The panel headed by Justice BN Srikrishna on Friday submitted its report to the Ministry of Information and Technology, outlining its suggestions for a data protection law.
The 213-page report covers how any Indian's personal data would be protected.
It said, "This report is based on the fundamental belief shared by the entire Committee that if India is to shape the global digital landscape in the 1st century, it must formulate a legal framework relating to personal data that can work as a template for the developing world. Implicit in such a belief is the recognition that the protection of personal data holds the key to empowerment, progress, and innovation. Equally implicit is the need to devise a legal framework relating to personal data not only for India, but for Indians."
"We would urge the Government of India to adopt expeditiously in the form of a data protection law. A suggested draft of such a law has been provided along with this report," Srikrishna and the panel wrote in the report.
has been used, shared, disclosed, collected or otherwise processed in India.
However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.
Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
structured and phased manner. Processing that is ongoing after the coming into force of the law would be covered. Timelines should be set out for notifications of different parts of the law to facilitate compliance.
issue guidance explaining the standards in the definition as applied to different categories of personal data in various contexts.
official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
recommended to be enacted by the Government of India in the future.
fiduciaries unless specifically exempted.
processing is not known at the time of its collection and cannot be reasonably communicated to the data principal can be undertaken only with explicit consent.
data is collected to various points in the interim. Most prominently, a data fiduciary is obliged to provide notice to the data principal no later than at the time of the collection of her personal data.
fiduciaries. However, the responsibility to ensure that the personal data provided is accurate will rest on the data principal.
certain circumstances, to the data principal.
(i) the sensitivity of the personal data sought to be restricted;
(ii) the scale of disclosure or degree of accessibility sought to be restricted;
(iii) the role of the data principal in public life (whether the data principal is publicly recognisable or whether they serve in public office);
(iv) the relevance of the personal data to the public (whether the passage of time or change in circumstances has modified such relevance for the
(v) the nature of the disclosure and the activities of the data fiduciary (whether the fiduciary is a credible source or whether the disclosure is a matter of public record; further, the right should focus on restricting accessibility and not content creation).
data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.
certain jurisdictions in consultation with the DPA.
to process only in India (there will be a prohibition against cross border transfer for such data). The Central Government should determine categories of sensitive personal data which are critical to the nation having regard to strategic interests and enforcement.
for reasons of prompt action or emergency. Other such personal data may additionally be transferred on the basis of Central Government requirement to store at least one serving copy in India.
either require or authorise the processing of personal data for different objectives.
the latter will be the minimum threshold of safeguards for all data processing in the country. In the event of any inconsistency between data protection law and extant legislation, the former will have overriding effect.
exemption to transparency requirements under Section 8(1)(j). This needs to be amended to clarify when it will be activated and to harmonise the standard of privacy employed with the general data protection statute.
Non-Consensual Grounds of Processing
separate ground for processing. Processing activities carried out by the State under law will be covered under this ground, ensuring that it is in furtherance of public interest and governance. However, only bodies covered under Article 12 of the Constitution may rely on this ground. Processing towards activities that may not be considered part of welfare functions would, however, not be permitted. Thus, the availability of this ground is restricted to certain entities and certain functions to avoid vagueness in the
order of court or tribunal will be recognised as a separate ground for processing to avoid inconsistency with obligations under other laws, regulations and judicial orders. The word 'law' shall be construed to mean laws, ordinances, orders, bye-laws, rules, regulations and notifications that have statutory authority. Order of court or tribunal would be restricted to Indian courts and tribunals. Obligations imposed by contract, foreign law and foreign judicial orders shall not be permitted to be processed under this
processing. It should receive a strict interpretation and only be applied in critical situations where the individual is incapable of providing consent and the processing is necessary to meet emergency situations.
processing. This ground should be invoked only where processing under consent would involve disproportionate effort or where the employment relation makes consent inappropriate and will permit processing even where employment-related activities are not authorised under any of the other grounds of processing such as compliance with law.
processing activities which are not covered by other grounds like consent, compliance with law, prompt action and public function but are still useful to society. The ambit of the provision would be limited to those purposes which are whitelisted by the DPA to guide data fiduciaries.
processing of personal or sensitive personal data if it is necessary in the interest of the security of the state. Any restriction must be proportionate and narrowly tailored to the stated purpose. The Central Government should expeditiously bring in a law for the oversight of intelligence gathering activities.
data necessary for enforcing a legal right or claim, for seeking any relief, defending any charge, opposing any claim or for obtaining legal advice from an advocate in an impending legal proceeding would be exempt from the application of the data protection law. General obligations of security and fair and reasonable processing will continue to apply.
exemption. Only those obligations that are necessary to achieve the object of the research will be exempted by the DPA. This assessment is contextual and dependent on the nature of the research.
personal or domestic processing of data should be incorporated in the data protection law. It would provide a blanket exemption from the application of the data protection law.
caused are higher when personal data is processed through automated means, an exemption will be made in the data protection law for manual processing by data fiduciaries that are unlikely to cause significant harm and would suffer the heaviest relative burdens from certain obligations under this law.
Registration with the DPA; (ii) Data Protection Impact Assessments; (iii) Record-keeping; (iv) Data audits; and (v) Appointment of DPO. The DPA can require that other data fiduciaries undertake these obligations as well.
issuing warnings and reprimands, and ordering data fiduciaries found to be in contravention of the law to cease and desist, or to modify or temporarily suspend their businesses or activities, etc.