New Delhi, July 27: The Justice B.N. Srikrishna Committee on data protection in India has suggested amendments to various laws including the Aadhaar Act to provide for imposition of penalties on data fiduciaries and compensations to data principals for violations of the data protection law.
The 213-page report, prepared by a 10-member committee set up last year under the chairmanship of the retired Supreme Court judge, was submitted to Law and Electronics Minister Ravishankar Prasad who said that the government will go through the draft bill and take stakeholder comments before taking Cabinet approval for finalising the legislation.
Justice Srikrishna said data privacy is a burning issue and there are three parts to the triangle. "The citizen's rights have to be protected, the responsibilities of the states have to be defined but the data protection can't be at the cost of trade and industry."
The report assumes significance in the context of controversies over alleged leakage of biometric details of Aadhaar card holders and the ongoing Supreme Court hearing in the case related to data protection.
The report has proposed penalties for violations, criminal proceedings, setting up of a data authority, provision of withdrawal of consent and concept of consent fatigue.
In its recommendations, the committee has said the data protection law will set up a Data Protection Authority (DPA), an independent regulatory body responsible for the enforcement and implementation of the law. Broadly, it will perform the functions of monitoring and enforcement, legal affairs, policy and standard setting, research and awareness and enquiry, grievance handling and adjudication.
The draft law has suggested that penalties may be imposed on data fiduciaries and compensations may be awarded for violations of data protection law.
"The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the proceeding financial year, whichever is higher. Offences created under the law should be limited to any intentional or reckless behaviour, or to damage caused with knowledge to the data principals in question."
The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.
Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies under Indian law will be covered, irrespective of where it is actually processed.
However, the data protection law can empower the government to exempt companies which only process the personal data of foreign nationals not present in India.
The law will not have retrospective application and will come into force in a structured and phased manner.
The report suggests amendments to the Aadhaar Act from a data protection perspective. Read along with the provisions of the proposed data protection bill, the amendments will deal with enforcement action and individual remedies.
Under the chapter on processing, the report says the definition of personal data will be based on identifiability. The law will cover processing of personal data by both public and private entities.
Standards for anonymisation and de-identification (including pseudonymisation) may be laid down by the authority.
Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data and data that reveals transgender status, inter-sex status, caste, tribe, religious or political beliefs or affiliations of an individual.
The authority will be given the residuary power to notify further categories in accordance with the criteria set by law.
Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework which will apply a product liability regime to consent, thereby making the data fiduciary liable for harms caused to the data principal.
For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.
A data principal below 18 years of age will be considered a child. Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind.
Further, data fiduciaries capable of causing significant harm to children will be identified as guardian data fiduciaries. All data fiduciaries (including guardian data fiduciaries) shall adopt an appropriate age verification mechanism and obtain parental consent.
Furthermore, guardian data fiduciaries, specifically, shall be barred from certain practices. Guardian data fiduciaries exclusively offering counselling services or other similar services will not be required to take parental consent.
Under data principal rights, the right to confirmation, access and correction should be included in the data protection law.
Similarly, the right to data portability, subject to limited exceptions, should be included in the law. The right to object to processing, the right to object to direct marketing, the right to object to decisions based solely on automated processing, and the right to restrict processing need not be provided in the law for the reasons set out in the report.
The right to be forgotten may be adopted, with the Adjudication Wing of the DPA determining its applicability on the basis of the five-point criteria as follows:
(i) the sensitivity of the personal data sought to be restricted;
(ii) the scale of disclosure or degree of accessibility sought to be restricted;
(iii) the role of the data principal in public life (whether the data principal is publicly recognisable or whether they serve in public office);
(iv) the relevance of the personal data to the public (whether the passage of time or change in circumstances has modified such relevance for the public); and
(v) the nature of the disclosure and the activities of the data fiduciary (whether the fiduciary is a credible source or whether the disclosure is a matter of public record; further, the right should focus on restricting accessibility and not content creation).
Cross-border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.
New Delhi (PTI): The Delhi Police has arrested a man and his son for allegedly murdering his 19-year-old daughter in west Delhi's Hari Nagar area, an official said on Friday.
The case first came to light on April 1 after a PCR call was received around 2 pm, alleging that a woman had been killed by her family members and her body was being taken for last rites, he said.
The accused, identified as Mohammad Maneer (55), a vegetable vendor, and his son Meraj Ali (19), were arrested in connection with the case, the officer said.
The victim had been in a relationship with a man from her native place for the past two years, which was opposed by her father, Maneer, and brother, Meraj, he said.
"When the girl did not end the relationship despite objections, the family killed her," the officer said.
On April 1, the police said that when their team reached the spot, they found that the woman's body was being taken for burial.
Acting on the input, the burial process was stopped over suspicion of honour killing.
"Police intercepted the family members and took possession of the body," he said.
Police said that the man who had made the PCR call told them that the woman was in love with his cousin.
During the inquiry, police also interacted with the PCR caller, who said his cousin, a friend of the deceased, had informed him about the situation and suspected foul play, prompting him to alert the police control room.
The body of the woman was subsequently shifted to the mortuary of Deen Dayal Upadhyay Hospital for preservation and postmortem.
Police said that both the crime team and the forensic science laboratory (FSL) team were called to inspect the scene and collect evidence.
Police said that, as per the postmortem report, the cause of death was identified as smothering, indicating that the woman was suffocated.
A preliminary inquiry also revealed that the family had initiated preparations for the last rites soon after the woman's death, raising suspicion about the circumstances.
Initial investigation pointed to the family's opposition to the woman's relationship.
"The family members of the woman saw her with the man, and she was taken back home. We got to know that she was beaten up and even locked inside the house for some days," a source said.
Further investigation into the matter is underway, police added.
