The high-level panel on data protection framework on Friday submitted its 67 page report to the government, suggesting steps for safeguarding personal information, defining obligations of data processors as also rights of individuals, and mooting penalties for violation.
Headed by Justice B N Srikrishna, the panel handed the report to IT Minister Ravi Shankar Prasad, wrapping up nearly one year of deliberations that touched upon sensitive and controversial issues.
The areas covered included consent, what comprises personal data including sensitive personal data, exemptions which can be granted, grounds for processing data, storage restrictions for personal data, individual rights and right to be forgotten.
Penalties may be imposed for violations of the data protection law. The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher.
The the data protection law will cover processing of personal data by both public and private entities.Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
“It is a monumental law and we would be like to have widest parliamentary consultation… We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” Prasad said.
He added that the report will go through the process of inter-ministerial consultations and Cabinet as well as parliamentary approval.
Justice Srikrishna said privacy has become a burning issue and therefore, every effort has to be made to protect data at any cost.
He added that report straddles three aspects – citizens, the state and the industry.
He stated that this report is the first step and as technology changes, it may become necessary to fine tune the law keeping with the changes.
The report touches on variety of issues including consent, rights of children, data protection authority and right to recall data.
As far as data storage is concerned, the report identifies circumstances under which data has to be mandatorily stored in India and cases where it can be stored with mirroring provisions. The report asserts that critical data has to be stored in India.
The government had constituted the 10-member committee in July 2017 to recommend a framework for securing personal data in the increasingly digitised economy as also to address privacy concerns and build safeguards against data breaches.
The report submitted today assumes significance given that public and private sectors are collecting and using personal data on an unprecedented scale and for various purposes, and instances of unregulated and arbitrary use, especially that of personal data, have raised concerns about privacy and autonomy of an individual.
Over the last one year, there have been reports of personal information being allegedly compromised with increasing use of biometric identifier Aadhaar in an array of services, as also data breach incidents in the private sector.
The recent data breach involving US-based social networking giant Facebook and British data analytics firm Cambridge Analytica has brought centre stage the issues around information privacy, user rights and consent policies, nudging companies and policymakers alike to review and strengthen privacy protection rules.
The Srikrishna committee held its last and final meeting earlier this week on July 25, where one of the members said on conditions of anonymity that the data protection framework, would spur amendments in a slew of existing legislations in areas like Aadhaar, RTI and health.