In a historic development toward framing the country's first law on data protection, the Justice Srikrishna panel on Friday submitted its draft report on the protection and storage of local and personal data. The 213-page draft bill advocated the idea of 'explicit' consent for sensitive data.
The committee, which was set up in 2017 to recommend a legislative framework for data privacy, submitted its report to the Union Minister for Law and Justice, and Electronics and Information Technology, Ravi Shankar Prasad. The government is likely to go through the proposed bill and discuss it with all the stakeholders before enacting it in Parliament.
Here are the key recommendations made by the Srikrishna panel:
- The law will apply to the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. As an exception, if the data is processed by fiduciaries outside India, the law will be applied to the businesses in India. The law will not be applied retrospectively.
- The data protection law calls for the establishment of a Data Protection Authority (DPA), which will be an independent regulatory body with the responsibility of enforcing and effectively implementing the law. The central government shall set up an appellate tribunal, or grant power to an existing appellate tribunal, to hear and dispose of any appeal against an order of the DPA.
- Passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual shall be considered as sensitive personal data
- The state has the power to process data without the consent of the user only in some special circumstances. The special cases mentioned in this regard are the grounds of public welfare, law and order, emergency situations where the individual is incapable of providing consent, employment and reasonable purpose.
- The law also calls for penalties for violations of the data protection law. The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher.
- Explicit consent from the person is required before using, sharing, disclosing, collecting or otherwise processing data in India.
- The law covers the processing of personal data by both public and private entities
Critics of the new report have pointed out that the regulation it suggests lacks teeth to deal with data breaches. Specifically, the recommendations by the panel are lax when it comes to the right to be forgotten and data privacy.
Some security experts have also raised concerns over the panel's recommendation of storing data locally. The Srikrishna committee asks companies to store a copy of the data of Indian nationals within the country, meaning that companies can still keep data elsewhere as well. Experts say that this helps the government easily access data, but does almost nothing to protect the privacy of a person.