Justice BN Srikrishna on Friday said that under the new Personal Data Protection Bill, 2018, offences will be cognisable and non-bailable.
In an interview to CNBC-TV18, Srikrishna said that Personal Data Protection Bill is an Indianised version of the data protection law as ideas from several countries were taken.
Watch: Justice Srikrishna's Data Protection Report: Key highlights
Srikrishna said, “Minister seems very confident and very happy that it was there. He said it was an excellent thing, which was needed to empower the country to become a frontrunner in the digital space.”
Edited excerpts: You have submitted your 67 page report to the government today, but how confident do you feel that we will have a new data protection law in the country in place in this tenure of the government?
We should, because the minister seems very confident and very happy that it was there and he was full of adjectives. He said it was an excellent thing, which was needed to empower the country to become a frontrunner in the digital space.
You have pointed out that application of this new legislation will not be retrospective in nature, it will apply prospectively. However, in terms of the key amendments, whether it is to the Aadhaar Act or the Right to Information Act or to the Information Technology Act itself, what are the gaps that the report is hoping to plug when it comes to these acts?
If you read either the report or the draft bill, processing is inclusive of near storage also. So, if you have collected till yesterday and stored data there and today, and if the law becomes operative then, you also become liable to follow the act. So, it is an overarching act. Aadahar is just a surface scratch. In any case, I don't want to talk about Aadhaar, because it is in hands of the Supreme Court.
Let me ask you about what you have said, when it comes to the issue of localisation which has again become a fairly controversial and contentious issue. Why do you believe that the RBI may have jumped the gun here?
RBI has jumped the gun, because they think it is necessary. RBI has done it by an executive circular, whereas this is going to be a law as and when it is passed. This will override all the RBI and all the other regulators.
The RBI has given companies six months window, we don't know whether this legislation is going to be in place in six months, so what happens then?
You know how much time it takes for parliamentary legislations to be brought into effect and put on the statute book and that is something I have no idea, I have no control. So it takes whatever time and in the meanwhile, the regulators are making merry, let them make merry.
One of the recommendations in the report is the setting up of this data security authority, that is one of the key recommendations that you have made. Do you believe that while the government may in fact put this overarching legislation in place, which of course will take its time because the consultation process will now start post the submission of the report, do you believe that it must perhaps act urgently on actually setting up this data security authority?
Both in the report and in the bill, it sets time limits for, when the act becomes operative and within 6 or 4 months we have to setup the authority. So, the authority is the first thing to be done and thereafter the rest of it.
What about the rationale behind the penalties, which have been suggested by the report? You seem to have aligned your recommendations to what we are seeing happen globally especially when it comes to the GDPR?
We have done an Indianised version of the data protection law. We have got ideas from several countries, we examined them, debated them, there was lot of back and forth in the committee. Finally, we thought that in the interest of our country, this is the best way - not take an extreme step either to total control like the Chinese do or total non-control like some other countries do. In a way, it takes the middle path, that is why you will notice that there are three options available, rather than three situations where localisation is dealt with.
There could be concerns that could the penalties perhaps and the fact that this is also going to be a cognizable non-bailable offence - the misuse if that were to be the case, would it be seen perhaps as too punitive?
Unless there is a penal law, it is just taken as a joke. Some people say, you are going to charge me couple of million dollars, I will afford to pay it or they may consistently refuse to follow the law, in which case, the threat of danda must be there always. In the Companies Act, there are so many penal provisions, but how many people have gone to jail? Nobody has gone to jail.
You are saying that threat of danda is necessary?
It is necessary, because if worst comes to worst, then one should be able to pinpoint and say this is a criminal offence on your part. You shall answer it before a criminal court. Then it is a question of trial before the criminal court and all that.
You alluded to the fact that regulators seem to be doing their own thing. Since we are talking about regulator the Telecom Regulatory Authority of India (Trai) has also put out its own version of what it believe should be?
Exactly, that is what I said. It was open to the regulators to put whatever their inputs were before the committee, because the committee was high powered committee, which was looking into overall data protection law. Instead of that, they have their own small ponds in which they want to pop-out and say I am here. I can't help it.
You believe that this has become a little bit of territorial battle?
It is one-upmanship, absolutely.
What do you make of the Trai recommendations if at all you had a look at that?
Frankly, if you have read the Trai recommendations, nothing is new there. If you look at original whitepaper, was it is just probably picked up from there and called Trai regulation. In any case, we have also tried to accommodate them to best of our ability in the report and in the bill.
I don't know if you heard the law minister in Parliament yesterday speaking on the issue of curbing fake news and cracking down on fake news and the government has again put out a set of measures that it hopes to take forward including things like putting in place local grievance officer etc. ensuring that these intermediaries are tried here in India under Indian law what do you make of those suggestions and those recommendation?
He can deal with fake news, he can bring out a law to deal with fake news. I am concerned with data protection of the citizen basically.
How vulnerable is the Indian citizen today minus this data protection law that you have proposed?
There is no law at all unfortunately. The point is, we walk around literally throwing our data left and right, we leave footprints everywhere. Somebody picks it up and monetises it, we don't even know. Sometimes, the monetisation maybe just a profit motive, sometimes it may cause harm to you also. So, there is no law, nobody is answerable today. At least, there will be a law which will say you are answerable, you picked up this data for what purpose, who gave you consent, what is the purpose for which you took it, how long are you going to use it, all this questions there is no answer today. This law will answer all those questions.
Since we are talking about this issue of the under appreciation of the fact that there needs to be requisite data protection regulation in the country, the response from the government and the government bodies very often when it comes to whether it is Aadhaar or other such issues is, this fear, this threat is exaggerated, it is over inflated, this concern has been blown out of proportion?
If you have heard government officers speak, they also say this Prevention of Corruption Law is totally unnecessary. There is unnecessary big talk about corruption. Where is corruption in this country? There is no corruption in this country, that is what they say.
Of all the recommendations that you have made in this 67 page report, which the government will now go over, if I could ask you to tell our viewers what do you believe is the absolute priority. The five things that the government must act on now irrespective of whether this legislation goes through in this term of the government or not?
The government has to protect that data in the first place. Empower the citizen. The way I look at it is, it is a triangle. One is the citizen at the top. On the one side is the state, it has also to be empowered in matters of data protection and final is the trade and industry, you can't choke away the trade and industry in the ground of data protection. So, how much of pull is there on each will depend on as they call it in mathematics the triangular force, the resultant will be somewhere in the middle obviously.
It is ridiculous way of putting it. Today, things have gone beyond this property concept. It is a question of my right. Right need not be always monetised. In fact, I remember one of the person made a suggestion and said, well if he monetises it, let him make a profit out of it and I will take a share out of it, that is not the purpose of a law. The law is to empower the citizen and make sure that his data is not used by somebody else without his consent and without benefiting him. It is not property as such.
Why is that you have recommended that data not be treated as property?