About Us Contact us Kannada

New Delhi, July 27 : The Justice B.N. Srikrishna Committee on data protection in India has suggested amendments to various laws including the Aadhaar Act to provide for imposition of penalties on data fiduciaries and compensations to data principals for violations of the data protection law.

The 213-page report, prepared by a 10-member committee set up last year under the chairmanship of the retired Supreme Court judge, was submitted to Law and Electronics Minister Ravishankar Prasad who said that the government will go through the draft bill and take stakeholder comments before taking Cabinet approval for finalising the legislation.

Justice Srikrishna said data privacy is a burning issue and there are three parts to the triangle. "The citizen's rights have to be protected, the responsibilities of the states have to be defined but the data protection can't be at the cost of trade and industry."

The report assumes significance in the context of controversies over alleged leakage of biometric details of Aadhaar card holders and the ongoing Supreme Court hearing in the case related to data protection.

The report has proposed penalties for violations, criminal proceedings, setting up of a data authority, provision of withdrawal of consent and concept of consent fatigue.

In its recommendationsm, the committee has said the data protection law will set up a Data Protection Authority (DPA), an independent regulatory body responsible for the enforcement and implementation of the law. Broadly, it will perform the functions of monitoring and enforcement, legal affairs, policy and standard setting, research and awareness and enquiry, grievance handling and adjudication.

The draft law has suggested that penalties may be imposed on data fiduciaries and compensations may be awarded for violations of data protection law.

"The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the proceeding financial year, whichever is higher. Offences created under the law should be limited to any intentional or reckless behaviour, or to damage caused with knowledge to the data principals in question."

The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.

However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.

Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies under Indian law will be covered, irrespective of where it is actually processed.

However, the data protection law can empower government to exempt companies which only process the personal data of foreign nationals not present in India.

The law will not have retrospective application and will come into force in structured and phased manner.

The report suggests amendments to the Aadhaar Act from a data protection perspective. Read along with the provisions of the proposed data protection bill, the amendments will deal with enforcement action and individual remedies.

Under the Chapter Processing, the report says the definition of personal data will be based on identifiability. The law will cover processing of personal data by both public and private entities.

Standards for anonymisation and de-identification (including pseudonymisation) may be laid down by the authority.

Sensitive poersonal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data and data that reveals transgender status, inter-sex status, caste, tribe, religious or political beliefs or affiliations of an individual.

The authority will be given the residuary power to notify further categories in accordance with the criteria set by law.

Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework which will apply a product liability regime to consent, thereby making the data fiduciary liable for harms caused to the data principal.

For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.

A data principal below 18 years of age will be considered a child. Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind.

Further, data fiduciaries capable of causing significant harm to children will be identified as guardian data fiduciaries. All data fiduciaries (including guardian data fiduciaries) shall adopt appropriate age verification mechanism and obtain parental consent.

Furthermore, guardian data fiduciaries, specifically, shall be barred from certain practices. Guardian data fiduciaries exclusively offering counselling services or other similar services will not be required to take parental consent.

Under data principal rights, the right to confirmation, access and correction should be included in the data protection law.

Similarly, the right to data portability, subject to limited exceptions, should be included in the law. The right to object to processing; right to object to direct marketing, right to object to decisions based on solely automated processing, and the right to restrict processing need not be provided in the law for the reasons set out in the report.

The right to be forgotten may be adopted, with the Adjudication Wing of the DPA determining its applicability on the basis of the five-point criteria as follows:

(i) the sensitivity of the personal data sought to be restricted;

(ii) the scale of disclosure or degree of accessibility sought to be

restricted;

(iii) the role of the data principal in public life (whether the data principal

is publicly recognisable or whether they serve in public office);

(iv) the relevance of the personal data to the public (whether the passage

of time or change in circumstances has modified such relevance for

the public); and

(v) the nature of the disclosure and the activities of the data fiduciary

(whether the fiduciary is a credible source or whether the disclosure is

a matter of public record; further, the right should focus on restricting

accessibility and not content creation).

Cross-border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.



Let the Truth be known. If you read VB and like VB, please be a VB Supporter and Help us deliver the Truth to one and all.

Comments

Ahmedabad, Sep 24: The Gujarat Congress on Monday claimed a school principal held for allegedly murdering a 6-year-old girl student in Gujarat's Dahod district was close to the BJP and RSS.

The child's body was found in the school compound in Torani village in Singvad taluka on Thursday and a probe zeroed in on principal Govind Nat.

Nat, who was taking the child to school in his car, smothered her to death after she fended of his sexual assault attempt, as per police. He was held on Sunday.

Sharing some photographs in which the accused can be purportedly seen sitting with former state minister Arjunsinh Chauhan and attending an RSS event in the outfit's uniform, Gujarat Congress spokesperson Parthivraj Kathvadiya said, "Govind Natt is a political figure. In the photographs available on social media, Nat can be seen with BJP leaders and also attending events of RSS and VHP."

"It is clear from such cases that our daughters are not safe under BJP rule in Gujarat. These incidents are a disgrace to the education sector and has left parents worried," Kathvadiya said in a statement and expressed concern on the accused getting protection due to his political influence.

He also asked if BJP leaders would take out a candle march for "Dahod's daughter".

Responding to the allegations, Gujarat Education Minister Kuber Dindor said his department worked closely with the police to solve the crime at the earliest.

"We worked closely with the police. It is a shameful act by a principal. Thanks to our efforts, police managed to nab him in 24 hours and sent him behind bars. We have already suspended him and our government will ensure the case will run in a fast track court for speedy justice," said Kuber.

All Stories

There is no question of bowing to the Governor's efforts, BJP's conspiracy: Congress
There is no question of bowing to the Governor's efforts, BJP's conspiracy: Congress

The Karnataka High Court has dismissed Chief Minister Siddaramaiah’s petition challenging the prosecution sanction granted by Governor Thawar Chand Gehlot in connection with the MUDA case. With this decision, the court has upheld the Governor’s order.
16-year-old stabbed to death by friends for denying treat for his new phone in east Delhi
16-year-old stabbed to death by friends for denying treat for his new phone in east Delhi

A 16-year-old boy was stabbed to death allegedly by three of his friends in East Delhi's Shakarpur when he refused to give them a treat after buying a new phone, police said on Tuesday.
Complainants hail HC order dismissing CM's petition challenging Guv's order
Complainants hail HC order dismissing CM's petition challenging Guv's order

The complainants, who were granted sanction by the Karnataka Governor Thaawarchand Gehlot after they sought an order for probe from the special court against the Chief Minister Siddaramaiah in a site allotment case, on Tuesday hailed the High Court's verdict dismissing his petition challenging the approval.

Copyright © 2024. Vartha Bharati. All rights reserved