DRAFT PERSONAL DATA PROTECTION BILL- JUSTICE BN KRISHNA COMMITTEE REPORT
• Justice BM Krishna committee submitted its report on Draft Personal Data Protection Bill on 27th July, 2018
• The need for legislation was also underlined last year with the landmark judgment in Justice K.S Puttaswamy v. Union of India that held the right to privacy to be a fundamental right.
• There are many positive and negative points in the draft Bill.
• The broad structure of the Bill follows the model of the European Union’s General Data Protection Regulation (GDPR).
• It seeks to codify the relationship between individuals and firms/state institutions as one between “data principals” (whose information is collected) and “data fiduciaries” (those processing the data) so that privacy is safeguarded by design.
It covers the following points broadly:
1. Privacy principles on how a notice should be sent to individuals before data is collected: It says that for the consent to be valid it must be free, informed, specific, clear and capable of being withdrawn.
2. It prescribes explicit consent for sensitive personal data.
3. Purpose limitation and collection limitation also feature prominently in the draft bill. 4. Individuals can control their data with the right to confirmation and access, right to correction and right to data portability. 5. Data protection authority will be established as a strong, independent and specialised regulator.
What are the positive aspects?
1. The draft legislation puts the onus on the “data fiduciary” to seek clear, informed, specific and free consent, with the possibility of withdrawal of data of the “principal” to allow for the use and processing of “sensitive personal data”.
2. It provides for or “data principals” the rights to confirmation, correction of data, portability and “to be forgotten”, subject to procedure.
What are the problems with this Bill?
1. Like the GDPR, this bill also does not restrict itself to having consent as the sole ground for processing.
2. It provides carte blanche to the government to process personal data without obtaining consent. Under Section 13, personal data of individuals can be processed “for the exercise of any function of the state. This can be done without the consent of the individual as long as it is to provide a service or benefit to the individual. this runs directly counter to the articulation of informed consent as central to informational privacy in the Puttaswamy judgment from last year
3. The report recommends a law to provide for “parliamentary oversight and judicial approval of non-consensual access to personal data”. Without such an enabling law, the exemptions provided in the bill will fall short of securing accountability from the state for activities such as dragnet surveillance.