It To The Parliament?
Even though, prior to the release of the Srikrishna Committee report, there were speculations that the proposed draft bill might be introduced in the monsoon session of the parliament itself. However, according to a recent statement by IT Minister Ravi Shankar Prasad, “Being a very monumental law,…”, the ministry wants to ensure a wide parliamentary consultation before going ahead. The government plans to table the draft personal data protection bill submitted by Justice BN Srikrishna committee in Parliament by December after holding consultations with different ministries, industry representatives, and the public.