New Delhi, July 27: The Justice B.N. Srikrishna Committee on data protection in India has suggested amendments to various laws including the Aadhaar Act to provide for the imposition of penalties on data fiduciaries and compensations to data principals for violations of the data protection law. The 213-page report, prepared by a 10-member committee set up last year under the chairmanship of the retired Supreme Court judge, was submitted to Law and Electronics Minister Ravishankar Prasad who said that the government will go through the draft bill and take stakeholder comments before taking Cabinet approval for finalising the legislation.
Justice Srikrishna said data privacy is a burning issue and there are three parts to the triangle. The report assumes significance in the context of controversies over alleged leakage of biometric details of Aadhaar card holders. In its recommendations, the committee has said the data protection law will set up a Data Protection Authority (DPA), an independent regulatory body responsible for the enforcement and implementation of the law. The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies under Indian law will be covered, irrespective of where it is actually processed. The law will not have retrospective application and will come into force in structured and phased manner. The report suggests amendments to the Aadhaar Act from a data protection perspective. Sensitive poersonal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data and data that reveals transgender status, inter-sex status, caste, tribe, religious or political beliefs or affiliations of an individual.
The right to be forgotten may be adopted, with the Adjudication Wing of the DPA determining its applicability on the basis of the five-point criteria as follows: (i) the sensitivity of the personal data sought to be restricted; (ii) the scale of disclosure or degree of accessibility sought to be restricted; (iii) the role of the data principal in public life (whether the data principal is publicly recognisable or whether they serve in public office); (iv) the relevance of the personal data to the public (whether the passage of time or change in circumstances has modified such relevance for the public); and (v) the nature of the disclosure and the activities of the data fiduciary (whether the fiduciary is a credible source or whether the disclosure is a matter of public record; further, the right should focus on restricting accessibility and not content creation). (IANS)