What is the issue?
- Justice B.N. Srikrishna-headed expert panel has submitted its draft personal data protection Bill 2018.
- It has asked for critical personal data of Indian citizens be processed in centres located within the country.
What does the draft law state?
- The draft bill by the Srikrishna committee has come after a year-long consultation process that studied aspects of the data protection regime.
- The draft bill seeks to classify personal data of citizens into two categories namely critical and non-critical depending on its significance.
- Further, it seeks to mandate the processing and storage of data classified as critical within the Indian borders.
- It also proposes to allow non-critical data to be transferred outside India with some safeguards, although a copy of the same has to be retained locally.
- Significantly, it has left the aspect of what data gets classified as critical to the discretion of the union government.
What are the implications of the bill?
- The draft Bill, will apply to all processors of personal data within India.
- For data processors not present in India, the act will apply to those carrying on business in India or other personal data gathering activities such as profiling.
- Penalty - The draft also provides for penalties for violations and compensation to data subjects if their right to privacy is impinged.
- It has suggested a penalty of Rs.15 crore or 4% of the total worldwide turnover of any data collection/processing entity, for violating provisions.
- Further, failure to take prompt action on a data security breach can attract up to Rs.5 crore or 2% of turnover as a penalty.
- Permission - The bill seeks make the consent principle vital for aggregation of personal data, which needs to be given in advance.
- Further, it stresses the need for explicit consent for processing “sensitive personal data”, which should be sought specifically.
- The committee has also contemplated the implementation of the provisions in the bill in a structured manner and has ruled out retrospective application.
What are the other important metrics concerning the draft bill?
- The bill hasn’t commented on “Aadhaar” and allied privacy issues, as the issue is sub judice and is likely to be taken up soon in the Supreme Court.
- Further, the committee hasn’t considered data as property and it has termed the relationship between aggregator and the consumer as one based trust.
- The draft bill has recommended the setting up of a “Data Protection Authority” and “Appellate Tribunal” to prevent misuse of personal information.
- On right to be forgotten, the draft states data subjects will have the right to restrict or prevent disclosure of personal data by a data processor.
Source: The Hindu