Print Friendly, PDF & Email

Insights into Editorial: Protect critical personal data of citizens: draft Bill

Insights into Editorial: Protect critical personal data of citizens: draft Bill


The draft personal data protection Bill 2018, submitted by the Justice B.N. Srikrishna-headed expert panel has proposed that critical personal data of Indian citizens be processed in centres located within the country.

The right to privacy is a fundamental right which necessitates protection of personal data as an essential facet of informational privacy says the draft Personal Data Protection bill, 2018.

The much-awaited bill is under the government’s review and has been made public for inviting suggestions.


Data Protection Authority of India (DPA):

It proposes setting up of a DPA, an independent regulatory body responsible for the enforcement and effective implementation of the law, consisting of a chairperson and six full-time members.

In case of any appeal against an order of the DPA, an appellate tribunal should be established or an existing appellate tribunal should be granted powers to hear and dispose of any appeal.


A copy of the data in India too:

Other personal data may be transferred outside the territory of India with some riders. However, at least one copy of the data will need to be stored in India. The draft Bill, which India hopes will become a model framework for protection of personal data for the world, will apply to processing of personal data within India, including the State.

Personal data, the draft law states, may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing. It added that processing of sensitive personal data should be on the basis of “explicit consent.”

The law, the committee in its recommendations said, will not have retrospective application and will come into force in a structured and phased manner. “Processing that is ongoing after the coming into force of the law would be covered.”


Handle children’s data with care, says committee:

The Justice Srikrishna committee on data privacy has made specific mention of the need for separate and more stringent norms for protecting the data of children, recommending that companies be barred from certain types of data processing such as behavioural monitoring, tracking, targeted advertising and any other type of processing which is not in the best interest of the child.

It is widely accepted that processing of personal data of children ought to be subject to greater protection than regular processing of data.

Safeguarding the best interests of the child should be the guiding principle for statutory regulation on protecting data of children.

The committee noted that, at present, there were two types of entities processing the personal data of children.

The first type were services offered primarily to children, such as YouTube Kids, Hot Wheels and Walt Disney, and the second were social media services such as Facebook and Instagram.

The committee’s recommends that the Data Protection Authority will have the power to designate websites or online services that process large volumes of personal data of children as “guardian data fiduciaries”.


Parental consent in processing the data of a child:

The committee noted that this approach, of placing the onus of properly processing the data of a child on the company, is preferable to the existing regulatory approach which is based solely on a system of parental consent.


‘Exemption in state or societal interest’:

The expert committee, headed by Justice B.N. Srikrishna, has recommended that processing of data for certain interests such as security of the State, legal proceedings, research and journalistic purpose, may be exempt from certain obligations of the proposed data protection law.

“For the creation of a truly free and fair digital economy, it is vital to provide certain exemptions from obligations that will facilitate the unhindered flow of personal data in certain situations. These exemptions derive their necessity from either a state or societal interest,” the committee said in its report.


‘Safeguards a must’:

It, however, added that adequate security safeguards must be incorporated in the law to guard against potential misuse.

In the draft ‘The personal data protection law 2018’ that the committee has submitted, it has said that “processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.”

SriKrishna Committe has recommended in the report that the Central government should expeditiously bring in a law for the oversight of intelligence gathering activities.

It further added that to strike a balance between freedom of expression and right to informational privacy, the data protection law would need to signal what the term ‘journalistic purposes’ signifies, and how ethical standards for such activities would need to be set.


Penalty Provisions for data security breach:

Regarding data misuse, the committee recommended a penalty of either a certain percentage of the total worldwide turnover of the data misuser, or a fixed amount set by the law.

It recommended that the penalty may extend up to ₹5 crore or 2% of the data misuser’s total worldwide turnover of the preceding financial year, whichever is higher in situations where the company fails to take “prompt and appropriate action” in response to a data security breach.

In situations where the norms on personal data, sensitive personal data, and the personal data on children are violated, the report has recommended a penalty of ₹15 crore or 4% of the total worldwide turnover of the preceding financial year of the company.



Data is the new currency. It is considered as the oil of 21st century. With the dawn of information age and mass digitalization there has been generation of huge data.

In order to protect people’s privacy and make companies accountable, India needs a data protection law “as soon as possible” as it is a “fundamental thing” so that the users can demand from the domestic or foreign companies to share their data when needed. This is not a technology problem, but a policy problem.


Instrumentally, a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment and equal access.

India lacks a coherent data protection law which makes us more vulnerable. The government should thus frame a robust law to gain confidence of people that their private data will not be misused and used without their permission.

The B.N srikrishna committee set to look into the law is much appreciated step in this direction. Now, the committee submitted its report also. The government should do the way forward with utmost Transparency and Integrity in framing in the law.