Seek explicit consent for sensitive data, steep penalty on violators: Srikrishna panel tells Govt


Justice B N Srikrishna addresses the media after submitting a report on 'Data Protection Framework' to Union Law Minister Ravi Shankar Prasad, in New Delhi on Friday, July 27,2018. (PTI Photo)

Justice B N Srikrishna addresses the media after submitting a report on ‘Data Protection Framework’ to Union Law Minister Ravi Shankar Prasad, in New Delhi on July 27,2018. (PTI Photo)

Amid a sharp rise in data breaches, a new legislation on July 27, 2018 proposed taking explicit consent of individuals before sensitive personal information like religious or political beliefs, sexual orientation and biometric information is processed.

It also said critical data will have to be stored and processed only within India.

The draft legislation, which could affect how global companies store data in India, also provides for the right to be forgotten and prescribed steep penalties for violations.

The draft of Personal Data Protection Bill, 2018 — which is based on the recommendations of the government-constituted, high-level panel set up in 2017 and headed by Justice B N Srikrishna — restricts and imposes conditions on the cross-border transfer of personal data, and suggests setting up of Data Protection Authority of India to prevent any misuse of personal information.

The panel submitted its report on data protection as also the draft of the bill to IT Minister Ravi Shankar Prasad, wrapping up nearly one year of deliberations.

In its 213-page report, the panel asked the government to determine categories of sensitive personal data which are critical to the nation, and said such data can be processed “only in India”.

The draft legislation, which would go to Parliament after stakeholder consultation, provides for a penalty of Rs 15 crore or 4 per cent of the total worldwide turnover of any data collection entity, including the state, for violation of personal data processing provisions.

Failure to take prompt action on a data security breach can attract up to Rs 5 crore or 2 per cent of turnover, whichever is higher, as penalty. Once passed by parliament, the framework will override all legislations dealing with data privacy and collection, including Aadhaar.

“The Bill provides that right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy,” the draft said.

It allowed processing of personal data only for the purpose it is collected, for compliance with laws, employment as well as any function of parliament or state legislature.

‘Sensitive personal data’ comprises passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, caste or tribe and religious or political belief or affiliation. These can be handled only with explicit consent of an individual.

“The draft does not give users ownership of their data and deprives them of control that they need to be able to delete data from collectors like Facebook and Google. Also, there is no restriction on mass surveillance by government,” Nikhil Pahwa, a digital rights activist, said.

He further said it is not feasible to expect every website or app to mirror the data in India and added that doing so will be a “direct attack” on the global nature of internet.

Another area of concern is that the draft does not mandate entities to inform or disclose data breach incidents that may occur, he said.

NASSCOM-DSCI said while the Bill builds on the Supreme Court judgement advocating privacy as a fundamental right, mandating localisation of all personal data is “likely to become a trade barrier in the key markets”.

“Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets,” it said in a statement.

It restricts cross-border transfer of personal data and gives exemption on use of personal data for national security, crime investigation, legal proceedings and certain journalistic purpose.

Besides setting up of Data Protection Authority of India — aimed at preventing misuse of personal data, ensuring compliance and promoting awareness of data protection — the draft also provides for setting up of an Appellate Tribunal.

Compensation has to be given to any person who has been wronged, the draft has suggested.

The draft bill makes obtaining, transferring or selling of personal data in contravention an offence.

It has emphasised that it is necessary to create a collective culture that “fosters a free and fair digital economy”, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation.

The Bill in the works aims to “protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data.”

The areas covered included consent, what comprises personal data including sensitive personal data, exemptions which can be granted, grounds for processing data, storage restrictions for personal data, individual rights and right to be forgotten.

“It is a monumental law and we would be like to have widest parliamentary consultation… We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” IT Minister Ravi Shankar Prasad said at a conference.

He added that the report will go through the process of inter-ministerial consultations and Cabinet as well as parliamentary approval.

Justice Srikrishna said privacy has become “a burning issue” and therefore, every effort has to be made to protect data at any cost.