Personal critical user data should be processed and stored only in India, a panel headed by former Supreme Court judge BN Srikrishna said in its report to the government on Friday. This and its other recommendations are likely to form the basis of India's first data protection law.
The key recommendation will impact foreign firms operating across the country. The report was awaited by global technology companies for its views on data localisation.
Other recommendations include setting up of a data authority, option of withdrawal of consent, penalties and criminal proceedings for violations. The report also suggests steps for protection of personal information, and defines obligations of data processors and rights of individuals.
The government should notify categories of personal data as critical personal data that will only be processed in a server, or in a data centre, located in India, according to the report.
The recommendations came after a year of deliberations. The report was submitted by Justice Srikrishna to Minister of IT and Electronics Ravi Shankar Prasad.
"It is a monumental law, and we would like to have widest parliamentary consultation... We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation," Prasad said. The report will be circulated for inter-ministerial consultations, and will require approval from the Cabinet and Parliament.
The report has come when there are reports of data misuse with respect to Aadhaar and breach of data of Facebook users by Cambridge Analytica. In May this year, the European Union General Data Protection Regulation (GDPR) also came into force under which all firms have to adhere to the new regulations.
"Privacy has become a burning issue... every effort has to be made to protect data. The recommendations look into three aspects - citizens, state and industry," Justice Srikrishna said after submitting the report. He also submitted a draft Personal Data Protection Bill, 2018.
"Aadhaar is just one scratch on the surface. This is an overarching law. Aadhaar happened to be the first kid on the block so the Supreme Court had to deal with its constitutionality," he said while refusing to comment directly on Aadhaar as the matter is subjudice.
Nasscom-DSCI comment:
Mandating localisation of all personal data is likely to become a trade barrier in key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.
Mozilla Corporation's comment:
This Bill provides for a strong foundation of protection for Indians' privacy, but it is not without loopholes - in particular, the requirement to store a copy of all personal data within India, creating broad permissions for government use of data, and the independence of the regulator's adjudicatory authority. We welcome the government's commitment to a public consultation process, which we hope will rectify the cracks in this foundation.
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
 "BN Srikrishna-Ravi Shankar Prasad")
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
)
){kind=small}
){kind=small}
)
)
)
)
)
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}