Consent must for using data such as biometrics, sexuality: Srikrishna panel

Recognising privacy as a fundamental right, the draft personal data protection Bill has mandated that explicit consent must be taken for processing sensitive personal data like biometrics, sexual orientation, and religious or political belief. Also, at least a copy of such personal data should be stored in India. The Justice B N Srikrishna-led panel submitted the Bill along with the recommendations on personal data protection to the government on Friday, after deliberating on the issue for one year. The panel was formed in July 2017 after the Supreme Court delivered a verdict that privacy was a fundamental right. 

The Bill has proposed stringent penalties in case of any violation or misuse of personal data by public or private entities. For instance, if a data fiduciary, which can be a person, company or state, processes personal data in contravention of the Act, it would be liable to a penalty of up to Rs 150 million or 4 per cent of an entity’s total worldwide turnover in the preceding financial year, whichever is higher. If the data fiduciary fails to take prompt action in response to a data security breach, it would be liable to pay up to Rs 50 million or 2 per cent of its total worldwide turnover, whichever is higher.

The proposed legislation contains a provision for the ‘Right to be Forgotten’, which is in line with the European data privacy laws such as GDPR (general data protection regulation). While the draft Bill does not insist on personal data of residents of India to be stored only in India, it has made an enabling provision where the government can notify categories of personal data as critical data, which would be only stored in India.

According to the Bill, processing of personal data should be done only for the purpose it was collected or for compliance of any law, employment and for any function of Parliament or any state legislature.

‘Sensitive personal data’ comprises passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, caste or tribe and religious or political belief or affiliation. 

When asked about Reserve Bank of India (RBI) mandating storage of financial data in India, Justice Srikrishna said the central bank had jumped the gun. When the personal data protection law comes into force, it would over-ride all other directions, he said. 

The 10-member panel has identified a list of 50 statutes and regulations which have a potential overlap with the data protection framework. The panel recommended certain other enactments which require to be amended simultaneously with a data protection regime. Three such enactments have been identified — Aadhaar Act, RTI Act and IT Act. 

The bill, based on the recommendations of the panel, has put in strong conditions for cross-border transfer of personal data. Only the Central government can prescribe the permissibility of transfers where it finds that the relevant personal data shall be subject to an adequate level of protection. The mandatory localisation of personal data has drawn mixed reactions with privacy advocates cheering the move but industry, especially in the field of information technology, terming it as a trade barrier.

“Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets,” IT industry body Nasscom said.

The Srikrishna panel differed with telecom regulator Trai in defining data ownership. The Justice said the whole idea of ownership of the data was a concept that had something to do with property. “We have not treated data as a matter of property, it is a matter of my trust in somebody… we did not use the word data subject although it is being used by GDPR and other countries also. We have called data fiduciary and data principal,” he said. Recently Trai had said that customers own their data and that all digital entities and intermediaries were mere custodians of data. 

Data fiduciary can be any person, state, company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data. Data principal has been defined as a natural person to whom the personal data relates.  The bill will now go through inter-ministerial consultations before being taken up by the Union Cabinet. It would require Parliament’s nod to become a law. Justice Srikrishna said privacy had become a burning issue and therefore every effort had to be made to protect data at any cost. 

“It is a monumental law and we would like to have widest parliamentary consultation... We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” Prasad said. 

The bill proposes that a data protection authority should be set up. The authority, which will be equivalent to a civil court, will consist of a chairperson and six whole-time members. Also, an appellate tribunal has to be established. 

Reacting to the Srikrishna report, Vidur Gupta, partner, government and public sector, EY India, said the data protection report would be a key step towards building the important base of ‘trusted’ digital India. 

“The proposed introduction of a Digital Protection Authority (DPA) as an independent regulatory body with wider powers would be quite beneficial in the enforcement of the data protection law. Further, the recommendation of bringing public entities under the gambit of law would not only strengthen the confidence of citizens but also define specific safety measures for their personal data while using eGovernance services,” Gupta added.