Srikrishna Committee Suggests Amendments in Aadhaar Act for Data Protection

The Justice B.N. Srikrishna Committee on data protection in India has suggested amendments to various laws including the Aadhaar Act to provide for imposition of penalties on data fiduciaries and compensations to data principals for violations of the data protection law.

The 213-page report, prepared by a 10-member committee set up last year under the chairmanship of the retired Supreme Court judge, was submitted to Law and Electronics Minister Ravishankar Prasad who said that the government will go through the draft bill and take stakeholder comments before taking Cabinet approval for finalising the legislation.

Justice Srikrishna said data privacy is a burning issue and there are three parts to the triangle. "The citizen's rights have to be protected, the responsibilities of the states have to be defined but the data protection can't be at the cost of trade and industry."

The report assumes significance in the context of controversies over alleged leakage of biometric details of Aadhaar card holders and the ongoing Supreme Court hearing in the case related to data protection.

The report has proposed penalties for violations, criminal proceedings, setting up of a data authority, provision of withdrawal of consent and concept of consent fatigue.

In its recommendationsm, the committee has said the data protection law will set up a Data Protection Authority (DPA), an independent regulatory body responsible for the enforcement and implementation of the law. Broadly, it will perform the functions of monitoring and enforcement, legal affairs, policy and standard setting, research and awareness and enquiry, grievance handling and adjudication.

The draft law has suggested that penalties may be imposed on data fiduciaries and compensations may be awarded for violations of data protection law.

"The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the proceeding financial year, whichever is higher. Offences created under the law should be limited to any intentional or reckless behaviour, or to damage caused with knowledge to the data principals in question."

The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.

However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.

Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies under Indian law will be covered, irrespective of where it is actually processed.

However, the data protection law can empower government to exempt companies which only process the personal data of foreign nationals not present in India.

The law will not have retrospective application and will come into force in structured and phased manner.

The report suggests amendments to the Aadhaar Act from a data protection perspective. Read along with the provisions of the proposed data protection bill, the amendments will deal with enforcement action and individual remedies.

Under the Chapter Processing, the report says the definition of personal data will be based on identifiability. The law will cover processing of personal data by both public and private entities.

Standards for anonymisation and de-identification (including pseudonymisation) may be laid down by the authority.

Sensitive poersonal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data and data that reveals transgender status, inter-sex status, caste, tribe, religious or political beliefs or affiliations of an individual.

The authority will be given the residuary power to notify further categories in accordance with the criteria set by law.

Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework which will apply a product liability regime to consent, thereby making the data fiduciary liable for harms caused to the data principal.

For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.

A data principal below 18 years of age will be considered a child. Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind.

Further, data fiduciaries capable of causing significant harm to children will be identified as guardian data fiduciaries. All data fiduciaries (including guardian data fiduciaries) shall adopt appropriate age verification mechanism and obtain parental consent.

Furthermore, guardian data fiduciaries, specifically, shall be barred from certain practices. Guardian data fiduciaries exclusively offering counselling services or other similar services will not be required to take parental consent.

Under data principal rights, the right to confirmation, access and correction should be included in the data protection law.

Similarly, the right to data portability, subject to limited exceptions, should be included in the law. The right to object to processing; right to object to direct marketing, right to object to decisions based on solely automated processing, and the right to restrict processing need not be provided in the law for the reasons set out in the report.

The right to be forgotten may be adopted, with the Adjudication Wing of the DPA determining its applicability on the basis of the five-point criteria as follows:

(i) the sensitivity of the personal data sought to be restricted;

(ii) the scale of disclosure or degree of accessibility sought to be

restricted;

(iii) the role of the data principal in public life (whether the data principal

is publicly recognisable or whether they serve in public office);

(iv) the relevance of the personal data to the public (whether the passage

of time or change in circumstances has modified such relevance for

the public); and

(v) the nature of the disclosure and the activities of the data fiduciary

(whether the fiduciary is a credible source or whether the disclosure is

a matter of public record; further, the right should focus on restricting

accessibility and not content creation).

Cross-border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.