The Personal Data Protection Bill 2018 has been submitted by the Justice BN Srikrishna committee on Data protection after nearly a year of consultations. The Committee has submitted the draft bill and its report on Data Protection to the Ministry of Electronics and Information Technology (MeiTY) on Friday.
The committee has suggested measures to be taken when it comes to protecting personal information of Indian citizens, the role and duties of data processors, and the rights of individuals. The report also talks about the penalties that should be imposed for violation of these data protection measures.
“It is a monumental law and we would be like to have widest parliamentary consultation… We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” Minister Ravi Shankar Prasad said.
Justice Srikrishna said privacy has become a burning issue and therefore, every effort has to be made to protect data at any cost. He added that report straddles three aspects – citizens, the state and the industry. The 10-member committee was set up in July 2017 to recommend a framework for securing personal data in the digital world.
The Srikrishna report on data protection notes in regard to personal data, the individual expects that their personal data “will be used fairly,” and “in a manner that fulfils her interest and is reasonably foreseeable.”
It also adds that the “growth of the digital economy has meant the use of data as a critical means of communication between persons” and adds, “it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation.”
What the Personal Data Protection 2018 Bill says
The draft bill submitted by the committee notes that “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.”
The bill also notes that it is necessary to create trust between the individual who provide their data and those who process this. It says: “protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data…”
However, on the right to be forgotten, the bill notes that that ‘data principal’ which means the individual or the person providing their data, has a right to “right to restrict or prevent continuing disclosure.” But the bill does not allow for a right of total erasure like the European Union does.
It also gives a data processor considerable leeway when it comes to deciding on this ‘right to be forgotten.’ The bill notes that “the data fiduciary may charge a reasonable fee to be paid for complying with requests.”
The Data Protection Bill also calls for privacy by design on part of data processors, and defines terms like consent, data breach, sensitive data, etc.
It, however, shall not apply to processing of anonymised data. The bill says that “anonymisation” in relation to personal data, means the irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, meeting the standards specified by the Authority.
The government is not bound to accept the recommendations, but the final bill could be close to panel’s version.