
Justice Srikrishna's Data Protection Report: Key highlights


The 213-page report covers how any Indian's personal data would be protected. 

Panel headed by Justice BN Srikrishna on Friday submitted its report to the Ministry of Information and Technology outlining its suggestions for a data protection law.
It said, "This report is based on the fundamental belief shared by the entire Committee that if India is to shape the global digital landscape in the 21st century, it must formulate a legal framework relating to personal data that can work as a template for the developing world. Implicit in such a belief is the recognition that the protection of personal data holds the key to empowerment, progress, and innovation. Equally implicit is the need to devise a legal framework relating to personal data not only for India, but for Indians."
"We would urge the Government of India to adopt expeditiously in the form of a data protection law. A suggested draft of such a law has been provided along with this report," Srikrishna and the panel wrote in the report.
Key Recommendations:
  • The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India. Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
  • The law will not have retrospective application and it will come into force in a structured and phased manner. Processing that is ongoing after the coming into force of the law would be covered. Timelines should be set out for notifications of different parts of the law to facilitate compliance.
  • The definition of personal data will be based on identifiability. The DPA may issue guidance explaining the standards in the definition as applied to different categories of personal data in various contexts.
  • The law will cover processing of personal data by both public and private entities.
  • Standards for anonymisation and de-identification (including pseudonymisation) may be laid down by the DPA. However, de-identified data will continue to be within the purview of this law. Anonymised data that meets the standards laid down by the DPA would be exempt from the law.
  • Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
  • Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework which will apply a product liability regime to consent thereby making the data fiduciary liable for harms caused to the data principal.
  • For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.
  • A data principal below the age of eighteen years will be considered a child. Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind. Further, data fiduciaries capable of causing significant harm to children will be identified as guardian data fiduciaries. All data fiduciaries (including guardian data fiduciaries) shall adopt appropriate age verification mechanism and obtain parental consent. Furthermore, guardian data fiduciaries, specifically, shall be barred from certain practices. Guardian data fiduciaries exclusively offering counselling services or other similar services will not be required to take parental consent.
  • The principle of granting protection to community data has been recognised by the Committee. This should be facilitated through a suitable law which is recommended to be enacted by the Government of India in the future.
  • The relationship between the "data subject" and the "data controller" is to be reformulated as a fiduciary relationship between the "data principal" and the "data fiduciary".
  • All processing of personal data by data fiduciaries must be fair and reasonable.
  • The principles of collection and purpose limitation will apply on all data fiduciaries unless specifically exempted.
  • Processing of personal data using big data analytics where the purpose of the processing is not known at the time of its collection and cannot be reasonably communicated to the data principal can be undertaken only with explicit consent.
  • A principle of transparency is incumbent on data fiduciaries from the time the data is collected to various points in the interim. Most prominently, a data fiduciary is obliged to provide notice to the data principal no later than at the time of the collection of her personal data.
  • There shall be obligations of data quality and storage limitation on data fiduciaries. However, the responsibility to ensure that the personal data provided is accurate will rest on the data principal.
  • There will be a provision of personal data breach notification to the DPA and in certain circumstances, to the data principal.
  • Data security obligations will be applicable.
  • The right to confirmation, access and correction should be included in the data protection law.
  • The right to data portability, subject to limited exceptions, should be included in the law.
  • The right to object to processing; right to object to direct marketing, right to  object to decisions based on solely automated processing, and the right to restrict processing need not be provided in the law for the reasons set out in the report.
  • The right to be forgotten may be adopted, with the Adjudication Wing of the DPA determining its applicability on the basis of the five-point criteria as follows:
    (i) the sensitivity of the personal data sought to be restricted;
    (ii) the scale of disclosure or degree of accessibility sought to be restricted;
    (iii) the role of the data principal in public life (whether the data principal is publicly recognisable or whether they serve in public office);
    (iv) the relevance of the personal data to the public (whether the passage of time or change in circumstances has modified such relevance for the public); and
    (v) the nature of the disclosure and the activities of the data fiduciary (whether the fiduciary is a credible source or whether the disclosure is a matter of public record; further, the right should focus on restricting accessibility and not content creation).
