Justice B.N. Srikrishna-headed expert panel has submitted its draft personal data protection Bill 2018.
It has asked for critical personal data of Indian citizens be processed in centres located within the country.
What does the draft law state?
The draft bill by the Srikrishna committee has come after a year-long consultation process that studied aspects of the data protection regime.
The draft bill seeks to classify personal data of citizens into two categories namely critical and non-critical depending on its significance.
Further, it seeks to mandate the processing and storage of data classified as critical within the Indian borders.
It also proposes to allow non-critical data to be transferred outside India with some safeguards, although a copy of the same has to be retained locally.
Significantly, it has left the aspect of what data gets classified as critical to the discretion of the union government.
What are the implications of the bill?
The draft Bill, will apply to all processors of personal data within India.
For data processors not present in India, the act will apply to those carrying on business in India or other personal data gathering activities such as profiling.
Penalty - The draft also provides for penalties for violations and compensation to data subjects if their right to privacy is impinged.
It has suggested a penalty of Rs.15 crore or 4% of the total worldwide turnover of any data collection/processing entity, for violating provisions.
Further, failure to take prompt action on a data security breach can attract up to Rs.5 crore or 2% of turnover as a penalty.
Permission - The bill seeks make the consent principle vital for aggregation of personal data, which needs to be given in advance.
Further, it stresses the need for explicit consent for processing “sensitive personal data”, which should be sought specifically.
The committee has also contemplated the implementation of the provisions in the bill in a structured manner and has ruled out retrospective application.
What are the other important metrics concerning the draft bill?
The bill hasn’t commented on “Aadhaar” and allied privacy issues, as the issue is sub judice and is likely to be taken up soon in the Supreme Court.
Further, the committee hasn’t considered data as property and it has termed the relationship between aggregator and the consumer as one based trust.
The draft bill has recommended the setting up of a “Data Protection Authority” and “Appellate Tribunal” to prevent misuse of personal information.
On right to be forgotten, the draft states data subjects will have the right to restrict or prevent disclosure of personal data by a data processor.
