By Elton Gomes
A draft of the personal data protection bill 2018 was submitted by the expert panel headed by Justice B.N. Srikrishna on Friday. It has been proposed that critical data of Indian citizens should be processed in centres within the country. The draft law comes after a year-long consultation process, but it has left it to the Centre to notify categories of personal data that will be considered as critical.
On consent, the draft bill includes provisions for withdrawal of consent and a penalty for violation. The bill was submitted to IT minister Ravi Shankar Prasad for the government’s review and has been made public.
What the draft law proposes
The draft law states that personal data can be processed on the basis of the consent of the data principal, which has to be given at the beginning of the processing. Additionally, processing of sensitive personal data should strictly be on the basis of “explicit consent.” The committee in its recommendations said the law will not have retrospective application and will be put into force in a structured and phased manner.
The committee underscored the need for consent and made it clear that “consent needs to be informed … consent needs to be specific … consent must be clear (and) consent needs to be capable to be withdrawn as easily as it was given,” as per a report in the Times of India.
Concerning the sharing of data on platforms like Google and Facebook, the panel said that users should have the right to access their personal data any time. It also laid out steps to protect individuals against the uninformed harvesting of their personal data by third-party applications.
The act will also apply to data processors not present in India, as activities such as data profiling could lead to privacy harms to users in India.
The draft also proposes the establishment of a Data Protection Authority of India (DPA) – an independent regulatory body that will be responsible for enforcement and effective implementation of the law. The draft has said that the DPA could include a chairperson and six full-time members.
Changes in Aadhaar
The panel has suggested some changes for the shield of Aadhaar Act. The panel’s report stated that “amendments have been suggested that classify requesting entities into two kinds to regulate access to personal data on the basis of necessity — those who can request for authentication and those who are limited to verifying the identity of individuals offline,” according to the Indian Tribune. The amendment could lead to the sovereignty of UIDAI.
However, Justice Srikrishna said that Aadhaar-related matters are still under the consideration of the Supreme Court and he advised people to wait for the judgment on the order.
Reactions
Some experts seemed confident that the draft is comprehensive enough to protect users’ data, while others had their doubts. “It reflects original thinking, and addresses both opportunities and challenges that are specific to India,” former chairperson of the UIDAI, Nandan Nilekani said, as reported by Hindustan Times. Nilekani added that the Srikrishna panel has identified individual data that needs to be protected and has recognised the need to use data to improve lives.
Raman Jit Singh Chima, Policy Director at Access Now and volunteer with saveourprivacy.in, said, “There is also no attempt to change how wiretapping and surveillance happens in this country… India is one of the only major democracies that still allows civil servants to tap phones. The present bill does not attempt to change that, and that is surprising and troubling,” Hindustan Times reported.
Data privacy expert Nikhil Pahwa was of the opinion that the bill should not be passed without some discussion: “The committee has avoided giving citizens data ownership. The bill should not be passed. Needs fixing,” as per a report in the Times of India.
Elton Gomes is a staff writer at Qrius