  • The right to be forgotten shall not be available when the Adjudication Wing of the DPA determines upon conducting the balancing test that the interest of the data principal in limiting the disclosure of her personal data does not override the right to freedom of speech and expression as well as the right to information of any other citizen.
  • Time-period for implementing such rights by a data fiduciary, as applicable, shall be specified by the DPA.
  • Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.
  • Intra-group schemes will be applicable for cross-border transfers within group entities.
  • The Central Government may have the option to green-light transfers to certain jurisdictions in consultation with the DPA.
  • Personal data determined to be critical will be subject to the requirement to process only in India (there will be a prohibition against cross border transfer for such data). The Central Government should determine categories of sensitive personal data which are critical to the nation having regard to strategic interests and enforcement.
  • Personal data relating to health will however be permitted to be transferred for reasons of prompt action or emergency. Other such personal data may additionally be transferred on the basis of Central Government
  • Other types of personal data (non-critical) will be subject to the requirement to store at least one serving copy in India.
  • Various allied laws are relevant in the context of data protection because they either require or authorise the processing of personal data for different objectives.
  • All relevant laws will have to be applied along with the data protection law, as the latter will be the minimum threshold of safeguards for all data processing in the country. In the event of any inconsistency between data protection law and extant legislation, the former will have overriding effect.
  • The proposed data protection framework replaces Section 43A of the IT Act and the SPD Rules issued under that provision. Consequently, these must be repealed together with consequent minor amendments.
  • The RTI Act prescribes a standard for privacy protection in laying out an exemption to transparency requirements under Section 8(1)(j). This needs to be amended to clarify when it will be activated and to harmonise the standard of privacy employed with the general data protection statute.
  • The Committee has identified a list of 50 statutes and regulations which have a potential overlap with the data protection framework. Concerned ministries may take note of this and ensure appropriate consultation to make complementary amendments where necessary.
  • The Aadhaar Act needs to be amended to bolster data protection.
  • Non-Consensual Grounds of Processing
    • Functions of the State: Welfare functions of the state will be recognised as a separate ground for processing. Processing activities carried out by the State under law will be covered under this ground, ensuring that it is in furtherance of public interest and governance. However, only bodies covered under Article 12 of the Constitution may rely on this ground. Processing towards activities that may not be considered part of welfare functions would, however, not be permitted. Thus, the availability of this ground is restricted to certain entities and certain functions to avoid vagueness in the
    • Compliance with Law or Order of Court or Tribunal: Compliance with law or order of court or tribunal will be recognised as a separate ground for processing to avoid inconsistency with obligations under other laws, regulations and judicial orders. The word 'law' shall be construed to mean laws, ordinances, orders, bye-laws, rules, regulations and notifications that have statutory authority. Order of court or tribunal would be restricted to Indian courts and tribunals. Obligations imposed by contract, foreign law and foreign judicial orders shall not be permitted to be processed under this
    • Prompt Action: Prompt action will be recognised as a separate ground for processing. It should receive a strict interpretation and only be applied in critical situations where the individual is incapable of providing consent and the processing is necessary to meet emergency situations.
    • Employment: Employment will be recognised as a separate ground for processing. This ground should be invoked only where processing under consent would involve disproportionate effort or where the employment relation makes consent inappropriate and will permit processing even where employment-related activities are not authorised under any of the other grounds of processing such as compliance with law.
    • Reasonable Purpose: Reasonable purpose is a residuary ground for processing activities which are not covered by other grounds like consent, compliance with law, prompt action and public function but are still useful to society. The ambit of the provision would be limited to those purposes which are whitelisted by the DPA to guide data fiduciaries.
