The panel, established in August last year, is headed by retired Supreme Court Judge BN Srikrishna
The Srikrishna panel on Friday submitted a draft bill on data privacy to the government. The report has outlined suggestions to protect the privacy of citizen's data.The panel, established in August last year, is headed by retired Supreme Court Judge BN Srikrishna.
- Personal data has been specified as any information that works as an identifier
- The bill also clarifies 'sensitive personal data' as any information on a person's ethnicity, sexual orientation, finances, passwords, caste, biometric data, health and official identifiers.
- The panel has also suggested establishing a Data Protection Authority (DPA) to regulate data processing activities.
- The Right to be Forgotten can be adopted, subject to the DPA's Adjudication Wing discretion. Five criteria have been set, which include sensitivity of the data and role of the data in public.
- Data localization has been made mandatory. Companies collecting data on Indians must store their data in a server in India.
- Companies need to appoint a data protection officer who will act as a point of contact for individuals to raise grievances.
- The government (both Parliament and state legislatures) can access personal data if required.
- Cross-border transfer of data is allowed, with some conditions or "standard contractual clauses. Entities still need to preserve a copy of the data in India.
- The Act will not be applied retrospectively, and will be applied in a phased and structured manner.
What is the penalty for violation?
Corporates will have to pay up to Rs 5 crore or two percent of their turnover, whichever is higher, for violating non-sensitive personal data.
The penalty for violation of sensitive personal data is a fine of up to Rs 15 crore or four percent of the company's turnover, whichever is higher.