Explicit consent required for personal data
New Delhi: The B.N. Srikrishna panel, in its report on data protection, recommended that “critical personal data” of Indians be processed only in the country. It also recommended “explicit consent” for processing ‘sensitive personal information.’
The firms will be liable for harms caused to the individuals due to consent given to process their data. The panel also presented a draft Bill, the Personal Data Protection Bill, 2018, designed to enhance data protection, that will go before Parliament.
The Bill makes the obtaining, transferring or selling of personal data in contravention of its provisions an offence. These recommendations, which come at a time when data breaches are becoming common and there is heightened scrutiny of how firms handle user data, will have a huge impact on how tech firms process data in India.
The panel went on to recommend amendments to the RTI and Aadhaar Acts to bolster data protection. In the RTI Act, it said that only information that is likely to cause harm to a data principal, where such harm outweighs public interest, can be exempted from disclosure.
It suggested steps for safeguarding personal information, defining obligations of data processors as also rights of individuals, and mooting penalties for violation.
There will be a general obligation on firms to ensure that, when the data of those under 18 is processed, the best interests of the child are kept in mind. The panel, which submitted its report to IT minister Ravi Shankar Prasad, said that there will be a prohibition against cross-border transfer of critical personal data.
However, the central government will determine categories of sensitive personal data which are critical to the nation having regard to strategic interests and enforcement requirements. It said that cross-border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.
Personal data relating to health will however be permitted to be transferred for reasons of prompt action or emergency. Non-critical personal data will be subject to the requirement to store at least one serving copy in India. The panel recommended setting up a “data protection authority”, an agency which would look at enforcement and implementation of the new data protection law.
Firms will have to notify the DPA of a personal data breach and, in certain circumstances, the data principal. The draft provides for a penalty of Rs 15 crore or 4 per cent of the total worldwide turnover of any data collection entity, including the state, for violation of personal data processing provisions. “The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding fiscal, whichever is higher,” it said. He said that the new law will “override” all other notifications.