The draft report says the legislation will ‘not apply to any processing activity that has been completed prior to this law coming into effect’.
New Delhi: The Justice B.N. Srikrishna Committee, constituted in the wake of the Supreme Court’s landmark ‘Right to Privacy’ judgment to come up with a data protection framework, is all set to recommend that the proposed law should not be enforced retrospectively.
Simply put, this means the data collected under Aadhaar would be out of the scope and purview of the proposed law. This recommendation may not find favour with those who have opposed the unique identification system on the ground that the collection and dissemination of Aadhaar data leaves citizens vulnerable.
In its draft report, accessed exclusively by ThePrint, the committee headed by the former Supreme Court judge has concluded that, in the interest of “effective enforcement and fairness to data fiduciaries”, the first-of-its-kind data protection law will “not apply to any processing activity that has been completed prior to this law coming into effect”.
Not only this, the draft report also talks of giving adequate time to data fiduciaries (to whom data is entrusted) to ensure seamless implementation of the new law. This, it says, is needed since the data protection law would be a new legislation and require the creation of a new regulatory framework.
Sources told ThePrint that the committee was scheduled to meet later in the day Monday, where a decision will be taken on whether this report is final or requires further deliberation.
Some acts that the panel wants listed as crimes include obtaining, transfer, disclosure and sale of personal and sensitive data if it causes harm to the person whose data it is (data principal), and re-identification and processing of previously de-identified personal data.
The draft report recommends punishment for “intentional or reckless behaviour” that leads to the crimes, which it wants to be made cognisable and non-bailable. In case the crime has been committed by a company or body corporate, including government departments, the responsibility would lie with the person in charge of conducting the company’s business or the head of a government department.
It wants compensation to be paid to data principals in case any harm is caused to them for infringement.
But, in a move that is certain to rile activists working for stringent privacy and data protection laws, the committee’s draft report absolves the in-charge of all responsibility if he or she shows that the crime was committed without his/her knowledge or that all reasonable efforts had been taken to prevent the crime from being committed.
Other significant recommendations include:
- All cross-border transfer of personal data to be done only through proper contracts, with the sender being liable for any leak or harm caused to such data.
- Personal data deemed ‘critical’ can’t be taken outside India. Critical personal data will include all data necessary for the smooth functioning of the economy and the nation-state.
- The report makes it clear that this data would include Aadhaar number, genetic data, biometric data and health data.
- The differentiation between critical and non-critical personal data, the draft report says, will lead to effective law enforcement, curb foreign surveillance, avert vulnerabilities to the optic cable network, and help in building a robust artificial intelligence ecosystem.
- There will be an independent regulatory body called the data protection authority (DPA), whose functions will include monitoring and enforcement of the proposed law as well as investigation and grievance-handling.
- All data collectors would have to get registered with the DPA.
- The DPA’s powers would include issuing warnings and reprimands, and ordering data fiduciaries to suspend work or collection of data, if found violating the law.
- There will be a ‘data ombudsman’ to adjudicate complaints between data principals and data fiduciaries. Appeals against orders of the data ombudsman will be made to an appellate tribunal. The Supreme Court will hear appeals against orders of this appellate tribunal.
- Consent will be required to collect any kind of personal data. Such consent will be invalid if not based on informed choice that is specific, clear and capable of being withdrawn.
- For sensitive personal data, the consent will also have to be explicit.
- There will be a fiduciary relationship between the “data subject” and “data controller”.
Right to be forgotten:
The draft report allows data principals to approach the data ombudsman with requests for the right to be forgotten, which will be granted on the basis of criteria laid out in the draft law.
However, the right to be forgotten will not be available if data ombudsman feels such a request interferes with the constitutional right to freedom of speech and expression, and/or right to information of any other citizen.
What is Justice Srikrishna committee?
The Committee of Experts on a Data Protection Framework for India was set up on 31 July 2017 to examine issues related to data protection, recommend methods to address them, and draft a data protection law.
It released a white paper on 27 November 2017.
Thereafter, it held several rounds of meetings with stakeholders, as well as four regional conferences.
However, the white paper itself came under attack from several quarters, with former Supreme Court judge M. Jagannadha Rao writing to the panel that the document referred to collection of data but “not to the boundaries of the right to collection of data which is the essence of the SC judgment”.
Earlier this month, some lawyers and privacy rights activists made public a draft model law on privacy and data protection.
ThePrint’s YouTube channel is now active and buzzing. Please subscribe here.