The Justice BN Srikrishna committee on Friday submitted its report to the Centre on suggestions for a data protection law. The committee, chaired by former Supreme Court judge Justice BN Srikrishna, has nine other members including Unique Identification Authority of India Chief Executive Officer Ajay Bhushan Pandey and Research Director of Vidhi Center For Legal Policy Arghya Sengupta.

“The citizen’s rights have to be protected, the responsibilities of the states have to be defined but the data protection can’t be at the cost of trade and industry,” he said, according to The Economic Times.

The committee has handed over the report to Union Minister for Law and Information Technology Ravi Shankar Prasad. Srikrishna said the draft bill was prepared through an open process where stakeholders in the major information technology hubs were consulted. The report will be consulted by other ministries and the Cabinet, as well as seek parliamentary nod, he added.

The Srikrishna report’s recommendations are not binding on the government, meaning further lobbying – and public campaigns like Save Our Privacy – can also influence what the final law ends up being.

The challenges to Aadhaar come from various fronts, including concerns by citizens about storing and sharing their biometric information with the UIDAI. Several government websites were found to be leaking user data along with their Aadhaar numbers, which are considered sensitive information.

While UIDAI claims that user data in its repositories are safe and secure, the committee is expected to design a broader framework that covers all other kinds of data and ensure that the ministry can deliberate on these issues as soon as possible.

Highlights of the report

The 213-page report makes recommendations on several topics, including consent, data protection authority, right to recall data and rights of children. The report also identifies circumstances under which data has to be compulsorily stored in India.

The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India, according to the committee. “Personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India,” the report said. “However, the data protection law may empower the central government to exempt such companies which only process the personal data of foreign nationals not present in India.”

The definition of personal data will be based on identifiability, the report said. The law will cover processing of personal data by both public and private entities. “Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual,” the report said.

The committee recommended that in case of data misuse, a penalty of either a certain percentage of the total worldwide turnover of the data misuer, or a fixed amount set by the law. If the company fails to take prompt and appropriate action in response to data security breach, the committee recommended that the penalty may be extended up to Rs 5 crore or 2% of the misuser’s total worldwide turnover of the preceding financial year.