SC won’t take into account Justice Srikrishna report on data while delivering Aadhaar verdict

New Delhi, July 30: The Supreme Court has declined to take into account the Justice Srikrishna Committee report on data privacy and safety, while writing the Aadhaar judgment.

Chief Justice of India, Dipak Misra consults with Justices A M Khanwilkar and D Y Chandrachud and told the Attorney General that it would not require the report.

The AG, K K Venugopal had told the court that the Centre could submit the report, if the Bench wanted it. However the Bench said that it would not be necessary.

The court had reserved the verdict on Aadhaar in May.

The Justice BN Srikrishna committee submitted its report on the data protection law on Friday. The government had set up the committee under the chairmanship of retired Supreme Court judge Srikrishna in August last year.

Justice Srikrishna said data privacy is a burning issue and there are three parts to the triangle. "The citizen's rights have to be protected, the responsibilities of the states have to be defined but the data protection can't be at the cost of trade and industry."
The report has proposed penalities for violations, criminal proceedings, setting up of a data authority, provision of withdrawal of consent and concept of consent fatigue.

Highlights of the report:

• The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
• Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
• The law will not have retrospective application and it will come into force in a structured and phased manner. The Aadhaar Act needs to be amended to bolster data protection.
• The data protection law will set up a DPA which will be an independent regulatory body responsible for the enforcement and effective implementation of the law. The Central Government shall establish an appellate tribunal or grant powers to an existing appellate tribunal to hear and dispose of any appeal against an order of the DPA.
• Penalties may be imposed for violations of the data protection law. The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher.
• The state can process data without consent of the user on ground of public welfare, law and order, emergency situations where the individual is incapable of providing consent, employment, and Reasonable purpose.
• The law will cover processing of personal data by both public and private entities.
• Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
• Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework which will apply a product liability regime to consent thereby making the data fiduciary liable for harms caused to the data principal.
• Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee. Personal data determined to be critical will be subject to the requirement to process only in India (there will be a prohibition against cross border transfer for such data).