MUMBAI: The much-awaited report on the data protection law was submitted by the Justice BN Srikrishna committee to Union Minister of Electronics and Information Technology Ravi Shankar Prasad on Friday. The committee was constituted on 31 July last year.

Prasad said government will go through the draft before finalising the legislation and will take stakeholders’ comments along with taking cabinet approval. “It is a monumental law and we would be like to have widest parliamentary consultation… We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” he said as per a report by Indian Express.

Justice Srikrishna mentioned three aspects of the report.  While the citizen’s rights have to be protected and the responsibilities of the states have to be defined, data protection can't be at the cost of trade and industry. He further added the draft bill has been prepared through an open process where the members of the committee consulted all stakeholders.

Excerpts from the bill:

Processing (collection, recording, analysis, disclosure, etc) of personal data should be done only for “clear, specific and lawful” purposes and only necessary data for such processing can be collected. Personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India.

The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.

Data related to these categories have been termed as sensitive personal data-passwords, financial data, health data , official identifiers which would include government issued identity cards; sex life and sexual orientation; biometric and genetic data, transgender status or intersex status, caste or tribe and religious or political beliefs or affiliations.

Violation of data protection law many cause penalty. The amount would be up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher.

The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure— a) has served the purpose for which it was made or is no longer necessary; b) was made on the basis of consent under section 12 and such consent has since been withdrawn; or c) was made contrary to the provisions of this act or any other law made by parliament or any state legislature.

The central government shall establish for the purposes of this act, the Data Protection Authority of India which shall consist of a chairperson and six whole-time members. It shall be the duty of the authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this act, and promote awareness of data protection.