After a long wait, the Government on Friday released the Justice BN Srikrishna Committee of Experts' Report on Data Protection, along with a Personal Data Protection Bill, 2018.
Applicability of the law
The committee’s report recommends that the law should be applicable to processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. However, it asserts that in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.
Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, it empowers the Centre to exempt companies which only process the personal data of foreign nationals not present in India.
Definition of personal data
The definition of personal data has been stipulated to be based on the standard of “identifiability”. The “Data Protection Authority” (DPA) has been tasked with issuing guidance explaining the standards in the definition as applicable to different categories of personal data in various contexts.
Opining that a “broad and flexible” definition of personal data should be adopted, the report explains, “Identifiability in circumstances where the individual is directly identifiable from the presence of direct identifiers such as names is perhaps uncontroversial and will obviously be included within the scope of any definition of personal data. The definition should also, in addition, apply to contexts where an individual may be indirectly identifiable from data that contains indirect identifiers.
Whether indirect identification is possible is often a question of the means available to a data fiduciary and the nature of data available to the fiduciary to combine with the original data. The question of means could also be related to cost and prevalence of methods of analysis having regard to the state of technology. Thus, even where an individual is not directly identifiable, data about such an individual must be treated as personal if it is possible that he or she may be identified having regard to these factors.”
Processing of personal data
The report says that the law should cover processing of personal data by both public and private entities. Sensitive personal data is meant to include passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric and genetic data, and data that reveals the transgender status, intersex status, caste, tribe, or religious or political beliefs or affiliations of an individual. However, the DPA has been given the residuary power to notify further categories in accordance with the criteria set by law.
Further, consent, it says, will be the lawful basis for processing of personal data. As per the report, for consent to be valid it should be free, informed, specific, clear and capable of being withdrawn, and for sensitive personal data, consent will have to be explicit.
Data Principal Rights
The committee suggests that the rights to confirmation, access and correction should be included in the data protection law, and that the right to data portability should be included subject to limited exceptions. However, the right to object to processing, the right to object to direct marketing, the right to object to decisions based solely on automated processing, and the right to restrict processing have been recommended to be kept out of the purview of the law.
As regards the right to be forgotten, the committee states that it may be adopted, with the Adjudication Wing of the DPA determining its applicability on the basis of a five-point criteria. It, however, clarifies that the right shall not apply if the DPA finds that the “interest of the data principal in limiting the disclosure of her personal data does not override the right to freedom of speech and expression as well as the right to information of any other citizen.”
Amendments in different laws
The committee has also identified a list of 50 statutes and regulations which have a “potential overlap” with the data protection framework. The proposed framework, therefore, suggests amendments in several laws, including the Aadhaar Act, RTI Act and IT Act.
The DPA has been entrusted with the enforcement and effective implementation of the law. It will also categorize certain fiduciaries as significant data fiduciaries based on their ability to cause greater harm to data principals as a consequence of their data processing activities. Such significant data fiduciaries will have to undertake obligations such as: (i) registration with the DPA; (ii) data protection impact assessments; (iii) record-keeping; (iv) data audits; and (v) appointment of a Data Protection Officer (DPO).
Further, the DPA will have powers that include issuing warnings and reprimands, and ordering data fiduciaries found to be in contravention of the law to cease and desist, or to modify or temporarily suspend their businesses or activities, among others.
The report stipulates that the penalties that can be imposed on data fiduciaries would be an amount up to a fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher. It, however, clarifies that offences created under the law should be limited to any “intentional or reckless behaviour, or to damage caused with knowledge to the data principals in question”.