Personal Data Protection Bill, 2018: Justice Srikrishna Committee submits report on data protection
The Justice BN Srikrishna Committee submitted its report on the data protection law to Ravi Shankar Prasad, Union Minister for Electronics and IT and for Law and Justice, on July 27, 2018.
The Bill will apply to processing of personal data within India, including the State.
Provisions of the draft bill
• The draft Personal Data Protection Bill, 2018 proposes that critical personal data of Indian citizens shall be processed in centres located within the country.
• Personal data will be processed on the basis of the consent of the data principal; sensitive personal data will be processed on the basis of “explicit consent.”
• The draft law leaves it to the Central Government to notify categories of personal data that will be considered as critical.
• Some of the personal data can be transferred outside the territory of India with some riders. However, at least one copy of the data will need to be stored in India.
• For data processors outside India, the law will apply to those carrying on business in India or other activities such as data profiling which could cause privacy harms to data principals in India.
• It recommends setting up a Data Protection Authority (DPA) to prevent misuse of personal information and also provides for setting up an Appellate Tribunal.
• The data principal will have the right to restrict or prevent continuing disclosure of personal data by a data processor.
• Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe and religious beliefs of an individual.
• It provides for penalties on data processors, as well as compensation to data principals, for violations of the data protection law.
• It suggests a penalty of Rs 15 crore or 4 percent of the total worldwide turnover of any data collection entity for violating provisions.
• Failure to take prompt action on a data security breach can attract up to Rs 5 crore or 2 percent of turnover as a penalty.
• The law will not have retrospective application and will come into force in a structured and phased manner.
Stringent norms for data protection of children
• It suggests stringent norms for protecting the data of children, recommending that companies be barred from certain types of data processing such as behavioural monitoring, tracking and any other type of processing which is not in the best interest of the child.
• The Data Protection Authority will have the power to designate websites or online services that process large volumes of personal data of children as “guardian data fiduciaries”.
• Placing the onus of properly processing the data of a child on the company is preferable to the existing regulatory approach, which is based solely on a system of parental consent.
Now, the draft law will go through the process of inter-ministerial discussions and the Cabinet as well as parliamentary approval. Once it becomes an Act, it will become a model framework for protection of personal data for the world.