The Draft Personal Data Protection Bill, 2018, submitted by Justice BN Srikrishna
Why we need data protection law
- At present, India does not have a separate law for data protection, which is essential for the 21st-century global digital landscape.
- Efficient management of data in the age of Big Data
- Big data is a term used for voluminous and diverse data; traditional data-processing application software is inadequate to deal with it.
- One of the major challenges of big data is information privacy, which necessitates robust data protection.
- Right to privacy is now a fundamental right. The right to privacy encompasses the right to have data protected.
- Unauthorized leaks, hacking, cyber-crimes, and frauds. The economic cost of data loss/theft is high.
- Improve business processes and secure digital payments
- Restrict the use of data by data-colonizing companies such as Facebook and WhatsApp
Existing Approaches to Data Protection
The BN Srikrishna committee talks about broadly three existing approaches to data protection:
- The US follows a laissez-faire approach and does not have an overarching data protection framework.
- In the US, there is no single, comprehensive federal (national) law regulating the collection and use of personal data. It has a system of federal and state laws and regulations which at times overlap.
- The EU has recently enacted the EU GDPR, which came into force on 25 May 2018. This replaces the Data Protection Directive of 1995.
- It is a comprehensive legal framework that deals with all kinds of processing of personal data while delineating the rights and obligations of parties in detail.
- China has approached the issue of data protection primarily from the perspective of averting national security risks.
- Its cyber security law, which came into effect in 2017, contains top-level principles for handling personal data.
BN Srikrishna committee
The Centre constituted the BN Srikrishna Committee (2017) to identify “key data protection issues” and suggest a draft data protection Bill.
Key Recommendations of committee report
- The committee tried to balance the growth of India’s digital economy and the protection of personal data. Three important aspects of the report:
- Citizen: the citizen must be at the top
- State: the responsibility of the state has to be defined
- Trade: Data protection cannot be at the cost of trade and industry
- Applicability of the law
- The committee’s report recommends that the law should be applicable to the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
- It covers companies incorporated under Indian law, irrespective of whether the data is actually processed in India or not.
- In the case of fiduciaries that are not present in India (e.g. Facebook), the law is applicable to those who carry out business in India.
- Penalties may be imposed for violations of the data protection law.
- Definition of personal data
- Personal data is information that relates to an identified or identifiable individual
- The committee has categorized data into two types: personal data and sensitive personal data.
- Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
- However, the committee has given just a broad definition of personal and sensitive data. It has left it to the government to notify the categories of data that will be critical.
- Processing of personal data
- The report says that the law should cover the processing of personal data by both public and private entities.
- Consent should be taken before the processing of personal data. There is a rider on the processing of sensitive personal data.
- Individuals have the right to withdraw consent.
- The committee has proposed that critical personal data of Indian citizens be processed in centers located within the country.
- However, the state can process data without the consent of the user on grounds of public welfare, law and order, emergency situations where the individual is incapable of providing consent, employment, and reasonable purpose.
- Storage restriction for personal data
- The draft bill states that every data fiduciary shall ensure the storage of at least one serving copy of personal data on a server or data centre located in India.
- The committee has identified at least 50 laws, such as the Aadhaar Act, RTI Act and IT Act, which have a “potential overlap” with the data protection framework. The proposed framework, therefore, suggests amendments to these laws.
- A data protection fund and a data protection awareness fund are to be set up through proceeds from penalties and fines.
- The data protection law will set up a Data Protection Authority which will be an independent regulatory body responsible for the enforcement and effective implementation of the law.
- The committee recommends that the Data Protection Authority will have the power to designate websites or online services that process personal data of children
- The Central Government shall establish an appellate tribunal or grant powers to an existing appellate tribunal to hear and dispose of any appeal against an order of the DPA.
- Amending the 50 existing laws/regulations would be a tough task for the government.
- Amendments to the RTI and Aadhaar Acts may dilute the existing laws.
- Critics say that the bill's provision treating violations as criminal offences, along with fines and compensation, is excessive and would greatly impact the enforcement mechanism.
- The storage of one copy of personal data in India will impose additional costs on companies.
- Under the bill, all financial data has been classified as sensitive personal data, which may be detrimental to financial institutions.
- Restrictions on the cross-border flow of data may prove detrimental in the era of the global digital economy.
- It is important to strike the right balance between the digital economy and privacy protection.
- The government must incorporate suggestions from various stakeholders on the draft bill before finalizing it.
- Privacy should not be used to undermine government transparency. The data protection law should be framed such that it does not make the government opaque and unaccountable.