The high-level panel crafting the data protection framework for India is expected to submit its report to the government by the first week of August, and could prompt amendments to a slew of existing legislations in areas like Aadhaar, RTI and health.
The panel headed by Justice B N Srikrishna met here today — in what is being seen as its final meeting — to discuss various aspects, including contentious ones like data localisation, classification of sensitive personal data and the telecom regulator TRAI’s recent recommendations on data privacy and ownership.
Emerging from the two-and-a-half hour meeting, Justice Srikrishna declined to comment on the deliberations held at the closed-door meeting.
One of the members of the panel said the data protection framework will prompt amendments to nearly 70 legislations, including those pertaining to Aadhaar, RTI and health. The amendments will be needed as the existing legislations will have to brought under the new data protection law, the member explained.
It may be recalled that the government had constituted the 10-member committee in July 2017 to recommend a framework for securing personal data in the increasingly digitised economy as also to address privacy concerns and build safeguards against data breaches.
The experts committee formed under Justice Srikrishna, a former Supreme Court judge, had previously noted that both public and private sectors are collecting and using personal data on an unprecedented scale and for various purposes.
It had also said that while the data can be put to beneficial use, the unregulated and arbitrary use, especially that of personal data, has raised concerns about privacy and autonomy of an individual.
Two of the members present at the meeting today said the panel hopes to submit its report to the government by the first week of August, after which it could be placed in the public domain for comments.
It is learnt that there were dissenting voices within the panel on aspects like data localisation, categorisation of financial data as sensitive personal data and treating some of the violations as criminal offense.
One of the members cited above also said TRAI’s recommendations on data ownership, security and privacy, issued last week, also figured in the discussions today.
The recommendations of TRAI were largely seen in line with the draft being worked on by the panel, they added.
The Telecom Regulatory Authority of India (TRAI) has recommended regulation of all digital entities handling consumer data, and emphasised that users are the primary owners of their data. Trai has termed entities controlling and processing user data as “mere custodians”.
Trai has argued that firms collecting user data do not have a right over it, and asserted that consumers’ consent is a must for obtaining it.
Describing the existing data protection framework as inadequate, Trai has said that the government must notify policy framework to regulate devices, operating systems, browsers and applications. It had also suggested that users be granted the right to choice, consent and, equally importantly, to be forgotten, to safeguard privacy.