After a having a consultation for a year, Justice BN Srikrishna committee has finally submitted its report on the Personal Data Protection.
The panel was headed by Justice BN Srikrishna, handed the report to IT Minister Ravi Shankar Prasad on Friday.
The committee recommended certain key issues such as transparency, transfer of personal data outside India, the definition of personal data and penalties, compensation and offenses.
After submitting the recommendations to the minister Justice Srikrishna said," We have not treated data as a matter of property. It is a matter of my trust in somebody I have entrusted to and he is answerable to it. I am the principal of my data that someone else is processing it so I should have the upper hand."
The minister said: "It is a monumental law and we would be like to have a widest parliamentary consultation... We want Indian data protection law to become a model globally, blending security, privacy, safety, and innovation," Prasad said.
He said that the report will go through the process of inter-ministerial consultations and Cabinet as well as parliamentary approval.
While reacting to the development Siddharth Vishwanath, Leader - Cyber Advisory at PwC India, said, "The spread of digital ecosystem in India where e-wallets, ride-sharing services, e-commerce, online entertainment services and social media are thriving is the direct result of the digital disruption. But the absence of data privacy and protection law could lead consumers exposed to risks of their data being misused by organizations and data breaches on account of sub-optimal investments in security."
Amba Kak, India Policy Advisor, Mozilla, pointed out this bill provides a strong foundation of protection for Indians' privacy, but it is not without loopholes - in particular, the requirement to store a copy of all personal data within India, creating broad permissions for government use of data, and the independence of the regulator's adjudicatory authority.
We welcome the Government's commitment to a public consultation process, which we hope will rectify the cracks in this foundation."
Vidur Gupta, partner, EY India said" "The proposed introduction of a Digital Protection Authority(DPA) as an independent regulatory body with wider powers would be quite beneficial in the enforcement of the data protection law."
However Nikhil Pawa, co-founder of savetheinternet.in said: "This is a weak data protection bill and it should NOT be allowed to be passed in Parliament. Justice Srikrishna has disappointed."
Here are some highlights from the recommendations
1 The law will have jurisdiction over the processing of personal data if such data been used, shared, disclosed, collected or otherwise processed in India.
2 Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
3 The law will not have retrospective application and it will come into force in a structured and phased manner. Processing that is ongoing after the coming into force of the law would be covered.
4 The White Paper suggested the creation of an independent regulatory body for enforcement of a data protection legal
5 Further, it was suggested that this regulatory body should have the powers of (a) monitoring, enforcement, and investigation; (b) awareness generation; and (c) standard setting. It was suggested that a number of regulatory tools and mechanisms such as codes of practice and categorization of data fiduciaries could be deployed to achieve enforcement objectives.
6 The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher.