Data protection draft bill holds hope for privacy

New Delhi: Insisting on processing of personal data of Indians within the country, a draft Personal Data Protection Bill on Friday proposed “explicit consent” for processing “sensitive personal information” like religious or political belief, sexual orientation and biometric details and recommended penalties of up to `15 crore and jail term of up to 10 years for  data collection entities that misuse the information.  

The draft of Personal Data Protection Bill, 2018, which is based on the recommendations of the government-constituted panel headed by Justice B.N. Srikrishna, restricts and imposes conditions on the cross-border transfer of personal data, and suggests setting up of “Data Protection Authority of India” to prevent any misuse of personal information. In certain circumstances, companies will have to notify the DPA about personal data breach.

The recommendations come at a time when data breaches are becoming common globally and there is heightened scrutiny by governments on how companies handle user data. Facebook, for instance, was recently held guilty by Dutch and French privacy watchdogs for breaking strict data protection rules.

The panel’s report was keenly awaited for their implications on tech majors and service providers such as Google, Facebook, Amazon, Twitter, Instagram, Visa and Mastercard, among others, in the backdrop of the Supreme Court’s recognition of privacy as a fundamental right.

Also, the recent data breach involving Facebook and British data analytics firm Cambridge Analytica has brought to the centre-stage issues around information privacy, user rights and consent policies, nudging companies and policymakers alike to review and strengthen privacy protection rules.

Justice Srikrishna, who submitted his report on data protection as also the draft bill to the government on Friday, said data privacy is a burning issue and there are three parts to the triangle.

“The citizen’s rights have to be protected, the responsibilities of the states have to be defined but the data protection can’t be at the cost of trade and industry,” he said.

The draft bill, which would go before Parliament after parliamentary consultation and the Union Cabinet’s approval, makes obtaining, transferring or selling of personal data in contravention of the norms as an offence.

The panel defined “sensitive personal data” as passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, caste or tribe and religious or political belief or affiliation.

It suggested steps for safeguarding personal information, defining obligations of data processors as also rights of individuals, and mooting penalties for violation.

To check data misuse, the draft bill provides a penalty of Rs 15 crore or 4 per cent of the total worldwide turnover of any data collection entity, including the state, for violation of personal data processing provisions.

A failure to take prompt action on a data security breach can attract a fine of up to Rs 5 crore or 2 per cent of the turnover of the data collection entity, whichever is higher.

The bill said that whoever uses core biometric information collected or created under this Aadhaar Act for any purpose other than generation of Aadhaar numbers and authentication under the Act, shall be punished with imprisonment which shall not be less than three years, but which may extend to 10 years, or with a fine which may extend to Rs 10,000 and or, in the case of a company, with a fine which may extend to Rs 50 lakh or both.

The panel also recommended amendments to RTI and Aadhaar laws to bolster data protection.

In RTI act, it said, restrictions on disclosure on information under the law should only be limited to data that is likely to cause harm to a data principal or owner and such harm outweighs public interest.

There will be a general obligation on companies to ensure that processing data of those under 18 years of is undertaken keeping the best interests of the child in mind.

The panel, which submitted its report to electronics and information technology minister Ravi Shankar Prasad, said that there will be a prohibition against cross border transfer of personal data determined to be critical. However, Central government will determine categories of sensitive personal data which is critical to the nation having regard to strategic interests and enforcement requirements.

“It is a monumental law and we would be like to have widest parliamentary consultation… We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” said minister Ravi Shankar Prasad.

The panel said personal data relating to health will, however, be permitted to be transferred abroad for reasons of prompt action or emergency. Transfer of other personal data (non-critical) will be subject to the requirement to store at least one serving copy in India.

The panel said the proposed data protection authority would look into enforcement and implementation of the new data protection law. Companies will have to notify DPA, personal data breach and in certain circumstances, to the data principal or the owner.

“Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing,” it said, adding that processing of sensitive personal data should be on the basis of explicit consent.

The report said that the “right to be forgotten” may be adopted and it should be determined by factors like sensitivity of the personal data, especially in case of public figures.

Mr Srikrishna said that the new data protection law would “override” all other notifications and regulations on data storage, including RBI directive which said in April that all payments data should be stored in the country within six months.

Over the last one year, there have been reports of personal information being allegedly compromised with increasing use of biometric identifier Aadhaar in an array of services, as also data breach incidents in the private sector.