‘Sensitive personal data’ comprises passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, caste or tribe and religious or political belief or affiliation.
When asked about the Reserve Bank of India (RBI) mandating storage of financial data in India, Justice Srikrishna said the central bank had jumped the gun. When the personal data protection law comes into force, it would override all other directions, he said.
The 10-member panel has identified a list of 50 statutes and regulations which have a potential overlap with the data protection framework. The panel recommended that certain other enactments be amended simultaneously with a data protection regime. Three such enactments have been identified: the Aadhaar Act, RTI Act and IT Act.
The bill, based on the recommendations of the panel, has put in strong conditions for cross-border transfer of personal data. Only the Central government can prescribe the permissibility of transfers where it finds that the relevant personal data shall be subject to an adequate level of protection. The mandatory localisation of personal data has drawn mixed reactions, with privacy advocates cheering the move but industry, especially in the field of information technology, terming it a trade barrier.
“Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets,” IT industry body Nasscom said.
The Srikrishna panel differed with telecom regulator Trai in defining data ownership. The Justice said the whole idea of ownership of the data was a concept that had something to do with property. “We have not treated data as a matter of property, it is a matter of my trust in somebody… we did not use the word data subject although it is being used by GDPR and other countries also. We have called data fiduciary and data principal,” he said. Recently Trai had said that customers own their data and that all digital entities and intermediaries were mere custodians of data.
Data fiduciary can be any person, state, company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data. Data principal has been defined as a natural person to whom the personal data relates. The bill will now go through inter-ministerial consultations before being taken up by the Union Cabinet. It would require Parliament’s nod to become a law. Justice Srikrishna said privacy had become a burning issue and therefore every effort had to be made to protect data at any cost.
“It is a monumental law and we would like to have widest parliamentary consultation... We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” Prasad said.
The bill proposes that a data protection authority should be set up. The authority, which will be equivalent to a civil court, will consist of a chairperson and six whole-time members. Also, an appellate tribunal has to be established.
Reacting to the Srikrishna report, Vidur Gupta, partner, government and public sector, EY India, said the data protection report would be a key step towards building the important base of ‘trusted’ digital India.
“The proposed introduction of a Digital Protection Authority (DPA) as an independent regulatory body with wider powers would be quite beneficial in the enforcement of the data protection law. Further, the recommendation of bringing public entities under the gambit of law would not only strengthen the confidence of citizens but also define specific safety measures for their personal data while using eGovernance services,” Gupta added.