Sensitive personal data should be processed in India: Srikrishna panel

All sensitive personal data relating to Indian citizens should be processed and stored only within India, the Justice Srikrishna committee has said, among other recommendations that forms the basis of the new bill on data protection.

Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the department of personnel and administration (DPA) will be given the residuary power to notify further categories in accordance with the criteria set by law.
The document, officially titled ‘Personal Data Protection Bill, 2018', was submitted today to the IT ministry for review.
The bill aims at protecting the digital rights of Indian citizens and addresses issues such as consent, protecting children’s rights in the digital age and at empowering citizens to fight for their digital rights. The bill also addresses issues of government overreach, accountability and initiatives like Aadhaar. However, the committee has not taken up the Aadhaar issue, as it was under consideration of the Supreme Court.
The recommendations of the committee, headed by former Supreme Court judge BN Srikrishna, comes amidst reports of misuse of personal data by both public and private entities handling personal data on customers.
The committee has suggested that the government should determine the categories of sensitive personal data that are “critical to the nation having regard to strategic interests and enforcement.”
Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework in the case of a product liability regime, making it financially liable for harms caused to the data principal or the consumer.
The bill seeks to regulate the processing of personal data that is used, shared, disclosed, collected or otherwise processed in India. This will apply to data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law, irrespective of where it is actually processed in India.
However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.
However, the data protection law may empower the government to exempt such companies, which only process the personal data of foreign nationals not present in India.
The law will not have retrospective application and it will come into force in a structured and phased manner. Processing that is ongoing after the coming into force of the law would be covered. Timelines should be set out for notifications of different parts of the law to facilitate compliance.
The law will cover processing of personal data by both public and private entities.
Standards for anonymisation and de-identification (including pseudonymisation) may be laid down by the DPA. However, de-identified data will continue to be within the purview of this law. Anonymised data that meets the standards laid down by the DPA would be exempt from the law.
The report was keenly awaited by global technology companies for its views on data localisation.