By: Rajesh Gogna, Designated Partner, Lex Locum Consultants LLP

In July 2017, the Ministry of Electronics and Information Technology (MeitY) formed a 10-member committee under the leadership of Justice BN Srikrishna to address issues of privacy and draft the Personal Data Protection Bill (DPDP Act). The committee submitted its initial draft in 2018. However, as the draft Bill underwent multiple amendments, the Indian government decided to introduce a new version called the Digital Personal Data Protection Bill, 2022.

One of the key recommendations made by the committee was regarding data localization. They suggested that sensitive personal data should be stored exclusively in India to enhance control and protection. This recommendation found its way into the DPDP Act, which includes provisions on data localization, mandating that specific categories of sensitive personal data must be stored within the country.

Another significant recommendation highlighted by the committee was the importance of obtaining informed consent from individuals before processing their personal data. The DPDP Act reflects this recommendation by incorporating provisions that emphasize the need for clear and informed consent, while also granting individuals the right to access, correct, and delete their data.

The committee also proposed the establishment of an independent regulatory body, the Data Protection Authority (DPA), to oversee and enforce data protection laws. This recommendation was adopted in the DPDP Act, which includes provisions for the creation of a Data Protection Authority responsible for regulating and enforcing compliance with data protection laws.

Furthermore, the committee stressed the importance of accountability and Data Protection Impact Assessments (DPIA) for certain projects. The DPDP Act mandates accountability for data processing activities and requires organizations to conduct DPIAs to assess and mitigate potential privacy risks.

The committee established principles for data processing by government agencies, emphasizing the necessity and proportionality of data collection. Importantly, the DPDP Act extends its jurisdiction to both government and private entities, ensuring that principles of data minimization and purpose limitation are applied uniformly.

In addition to these recommendations, the committee recognized the need to establish a fiduciary relationship between individuals and service providers who have access to their data. They outlined the basic obligations of service providers, including fair and reasonable data processing and providing notice to individuals when collecting data.

The committee also emphasized the definition of personal data, which includes information that can directly or indirectly identify an individual. They made a distinction between personal data and sensitive personal data, which relates to intimate matters with a higher expectation of privacy, such as caste, religion, and sexual orientation.

Lastly, the committee stressed that consent should be a prerequisite for processing personal data, with a particular focus on ensuring meaningful consent, especially for vulnerable groups like children and for sensitive personal data, where explicit consent of the individual is required.

Recommendations of the committee incorporated into the Act

The Digital Personal Data Protection Act of 2023, which incorporates recommendations from the Justice B.N. Srikrishna Committee, outlines a comprehensive framework for data protection in India. Key aspects of this Act include the roles and responsibilities of data fiduciaries and processors, who are tasked with ensuring the accuracy and completeness of data, removing data no longer necessary, and reporting data breaches. The Act establishes the Data Protection Board (DPB) as an independent body responsible for enforcing the Act’s provisions and imposing penalties for non-compliance.

In terms of penalties, the Act allows for substantial fines, up to INR 500 crores, for violations, emphasizing the importance of data security and compliance. Individual rights are also a focus, with the Act granting various rights to data principals, such as obtaining information about their data, requesting corrections, and filing grievances. However, it notably omits the right to data portability, which was present in earlier versions of the bill.

Special attention is given to the protection of children’s data, defining a child as anyone below 18 years and requiring parental consent for processing their data, subject to certain government-defined exemptions. The Act also empowers the government to make rules on several issues, including the processing of personal data without consent and guidelines for reporting data breaches. Additionally, it provides for certain exemptions, particularly for state agencies in the interests of national security and public order. Lastly, the Act is designed to have an overriding effect over other laws in case of conflicting provisions, highlighting its comprehensive and dominant role in the data protection landscape of India.
