In August 2017, the central government formed a 10-member committee chaired by retired Supreme Court judge BN Srikrishna to create a draft for the data protection and privacy laws in India.
Now, after close to the year of the committee formation, it has submitted the committee's proceedings, key findings pertaining to recent reports of Aadhaar data leak and also a draft for the new legislation on data protection titled, 'The Personal Data Protection Bill, 2018' to Law and Electronics Minister Ravishankar Prasad.
The government is expected to go through the draft, key points of privacy policy and hold a meeting with all the stakeholders before calling the cabinet meeting for finalising new legislation.
In the report, Justice Srikrishna, considering the recent spate of user privacy data scandals including Facebook Cambridge Analytica fiasco and the frequently occurring Aadhaar data breaches, has said the citizen's right to privacy should not be compromised at the cost of trade and industry and urged the central government to frame well-defined responsibilities for the states to follow.
It has also urged the government to make amendments to Aadhaar Act to have a clear-cut framework to deal with individual issues with enforceable action and most importantly, remedies to make sure there won't be any recurrence of data leak either by state-run public offices or by private companies.
Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data and data that reveals transgender status, inter-sex status, caste, tribe, religious or political beliefs or affiliations of an individual.
A person under the age of 18 is considered as a child and the committee has put the onus on data fiduciaries to ensure that processing is undertaken keeping the best interests of the child in mind.
If the state or any private institutions are found guilty of leaking aforementioned personal identifiable details, they shall be booked for violating data protection law with a severe monetary penalty, in addition to compensating the victim.
"The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the proceeding financial year, whichever is higher. Offences created under the law should be limited to any intentional or reckless behaviour, or to damage caused with the knowledge to the data principals in question," IANS quoted SN Srikrishna committee report.
The newly proposed data protection bill also gives the rights to the citizens for data portability, subject to limited exceptions, the right to object to processing; the right to object to direct marketing, right to object to decisions based on the solely automated processing.
It also gives the right to be forgotten, with the Adjudication Wing of the Data Protection Act determining its applicability on the basis of the five-point criteria below:
(1) The sensitivity of the personal data sought to be restricted;
(3) The scale of disclosure or degree of accessibility sought to be
restricted;
(3) The role of the data principal in public life (whether the data principal
is publicly recognisable or whether they serve in public office);
(4) The relevance of the personal data to the public (whether the passage
of time or change in circumstances has modified such relevance for
the public)
(5) The nature of the disclosure and the activities of the data fiduciary (whether the fiduciary is a credible source or whether the disclosure is a matter of public record; further, the right should focus on restricting accessibility and not content creation).
Here's what technology companies responded to Srikrishna committee report:
"This bill provides a strong foundation of protection for Indians' privacy, but it is not without loopholes - in particular, the requirement to store a copy of all personal data within India, creating broad permissions for government use of data, and the independence of the regulator's adjudicatory authority. We welcome the Government's commitment to a public consultation process, which we hope will rectify the cracks in this foundation," Amba Kak, Policy Advisor, Mozilla India said to International Business Times India.
"The draft report is a good first step towards enabling and enforcing the right to privacy, that the supreme court has now ruled to be a fundamental right. I am happy to see the comprehensive coverage and inclusion of accountability and punitive damages. It is important however to plug gaps that may allow certain public entities or constitutional authorities from claiming exemptions. I also feel that given the pervasive impact and importance of Aadhaar data, UIDAI and allied services, more needs to be done to empower the individual (data principal) in understanding who has access to what data, how and provide them with the means to take direct action against misuse or mishandling of such data." Dr Pandurang Kamat, Chief Technologist and Associate CTO at Persistent Systems said to International Business Times, India Edition.