The high-level panel on data protection framework submitted its report to the government on Friday, suggesting steps for safeguarding personal information, defining obligations of data processors as also rights of individuals, and mooting penalties for violation.
Headed by Justice B N Srikrishna, the panel handed the report to Information Technology Minister Ravi Shankar Prasad, wrapping up nearly one year of deliberations that touched upon sensitive and controversial issues.
The areas covered included consent, what comprises personal data including sensitive personal data, exemptions which can be granted, grounds for processing data, storage restrictions for personal data, individual rights and right to be forgotten.
"It is a monumental law and we would be like to have widest parliamentary consultation... We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation," Prasad said.
He added that the report will go through the process of inter-ministerial consultations and cabinet as well as parliamentary approval.
Justice Srikrishna said privacy has become a burning issue and therefore, every effort has to be made to protect data at any cost.
He added that the report straddles three aspects -- citizens, the state and the industry.
He stated that this report is the first step and, as technology changes, it may become necessary to fine-tune the law in keeping with the changes.
The report touches on a variety of issues including consent, rights of children, data protection authority and right to recall data.
Recognising privacy as a fundamental right, the draft personal data protection bill proposed 'explicit consent' for processing 'sensitive personal information' like religious or political belief, sexual orientation and biometric information.
It also provided for the right to be forgotten and prescribed steep penalties for violations.
The draft provides for a penalty of Rs 15 crore or 4 per cent of the total worldwide turnover of any data collection entity, including the state, for violation of personal data processing provisions.
Failure to take prompt action on a data security breach can attract up to Rs 5 crore or 2 per cent of turnover, whichever is higher, as a penalty.
‘The Bill provides that right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy,’ the draft said.
It allowed processing of personal data only for the purpose for which it is collected or for compliance with any law, employment and for any function of Parliament or any state legislature.
'Sensitive personal data' comprises passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, caste or tribe and religious or political belief or affiliation.
According to the draft, personal data means ‘data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information’.
‘Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing,’ it said, adding that processing of sensitive personal data should be on the basis of explicit consent.
It provides for the processing of personal data only for purposes that are clear, specific and lawful. Collection of personal data has been limited to such data that is necessary for the purposes of processing.
The data fiduciary, which includes the state, has to inform the individual of the purpose for which the personal data is to be processed.
It will retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed. It provides for the right to be forgotten after the particular purpose has been served.
The draft restricts cross-border transfer of personal data and gives exemption on use of personal data for national security, crime investigation, legal proceedings and certain journalistic purposes.
Besides the Data Protection Authority of India to prevent any misuse of personal data, ensure compliance and promote awareness of data protection, it also provides for setting up of an Appellate Tribunal.
Compensation has to be given to any person who has been wronged, it has suggested.
The draft bill makes obtaining, transferring or selling of personal data in contravention an offence.
It has stated that it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation.
The Bill in the works aims to ‘protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data’.
As far as data storage is concerned, the report identifies circumstances under which data has to be mandatorily stored in India and cases where it can be stored with mirroring provisions. The report asserts that critical data has to be stored in India.
The government had constituted the 10-member committee in July 2017 to recommend a framework for securing personal data in the increasingly digitised economy as also to address privacy concerns and build safeguards against data breaches.
The report submitted on Friday assumes significance given that public and private sectors are collecting and using personal data on an unprecedented scale and for various purposes, and instances of unregulated and arbitrary use, especially that of personal data, have raised concerns about privacy and autonomy of an individual.
Over the last one year, there have been reports of personal information being allegedly compromised with increasing use of biometric identifier Aadhaar in an array of services, as also data breach incidents in the private sector.
The recent data breach involving social networking giant Facebook and British data analytics firm Cambridge Analytica has brought centre stage the issues around information privacy, user rights and consent policies, nudging companies and policymakers alike to review and strengthen privacy protection rules.
The Srikrishna committee held its last and final meeting earlier this week on July 25, where one of the members said on condition of anonymity that the data protection framework would spur amendments in a slew of existing legislations in areas like Aadhaar, Right to Information and health.