  • Security of the State: The data protection law will enable an exemption to the processing of personal or sensitive personal data if it is necessary in the interest of the security of the state. Any restriction must be proportionate and narrowly tailored to the stated purpose. The Central Government should expeditiously bring in a law for the oversight of intelligence gathering activities.
  • Prevention, Detection, Investigation and Prosecution of Contraventions of Law: The data protection law should provide an exemption for prevention, detection, investigation and prosecution of contraventions of law (including protection of revenue). In order to invoke the exemption, the law enforcement agencies must be authorised by law.
  • Disclosure for the Purpose of Legal Proceedings: The disclosure of personal data necessary for enforcing a legal right or claim, for seeking any relief, defending any charge, opposing any claim or for obtaining legal advice from an advocate in an impending legal proceeding would be exempt from the application of the data protection law. General obligations of security and fair and reasonable processing will continue to apply.
  • Research Activities: The research exemption is not envisaged as a blanket exemption. Only those obligations that are necessary to achieve the object of the research will be exempted by the DPA. This assessment is contextual and dependent on the nature of the research.
  • Personal or Domestic Purposes: A narrowly tailored exemption for purely personal or domestic processing of data should be incorporated in the data protection law. It would provide a blanket exemption from the application of the data protection law.
  • Journalistic Activities: To strike a balance between freedom of expression and right to informational privacy, the data protection law would need to signal what the term 'journalistic purposes' signifies, and how ethical standards for such activities would need to be set. Where these conditions are met, an exemption should be provided.
  • Manual Processing by Small Entities: Since the risk of privacy harms being caused is higher when personal data is processed through automated means, an exemption will be made in the data protection law for manual processing by data fiduciaries that are unlikely to cause significant harm and would suffer the heaviest relative burdens from certain obligations under this law.
  • The data protection law will set up a DPA which will be an independent regulatory body responsible for the enforcement and effective implementation of the law. Broadly, the DPA shall perform the following primary functions: (i) monitoring and enforcement; (ii) legal affairs, policy and standard setting; (iii) research and awareness; (iv) inquiry, grievance handling and adjudication.
  • The DPA is vested with the power to categorise certain fiduciaries as significant data fiduciaries based on their ability to cause greater harm to data principals as a consequence of their data processing activities. This categorisation will be based on an assessment of volume of the personal data being processed, nature of personal data, type of processing activity undertaken, turnover of the data fiduciary, the risk of harm, and the type of technology used to undertake processing.
  • Significant data fiduciaries will have to undertake obligations such as: (i) Registration with the DPA; (ii) Data Protection Impact Assessments; (iii) Recordkeeping; (iv) Data audits; and (v) Appointment of DPO. The DPA can require that any other data fiduciaries may have to undertake these obligations as well.
  • The following enforcement tools shall be made available to the DPA: (i) Issuance of directions; (ii) Power to call for information; (iii) Publication of guidance; (iv) Issuance of public statement; (v) Codes of Practice; (vi) Conducting inquiry; (vii) Injunctive Relief; (viii) Inter-sectoral coordination.
  • Pursuant to its powers of inquiry, the DPA has wide-ranging powers including issuing warnings, reprimands, ordering data fiduciaries to cease and desist, modify or temporarily suspend businesses or activities of data fiduciaries who are found to be in contravention of the law etc.
  • The DPA's Adjudication Wing shall be responsible for adjudication of complaints between data principals and data fiduciaries.
  • The Central Government shall establish an appellate tribunal or grant powers to an existing appellate tribunal to hear and dispose of any appeal against an order of the DPA. Appeals against orders of the appellate tribunal will be to the Supreme Court of India.
  • Penalties may be imposed on data fiduciaries and compensation may be awarded to data principals for violations of the data protection law. The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher. Offences created under the law should be limited to any intentional or reckless behaviour, or to damage caused with knowledge to the data principals in question.