The proposed data protection bill, making offences cognisable and non-bailable, is a deterrent for businesses who wilfully do wrong as giant corporations can otherwise get away with flagrant breaches “merely by throwing the fine monies”, Justice B Srikrishna has said.


“Every modern statute has a criminal liability clause. That is a deterrent for those who will do wrong intentionally or grossly negligently. Without such provision, merely imposing civil liabilities will make the law a toothless tiger as giant corporations can and will get away with flagrant breaches merely by throwing the fine monies,” he said.


Data privacy is a fundamental right emanating from Article 21, as held by the Supreme Court in the Puttaswamy case, and breach of fundamental right must be viewed very seriously, he added. Some businesses are gripped with fear about making offenses cognisable and non-bailable under the bill by saying this will make it tougher for businesses.They have argued that it would force companies and executives to deal with criminal machinery, instead of focusing on business, he said.


The central government had constituted the 10-member committee, headed by Justice Srikrishna, in July 2017 to recommend a framework for securing personal data in the increasingly digitised economy, as also to address privacy concerns and build safeguards against data breaches.


The committee had submitted its report to the government on July 27, suggesting steps for safeguarding personal information, defining obligations of data processors as also rights of individuals, and mooting penalties for violation.


On “right to be forgotten” provision, Srikrishna said it cannot be exercised unilaterally without considering the consequences of one’s action on persons who may have benefitted and innocently entered into transactions for downstream processing of data, which would give rise to a series of legal liabilities.


The proposed legislation contains a provision for the ‘Right to be Forgotten’, which is in line with European data privacy laws such as General Data Protection Regulation. While the draft bill does not insist on personal data of residents of India to be stored only in India, it has made an enabling provision where the government can notify categories of personal data as critical data, which would be only stored
in India.


The rule is always that the one who causes the ultimate liability must be held liable for his actions, he said. “Again, there could be statutory restrictions on deletion of data as data may have to be maintained to meet legal obligations for a long time,” he said.


“Personal data may be critical if it relates to someone who holds a critically important position, say like officers of the defence forces, ISRO scientists, missile scientists, atomic energy personnel and even Judges of High Courts and the Supreme Court,” he said.


Asked why the recommendations on Aadhaar Act were kept outside the purview of the committee’s work, he said it would amount to contempt of court, since the case is pending before the apex court. “Again, all observations would be subject to Aadhar Acts constitutional validity being upheld. Why make hypothetical observations without knowing that for sure?” he asked.