1. The Personal Data
Protection Bill 2018 – Justice B.N Sri Krishna Recommendation
Introduction – The committee headed by Justice B N Srikrishna was
constituted in July, 2017 to deliberate( write ) a framework on Data
Protection. The Committee submitted its report in July, 2018 named as “Data
Protection Framework”. This committee has produced a set of recommendations that run
into 213 pages, and a draft law titled the “The Personal Data Protection Bill,
2018” running into 112 sections.
Some important Recommendations-
1. The report has proposed penalties for
violations, criminal proceedings, setting up of a data authority,
provision of withdrawal of consent and concept of consent fatigue The law will have jurisdiction over the processing of personal data if such
data has been used, shared, disclosed, collected or otherwise processed in
India.
2.
Additionally, personal data collected, used, shared, disclosed or
otherwise processed by companies incorporated under Indian law will be covered,
irrespective of where it is actually processed in India. However, the data
protection law may empower the Central Government to exempt such companies
which only process the personal data of foreign nationals not present in India.
3.
The law will not have retrospective application and it will come into
force in a structured and phased manner. The Aadhaar Act needs to be amended to
bolster data protection.
4. The
data protection law will set up a DPA which will be an independent
regulatory body responsible for the enforcement and effective implementation of
the law. The Central Government shall establish an appellate tribunal or grant
powers to an existing appellate tribunal to hear and dispose of any appeal
against an order of the DPA.
5. Penalties
may be imposed for violations of the data protection law. The penalties imposed
would be an amount up to the fixed upper limit or a percentage of the total
worldwide turnover of the preceding financial year, whichever is higher.
6. The
state can process data without consent of the user on ground of public
welfare, law and order, emergency situations where the individual is
incapable of providing consent, employment, and Reasonable purpose.
7. The
law will cover processing of personal data by both public and private
entities.
8.
Sensitive personal data will include passwords, financial data, health
data, official identifier, sex life, sexual orientation, biometric and genetic
data, and data that reveals transgender status, intersex status, caste, tribe,
religious or political beliefs or affiliations of an individual. However, the
DPA will be given the residuary power to notify further categories in
accordance with the criteria set by law.
9. Consent
will be a lawful basis for processing of personal data. However, the law
will adopt a modified consent framework which will apply a product liability
regime to consent thereby making the data fiduciary liable for harms caused to
the data principal.
10. Cross
border data transfers of personal data, other than critical personal data, will
be through model contract clauses containing key obligations with the
transferor being liable for harms caused to the principal due to any violations
committed by the transferee. Personal data determined to be critical will be
subject to the requirement to process only in India (there will be a
prohibition against cross border transfer for
such data).
Criticism
The report goes against the apex court’s decision of right to
privacy, as the Judgment has two basic concepts. The first, the primacy of
individual as the beneficiary of fundamental rights is crucial. Second, it
rejected that the right to privacy will dissolve in the collective notion of
economic development. This can be concluded in easy words- Fundamental
rights will be protected and remain in practice even if the Government wants to
implement something for economic developments.
However the report did not interpret the same. The conclusion of
the report is that economy comes first and the individual second.
The report said that the state is a facilitator of human progress
and is commanded by the Directive principles of state policy so
fundamental rights take a back seat. This also goes against the basic structure
of Indian Constitution
The report says that “to see the individual as an atomised unit,
standing apart from the collective, neither flows from our constitutional
framework nor accurately grasps the true nature of rights litigations. Rights
(of which the right to privacy is an example) are not deontological categories
that protect interests of atomised individuals.” Then, it proceeds to conclude,
“Thus the construction of a right itself is not because it translates into an
individual good, be it autonomy, speech, etc. but because such good creates a
collective culture where certain reasons for state action are unacceptable.”
Much of this language is inscrutable to even the legally trained mind.
To the report’s view that the individual ought not to be the
spotlighted while making a law, the right to privacy judgment is in stark contrast.
Sources-
