Key takeaways from Justice Srikrishna report on Data Protection
Justice Srikrishna handed over the report to union minister for electronics and IT, law and justice, Ravi Shankar Prasad, who will review the report before submitting it to PM Narendra Modi
On Friday, the Government released Justice BN Srikrishna Committee of Experts Report on Data Protection as well as a Personal Data Protection Bill, 2018. The report is titled, “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians”, which was submitted during a press event at the IT Ministry. The 10-member committee was set up in July 2017 to recommend a framework for securing personal data in the digital world.
Justice Srikrishna handed over the report to union minister for electronics and IT, law and justice, Ravi Shankar Prasad, who will review the report before submitting it to PM Narendra Modi.
The committee has suggested measures to be taken when it comes to protecting personal information of Indian citizens, the role and duties of data processors, and the rights of individuals. The report also talks about the penalties that should be imposed for violation of these data protection measures.
“We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” said Prasad in certain sections of media, on receiving the report.
Justice Srikrishna said privacy has become a burning issue and therefore, every effort has to be made to protect data at any cost. The report covers three aspects – citizens, the state and the industry.
Highlights of the Personal Data Protection 2018 Bill:
The draft bill submitted by the committee says, “The right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy. Protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data…”
However, on the right to be forgotten, the bill notes that that ‘data principal’ which means the individual or the person providing their data, has “right to restrict or prevent continuing disclosure.” This means they will be able to restrict or prevent any display of their personal data once the purpose of disclosing the data has ended, or when the data principal withdraws consent from disclosure of their personal data. This right is one of several given to data principals, including the right to confirm what information is being held or disclosed about them, and to get this corrected if necessary. It also gives a data processor considerable leeway when it comes to deciding on this ‘right to be forgotten.’
However, it allows processing considered necessary for functions of state and central governments and prevention of offense and contravention of law.
The Bill also calls for privacy by design on part of data processors.
Personal data will need to be stored on servers located within India, and transfers outside the country will need to be subject to safeguards. Critical personal data, however, will only be processed in India.
The Committee recommends that “sensitive” personal data (such as passwords, financial data, sexual orientation, biometric data, religion or caste) should not be processed unless someone gives explicit consent – which factors in the purpose of processing.
The Committee has also recommended setting up a Data Protection Authority which is supposed to “protect the interests of data principals”, prevent misuse of personal data and ensure compliance with the safeguards and obligations under the data protection framework by corporations, governments or anyone else processing personal data (known as “data fiduciaries”). The obligations on data fiduciaries include conducting audits and ensuring they have a data protection officer and grievance redressal mechanism – the Authority will need to publish Codes of Practice on all these points. The Authority shall have the power to inquire into any violations of the data protection regime, and can take action against any data fiduciaries responsible for the same.The Aadhaar Act too needs to be amended to bolster data protection.
Prasad said the report will go through the process of inter-ministerial consultations and Cabinet as well as parliamentary approval.
WhatsApp, Instagram, LinkedIn, Twitter, Facebook & Youtube