The draft personal data protection Bill 2018, submitted by the Justice B.N. Srikrishna-headed expert panel on Friday, has proposed that critical personal data of Indian citizens be processed in centres located within the country.
The draft law, which comes after a year-long consultation process, however, has left it to the Central government to notify categories of personal data that will be considered as critical.
A copy in India
Other personal data may be transferred outside the territory of India with some riders. However, at least one copy of the data will need to be stored in India. The draft Bill, which India hopes will become a model framework for protection of personal data for the world, will apply to processing of personal data within India, including the State.
For data processors not present in India, the Act will apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India. The draft also provides for penalties for data processor as well as compensation to data principal to be imposed for violations of the data protection law. It has suggested a penalty of ₹15 crore or 4% of the total worldwide turnover of any data collection/processing entity, for violating provisions. Failure to take prompt action on a data security breach can attract up to ₹5 crore or 2% of turnover as a penalty.
Personal data, the draft law states, may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing. It added that processing of sensitive personal data should be on the basis of “explicit consent.” The law, the committee in its recommendations said, will not have retrospective application and will come into force in a structured and phased manner. “Processing that is ongoing after the coming into force of the law would be covered.”
Hailing it as a “monumental law”, Minister of Electronics and IT, at a press conference said the “widest parliamentary consultation” will be held and the report and draft law will go through the process of inter-ministerial discussions and the Cabinet as well as parliamentary approval.
Justice Srikrishna stated that this report is the first step towards data protection and as technology changes, it may become necessary to fine-tune the law. The report and the draft Bill are “like buying new shoes. It will be tight in the beginning but will be comfortable later,” Justice Srikrishna said.
He, however, did not comment on Aadhaar as the issue is sub judice. Asked about ownership of data, he said the committee has not treated data as property as the relationship between the individual and entities with whom the individual shares his personal data is one that is based on a fundamental expectation of trust.
The draft Bill, which has recommended that a Data Protection Authority be set up to prevent misuse of personal information, also provides for setting up an Appellate Tribunal.
On right to be forgotten, the draft states that data principal will have the right to restrict or prevent continuing disclosure of personal data by a data processor.