The Srikrishna committee on data protection submitted its much-awaited report on Friday and its recommendations, if accepted by the government, will sharply increase citizens’ privacy levels, affect technology and e-commerce companies, and redefine government’s access to personal information. This is per a report in the Economic Times.
Also, key laws such as those on Aadhaar, right to information and information technology may have to change.
Citizens and internet users will have the final say on how and for which purpose personal data can be used and they will also have the right to withdraw consent. There will also be the option of ‘right to be forgotten’, subject to certain conditions.
Stiff monetary penalties as well as criminal prosecution have been recommended for companies violating data privacy rules. For technology and internet companies, the recommendation to store one copy of ‘personal data’ in India – that is, to maintain a mirror of data held on servers abroad – will mean higher costs and a major change in business models. Smaller companies will be affected more by this rule.
Criminal Proceedings for Serious Violations
RBI’s rules on storing financial data locally, which made no provision for storing it abroad, may also get overridden.
The Bill makes senior management of companies and heads of government departments accountable for any breach of data privacy. It calls for mandatory security audits of all companies, both foreign and Indian; the appointment of data protection officers by them; the setting up of a data protection authority on the lines of regulators such as Sebi; and a data protection fund.
Nandan Nilekani, chairman of Infosys and founder chairman of Aadhaar, called the Bill a landmark in India’s privacy and data protection landscape.
“The best part is that after considering what is happening in the US, Europe and China, the committee has really looked at the principles from an Indian context. They have really empowered the consumer, making it a role model for many countries that may be struggling with their own privacy frameworks,” said Nilekani. The government had set up the committee under the chairmanship of retired Supreme Court judge Srikrishna in August last year.
Receiving the recommendations and the Bill, union minister for electronics and IT, law and justice, Ravi Shankar Prasad said that government will go through the draft Bill and get stakeholder comments along with taking Cabinet approval before finalising the legislation.
“The entire parliamentary process will be followed,” he said without setting a timeline for it. Prasad also said that he hoped that India’s data protection law becomes a model for the world. “It has to be the right blend of security, safety, privacy and innovation.”
The Bill has mandated penalties anywhere between two and four percent of a company’s worldwide turnover, or fines between Rs 5 crore and Rs 15 crore, whichever is higher, for violations such as failing to notify a personal data breach or large-scale profiling or use of genetic data or biometric data which may cause harm to the people concerned.
The European Union’s General Data Protection Regulation (GDPR) likewise requires companies violating its rules to pay penalties of up to 2% or 4% of their annual worldwide turnover, or €10 million or €20 million respectively (roughly $25 million at the upper tier), whichever is higher.
The Bill also provides for criminal proceedings for serious violations and makes the management of companies and government departments responsible for them.
Talking to ET, Justice Srikrishna said the reason behind introducing stiff punishment was that “people are scared of criminal penalties in India”.
As far as putting responsibilities on companies’ senior management, he said, “It should be like that. This is a standard clause in all statutes where the company is guilty and the person in charge is also to be held guilty. This clause is found everywhere, whichever statute you take, whether it is FEMA or any other.”
He added that data privacy is a burning issue and there are three parts to the triangle. “The citizen’s rights have to be protected, the responsibilities of the states have to be defined but the data protection can’t be at the cost of trade and industry.”
An interview which appeared in the Economic Times with retired Supreme Court judge Srikrishna speaks about how the proposed Data Protection Bill puts the ownership of data in the hands of individuals while taking care not to throttle businesses and innovation.
What is the reasoning behind putting monetary penalties and some criminal penalties?
Experience has shown people are still scared of criminal penalties in this country.
You have also made companies’ management and government heads responsible for violations…
It should be like that. This is a standard clause in all statutes where the company is guilty and the person in charge is also to be held guilty. This clause is found everywhere, whichever statute you take, whether it is FEMA or any other as an example.
The Bill says one copy of all personal data has to be kept in India and the government will define as to what is this critical personal data. Why have you left it to the government to decide?
Who is going to decide? You and I cannot decide it. I would say all of my data is critical and somebody else would say that no it is not critical. Somebody has to decide and the government has to run the country.
This data transfer and all that — it’s necessary you have to deal with an international instrument, that can be done only by the executive not even by the legislature. That is why we have kept it open for the government to take a call on a case-to-case basis.
You think the sectoral regulators should take a call on this?
It depends. Hospitals should be treated differently. For example, Supreme Court judge’s personal data? Should it be treated critically or not? Let somebody take a call on that. The government can call the Chief Justice and ask if the judge’s personal data should be treated critically. The CJI may say, ‘I don’t want my judge’s data to be sent out’ — then that is fair enough.
The whole issue is that if you want data somewhere else, let’s say, outside the country, then how will you access it when you want it? Then it will depend on country-to-country treaties.
Look at what is happening to the extradition treaties … they will say my law doesn’t permit, then what will you do? So, it is better to keep it available and then the government can take it up at a government-to-government level saying please provide us this.
As far as consent is concerned, the proposed Bill has given a lot of power to the individual…
See, the idea is to empower the individual. But at the same time, you cannot use your empowerment to the detriment of somebody else. Then, you will be answerable to the court.
Do you think this will hurt the way in which the tech industry is currently fashioned, where a lot of startups come up and this may put a lot of compliance burden on them?
It is for this reason that there is a specific provision. Take, for example, labour cess. It will apply only if you have 20 or more workers. If you have two workers, it will not apply. Something can be done like this.
Which existing laws will have to be amended due to the data protection Bill?
Almost every law will be impacted by this. This is why we have said this law will have overriding effect. So, in the event of a conflict of the provisions of this law with any other law, this law will prevail. It is a constitutional provision.