Towards a surveillance state?
The Union government on Friday released the draft Personal Data Protection Bill, 2018, submitted as part of the recommendations of the Justice B N Srikrishna Committee on data security
New Delhi: The Union government on Friday released the draft Personal Data Protection Bill, 2018, submitted as part of the recommendations of the Justice B N Srikrishna Committee on data security.
The main purpose of the Bill seems to be to protect Aadhaar, the 12-digit biometrics-linked unique identification number currently under challenge before a Constitution bench of the Supreme Court.
Significantly, the draft law facilitates sweeping state surveillance by providing broad exceptions to consent clauses when the data is processed by the government.
The 213-page report, prepared by a 10-member committee set up last year under the chairmanship of the retired Supreme Court judge, was submitted to Union Law Minister Ravishankar Prasad who said that the government will go through the draft bill and take stakeholder comments before taking Cabinet approval for finalising the legislation.
Justice Srikrishna said data privacy is a burning issue and there are three parts to the triangle. "The citizen's rights have to be protected, the responsibilities of the states have to be defined but the data protection can't be at the cost of trade and industry."
The report assumes significance in the context of controversies over alleged leakage of biometric details of Aadhaar card holders and the ongoing Supreme Court hearing in the case related to data protection.
The report has proposed penalties for violations, criminal proceedings, setting up of a data authority, provision of withdrawal of consent and concept of consent fatigue.
In its recommendations, the committee has said the data protection law will set up a Data Protection Authority (DPA), an independent regulatory body responsible for the enforcement and implementation of the law.
Broadly, it will perform the functions of monitoring and enforcement, legal affairs, policy and standard setting, research and awareness and enquiry, grievance handling and adjudication.
The draft law has suggested that penalties may be imposed on data fiduciaries and compensations may be awarded for violations of data protection law. "The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the proceeding financial year, whichever is higher. Offences created under the law should be limited to any intentional or reckless behaviour, or to damage caused with knowledge to the data principals in question."
The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.
Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies under Indian law will be covered, irrespective of where it is actually processed.
However, the data protection law can empower government to exempt companies which only process the personal data of foreign nationals not present in India. The law will not have retrospective application and will come into force in structured and phased manner.