DATA PROTECTION:WHAT’S ON THE ANVIL

The Justice B.N.SriKrishna committee on Friday submitted  to the government a draft of the Personal Data Protection Bill,2018 after a year of deliberations by the B.N.SriKrishna Committee Panel and a time when a constitution bench of the apex court reserved its judgment on validity of Aadhaar unique ID system.

Personal data is data relating to a natural person who is directly or indirectly identifiable having regard to any characteristic, trait, attribute or any other features , or any combination of such features with any other information.

Key Highlights:

• The law will have jurisdiction over personal data that is used,shared , disclosed ,collected or otherwise ,processed in India.
• The law will not have retrospective application and will come into force in a structured and phased manner.
• It will cover personal data used by companies incorporated under Indian law,irrespective of the data being processed in India,or not.
• The law will cover processing of personal data by both public and private entities.
• Sensitive and personal data will include passwords ,financial data ,health data ,sex life,sexual orientation ,biometric and genetic data.
• Such data also covers information that reaveals trasgender status ,intersex status,tribe,religious or political beliefs or affliations of an individual.
• Individuals will have the right to access their personal data with entities,make corrections to it,and also restrict its usage.
• Penalities may be imposed for violating  the data protection law.
• Any person below the age of 18 years will be considered a child under the law.
• The Justice Srikrishna committee on data privacy has made specific mention of the need for separate and more stringent norms for protecting the data of children, recommending that companies be barred from certain types of data processing such as behavioural monitoring, tracking, targeted advertising and any other type of processing which is not in the best interest of the child.
• Entities processing data of children will have to develop appropriate mechanisms for age verification and get parental consent.
• Data collecting entities will be responsible for data quality and storage limitation. However, accuracy of personal data is the responsibility of the individual.
• The committee has identified 50 statutes and regulations, which potentially overlap with the data protection framework.
• The Aadhaar Act needs to be amended to bolster the data protection , and the committee has suggested amendments to the Act.
• In its broad structure and key provisions, the bill seems to follow the model of the European Union’s General Data Protection Regulation(GDPR).

DATA PROTECTION AUTHORITY(DPA)

• A regulator in the name of DATA PROTECTION AUTHORITY(DPA) will be set  up for effective implementation and enforcement of the law.
• The new regulator will have a chairperson and six whole-time members.
• The DPA,a sector agnostic body,will ensure that every entity that handles data is conscious of its obligations and that it will be held to account in case of failure to comply.
• The selection committee shall consist of the Chief Justice of India or her/his nominee (who is a judge of the Supreme Court of India), the Cabinet Secretary, Government of India,
• and one expert of repute who has special knowledge of, and professional experience in, areas related to data protection, information technology, data management, data science,
• cyber and Internet laws and related subjects.
• Broadly, the DPA will have four departments and related functions: monitoring and enforcement; legal affairs, policy and standard setting; research and awareness; and inquiries, grievance handling and adjudication.

Drawbacks:

• This draft bill gives carte blanche to the state to process personal data without consent under sec 13.
• One of the key objectives missing from the draft bill is the reform of surveillance laws.
• The draft falls short on key principles at the core of a robust data protection framework.

Source: Livemint