Professional Documents
Culture Documents
Srikrishna Committee Report Summary PDF
Srikrishna Committee Report Summary PDF
Bill Summary
The Draft Personal Data Protection Bill, 2018
Rights of the individual: The Bill sets out allowed on certain grounds, including: (i) based
certain rights of the individual. These include: on explicit consent of the individual, (ii) if
(i) right to obtain confirmation from the necessary for any function of Parliament or
fiduciary on whether its personal data has been state legislature, or, if required by the state for
processed, (ii) right to seek correction of providing benefits to the individual, or (iii) if
inaccurate, incomplete, or out-of-date personal required under law or for the compliance of any
data, and (iii) right to have personal data court judgement.
transferred to any other data fiduciary in certain
Sensitive personal data includes passwords,
circumstances.
financial data, biometric data, genetic data,
Obligations of the data fiduciary: The Bill caste, religious or political beliefs, or any other
sets out obligations of the entity who has access category of data specified by the Authority.
to the personal data (data fiduciary). These Additionally, fiduciaries are required to institute
include: (i) implementation of policies with appropriate mechanisms for age verification and
regard to processing of data, (ii) maintaining parental consent when processing sensitive
transparency with regard to its practices on personal data of children.
processing data, (iii) implementing security
Transfer of data outside India: Personal data
safeguards (such, as encryption of data), and
(except sensitive personal data) may be
(iv) instituting grievance redressal mechanisms
transferred outside India under certain
to address complaints of individuals.
conditions. These include: (i) where the central
Data Protection Authority: The Bill provides government has prescribed that transfers to a
for the establishment of a Data Protection particular country are permissible, or (ii) where
Authority. The Authority is empowered to: (i) the Authority approves the transfer in a
take steps to protect interests of individuals, (ii) situation of necessity.
prevent misuse of personal data, and (iii) ensure
Exemptions: The Bill provides exemptions
compliance with the Bill. It will consist of a
from compliance with its provisions, for certain
chairperson and six members, with knowledge
reasons including: (i) state security, (ii)
of at least 10 years in the field of data protection
prevention, investigation, or prosecution of any
and information technology. Orders of the
offence, or (iii) personal, domestic, or
Authority can be appealed to an Appellate
journalistic purposes.
Tribunal established by the central government
and appeals from the Tribunal will go to the Offences and Penalties: Under the Bill, the
Supreme Court. Authority may levy penalties for various
offences by the fiduciary including (i) failure to
Grounds for processing personal data: The
perform its duties, (ii) data processing in
Bill allows processing of data by fiduciaries if
violation of the Bill, and (iii) failure to comply
consent is provided. However, in certain
with directions issued by the Authority. For
circumstances, processing of data may be
example, under the Bill, the fiduciary is
permitted without consent of the individual.
required to notify the Authority of any personal
These grounds include: (ii) if necessary for any
data breach which is likely to cause harm to the
function of Parliament or state legislature, or if
individual. Failure to promptly notify the
required by the state for providing benefits to
Authority can attract a penalty of the higher of
the individual, (iii) if required under law or for
Rs 5 crore or 2% of the worldwide turnover of
the compliance of any court judgement, (iv) to
the fiduciary.
respond to a medical emergency, threat to
public health or breakdown of public order, or, Amendments to other laws: The Bill makes
(v) for reasonable purposes specified by the consequential amendments to the Information
Authority, related to activities such as fraud Technology Act, 2000. It also amends the Right
detection, debt recovery, and whistle blowing. to Information Act, 2005, and to permit non-
disclosure of personal information where harm to
Grounds for processing sensitive personal
the individual outweighs public good.
data: Processing of sensitive personal data is
DISCLAIMER: This document is being furnished to you for your information. You may choose to reproduce or redistribute this report for
non-commercial purposes in part or in full to any other person with due acknowledgement of PRS Legislative Research (“PRS”). The
opinions expressed herein are entirely those of the author(s). PRS makes every effort to use reliable and comprehensive information, but
PRS does not represent that the contents of the report are accurate or complete. PRS is an independent, not-for-profit group. This document
has been prepared without regard to the objectives or opinions of those who may receive it.
-2-