Mains Paper 3: Internal Security | Basics of cyber security
From UPSC perspective, the following things are important:
Prelims level: Highlights of the Srikrishna Committee Report, Right to be forgotten
Mains level: Need for protection of personal data.
Draft Personal Data Protection bill, 2018
- The right to privacy is a fundamental right, which necessitates protection of personal data as an essential facet of informational privacy, says the draft Personal Data Protection Bill, 2018.
- It was submitted to the government by a high-level expert group headed by former Supreme Court judge B.N. Srikrishna.
- The much-awaited bill is under the government’s review and has been made public to invite suggestions.
Provisions of the Bill
- The bill deals with issues such as collection and processing of personal data, consent of individuals, penalties and compensation, code of conduct and an enforcement model.
- According to the draft bill, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India.
Data Protection Authority of India (DPA)
- It proposes setting up a DPA, an independent regulatory body responsible for the enforcement and effective implementation of the law, consisting of a chairperson and six full-time members.
- In case of any appeal against an order of the DPA, an appellate tribunal should be established or an existing appellate tribunal should be granted powers to hear and dispose of any appeal.
Highlights of the Panel Report
- The committee has recommended phased timelines for the adoption of different aspects of the privacy law, making data protection a critical component in India’s security posture.
- The report said that sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
- It noted that consent should be the lawful basis for the processing of personal data and the consent should be free, informed, specific, clear and capable of being withdrawn.
- For sensitive personal data, consent should be explicit.
Right to be forgotten
- The committee came out with a recommendation on the right to be forgotten.
- It said that the right should be adopted, with the proposed data protection authority determining the eligibility of the application on the basis of five points which are:
  - Sensitivity of the personal data sought to be restricted
  - Scale of disclosure sought to be restricted
  - Role of the data principal (whose data it is) in public life
  - Relevance of the personal data to the public
  - Nature of the disclosure.
- Regarding data misuse, the committee recommended a penalty of either a certain percentage of the total worldwide turnover of the data misuser, or a fixed amount set by the law.
- It recommended that the penalty may extend up to ₹5 crore or 2% of the data misuser’s total worldwide turnover of the preceding financial year, whichever is higher, in situations where the company fails to take “prompt and appropriate action” in response to a data security breach.
- In situations where the norms on personal data, sensitive personal data, and the personal data on children are violated, the report has recommended a penalty of ₹15 crore or 4% of the total worldwide turnover of the preceding financial year of the company.