The Personal Data Protection Bill 2018 – Justice B.N Sri Krishna Recommendation - Seeker's Thoughts

Recent Posts

Seeker's Thoughts

For Clearing the Blur Spot.

Popular Posts

The Personal Data Protection Bill 2018 – Justice B.N Sri Krishna Recommendation

1.      The Personal Data Protection Bill 2018 – Justice B.N Sri Krishna Recommendation
Introduction – The committee headed by Justice B N  Srikrishna was constituted in July, 2017 to deliberate( write ) a framework on Data Protection. The Committee submitted its report in July, 2018 named as “Data Protection Framework”.  This committee has produced a set of recommendations that run into 213 pages, and a draft law titled the “The Personal Data Protection Bill, 2018” running into 112 sections.

Some important Recommendations-
1.   The report has proposed penalties for violations, criminal proceedings,  setting up of a data authority, provision of withdrawal of consent and concept of consent fatigue The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
2.       Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
3.       The law will not have retrospective application and it will come into force in a structured and phased manner. The Aadhaar Act needs to be amended to bolster data protection.
4.     The data protection law will set up a DPA which will be an independent regulatory body responsible for the enforcement and effective implementation of the law. The Central Government shall establish an appellate tribunal or grant powers to an existing appellate tribunal to hear and dispose of any appeal against an order of the DPA.
5.    Penalties may be imposed for violations of the data protection law. The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher.
6.    The state can process data without consent of the user on ground of public welfare, law and order, emergency situations where the individual is incapable of providing consent, employment, and Reasonable purpose.
7.    The law will cover processing of personal data by both public and private entities.
8.     Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
9.    Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework which will apply a product liability regime to consent thereby making the data fiduciary liable for harms caused to the data principal.
10.   Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee. Personal data determined to be critical will be subject to the requirement to process only in India (there will be a prohibition against cross border transfer for such data). 
The report goes against the apex court’s decision of right to privacy, as the Judgment has two basic concepts. The first, the primacy of individual as the beneficiary of fundamental rights is crucial. Second, it rejected that the right to privacy will dissolve in the collective notion of economic development. This can be concluded in easy words- Fundamental rights will be protected and remain in practice even if the Government wants to implement something for economic developments.
However the report did not interpret the same. The conclusion of the report is that economy comes first and the individual second.
The report said that the state is a facilitator of human progress and is commanded by the Directive principles of state policy so fundamental rights take a back seat. This also goes against the basic structure of Indian Constitution
The report says that “to see the individual as an atomised unit, standing apart from the collective, neither flows from our constitutional framework nor accurately grasps the true nature of rights litigations. Rights (of which the right to privacy is an example) are not deontological categories that protect interests of atomised individuals.” Then, it proceeds to conclude, “Thus the construction of a right itself is not because it translates into an individual good, be it autonomy, speech, etc. but because such good creates a collective culture where certain reasons for state action are unacceptable.” Much of this language is inscrutable to even the legally trained mind.
To the report’s view that the individual ought not to be the spotlighted while making a law, the right to privacy judgment is in stark contrast.