Justice Srikrishna data protection draft bill is now public, highlights and what happens next

The panel headed by retired Justice BN Srikrishna submitted its bill on data protection to the IT Ministry on Friday. The draft bill, titled the Personal Data Protection Bill, 2018, now has to be tabled in Parliament. It will be the basis of a data protection framework that prescribes conditions for how organisations should receive, handle, and process individuals’ personal data in India, along the lines of laws like the EU’s General Data Protection Regulation (GDPR).

The draft legislation has 15 chapters and lays out a framework for data-protection obligations, grounds for processing of personal and sensitive personal data, data principal rights, provisions to govern the transfer of data outside India and the creation of a data protection authority.


Key highlights from the bill

  • Personal data has been defined as data which makes an individual directly or indirectly identifiable. The definition does not specifically mention any particular form of data or attribute. The bill excludes anonymized data from the application of this law.
  • Apart from defining personal data, the bill labels certain information as sensitive personal data, a category that existed under the SPDI (sensitive personal data and information) Rules of the IT Act. This has been expanded to include passwords; financial data; health data; official identifier; sex life; sexual orientation; biometric data; genetic data; transgender status; intersex status; caste or tribe; religious or political belief or affiliation.
  • The law will extend to data fiduciaries or data processors who operate outside the country, if they carry out processing of personal data in connection with any business carried on in India, systematic offering of goods and services to data principals in India, or any activity which involves profiling of data principals (individual users) within India.
  • Legal grounds for processing under the bill include consent, functions of state, compliance with law or order of court/tribunal, for prompt action in case of emergencies, purposes related to employment and reasonable purposes of the data fiduciary.
  • The bill provides certain rights to the data principal (i.e. the individual). These include the right to confirmation and access, right to correction, right to data portability and right to be forgotten.
  • Platforms operating under this law will have to adhere to certain transparency and accountability measures. These include Privacy by design, data protection impact assessment, record keeping, appointing a data protection officer and data audits.
  • The bill places restrictions on cross-border transfers of data. The bill mandates storing a mirror of all personal data within the territory of India. The bill also empowers the central government to classify any sensitive personal data as critical personal data and mandate its storage and processing exclusively within India.
  • The bill establishes an independent authority called the Data Protection Authority of India that is empowered to oversee the enforcement of the bill. The adjudication process will be looked after by the adjudication wing of the Authority.
  • The bill lays down financial penalties for non-compliance ranging from Rs 5 crores or 2% of total worldwide turnover to Rs 15 crores or 4% of the total worldwide turnover.

H/T: DSCI for their document on Highlights of the Personal Data Protection Bill.

What happens next?

The bill will likely be introduced in Parliament soon. IT Minister Ravi Shankar Prasad said that the bill will be subject to further parliamentary review before going to the Cabinet for approval. “Once the bill will be tabled in parliament it is likely to pass without any major amendments as the government has a strong majority,” Meghnad S, creator of Consti-tuition and Sansad Watch, told MediaNama.

Opaque and ineffective consultations

One of the issues afflicting the committee has been the opacity and purported ineffectiveness of its public consultation process. Firstly, the public consultation should have followed the release of the draft bill, as this would have allowed all stakeholders to examine and comment on the proposals made. Holding the public consultation before the release of the report means that said stakeholders will not be able to address any flaws present in the draft legislation.


Secondly, copies of submissions sent to the committee have not been made public. In a town hall in Mumbai, Justice Srikrishna responded to a concern by MediaNama on stakeholder submissions not being made public, saying, “You give your comments. Why do you worry about what anyone else has to say?”

The IT Ministry also refused to share copies of the submissions in response to an RTI application filed by MediaNama. The IT Ministry has also refused to hand over minutes of the committee’s meetings. The ministry in its response said that the submissions were “confidential” and “not available for public dissemination” without the consent of the submitting entity. With regard to the ‘minutes of the meetings,’ the ministry said that they cannot be shared under Section 8(1)(i) of the RTI Act.

Written By

Writes about consumer technology, social media, digital services and tech policy. Is a gadget freak, gamer and Star Wars nerd.


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
