NEW DELHI: In a big step forward on data privacy, the report submitted by Justice Srikrishna calls for focus on individual users’ content. India is one step closer to having its first data privacy law after a committee headed by Justice BN Srikrishna proposed a draft Personal Data Protection Bill that could form the basis of the country’s first data privacy law.
The bill essentially provides a framework and proposes regulations on how personal data is to be handled by various entities, including the state. The committee was set up in 2017 to look into and recommend a legislative framework for data privacy and to study and identify key data protection issues.
There are exemptions to the bill such as consent under special circumstances. A key exemption applies when there is a need to access data on citizens for national security reasons; in that case an exception will be made from the key rules that protect data. A key point with regard to this particular exemption is that it applies only when it is authorized by law. Similar exemptions have been included for personal data when it comes to police investigations or prosecution for an offence.
The bill in question has individual consent as its main theme. The report, in a broader sense, stated that a law to protect data would entail “individual privacy, ensure autonomy, allow data flows for a growing data ecosystem, and create a free and fair digital economy”. Justice Srikrishna outlines the three tenets of the policy – protection of citizens’ rights, clear definition of the responsibilities of the state and data protection not coming at the cost of trade and industry.
In the report, the committee stated that the existing laws in India did not protect an individual’s data privacy. The bill also outlines the penalties and punishments in case of any deliberate misuse of the data. Companies that violate the law face a fine ranging from Rs.5 crore or 2% of worldwide turnover to Rs.15 crore or 4% of worldwide turnover. Individuals face, depending on the sensitivity of the data, a 3 or 5 year jail term.
With respect to Aadhaar and UIDAI, the committee recommended two changes to the Aadhaar Act with respect to classifying requesting entities into two kinds - those who can request authentication and those who are limited to verifying the identity of individuals offline. The committee wants Aadhaar data to be better safeguarded. It also recommended autonomy for the UIDAI, stating that “the UIDAI must be autonomous in its decision-making, functioning independently of the user agencies, in the government and outside it, that make use of Aadhaar”.
Former Chairman of UIDAI, Nandan Nilekani, praised the report and the committee’s work, saying in part, “It reflects original thinking, and addresses both opportunities and challenges that are specific to India”. The Supreme Court recently declared the right to privacy as a fundamental right.
As the new bill comes to fruition, it would apply to data being collected, processed, disclosed and shared within Indian territory. Any and all personal data will need to be stored on servers located within India. In case there is a need to transfer any data outside the country, such transfers will be subject to safeguards.
One of the recommendations of the committee is the setting up of a Data Protection Authority, which would protect the interests of data principals, prevent misuse of personal data and ensure compliance with the safeguards and obligations. This would be done under the data protection frameworks of corporations, governments or any other entity that processes personal data; these entities are known as ‘data fiduciaries’. Data fiduciaries will have to conduct audits and have a data protection officer.
The introduction of the bill into parliament, when it does happen, will come at a pertinent time, when the conversation around data security is more widespread.