On July 31, the government set up a five-member committee chaired by former Supreme Court judge, Justice (retd.) B.N. Srikrishna, to draw up a draft Data Protection Bill. The Bill, if made law, will be India’s first exclusive statute providing protection to online users’ personal data from breach by state and non-state players.
The office memorandum of the Srikrishna Committee notes that the “government is cognisant of the growing importance of data protection in India. The need to ensure growth of the digital economy while keeping personal data of citizens secure and protected is of utmost importance.”
The recent privacy judgment highlights the committee’s role in evolving a “robust data protection regime”. The court recognised the government’s efforts to initiate the process of reviewing the entire area of data protection. It observes that “it would be appropriate to leave the matter for expert determination...”
The government has undertaken in the court that the Ministry of Electronics and Information Technology would work with the panel and hand over all necessary information to it within the next eight weeks, after which the latter will start its deliberations. The committee is expected to submit its report soon.
One of the primary guiding factors for the committee would be the exhaustive report submitted in October 2012 by a group of experts on privacy led by former Delhi High Court Chief Justice A.P. Shah, which was constituted by the erstwhile Planning Commission. Both the government and the court have agreed that this would be the “conceptual foundation for legislation protecting privacy” in the form of the new Data Protection Bill.
The new Bill would be based on five salient features: technological neutrality and interoperability with international standards; multi-dimensional privacy; horizontal applicability to state and non-state entities; conformity with privacy principles; and a co-regulatory enforcement regime.
The Justice Shah group had emphasised on taking the informed and individual consent of users before the collection of their personal data. It had proposed giving users prior notice of information practices, providing them with choices, and collection of only limited data necessary for the purpose for which it is collected. If there is a change of purpose, it must be notified to the individual.
Most importantly, the report proposed access for users to their personal information held by a data controller. Users should be able to seek correction, amendments, or deletion of inaccurate information.