India’s landmark data privacy law may not apply to Aadhaar
OTHER SIGNIFICANT RECOMMENDATIONS
All cross-border transfer of personal data to be done only through proper contracts, with the sender being liable for any leak or harm caused to such data. Personal data deemed ‘critical’ can’t be taken outside India. Critical personal data will include all data necessary for the smooth functioning of the economy and the nation-state.
The report makes it clear that this data would include Aadhaar number, genetic data, biometric data and health data.
The differentiation between critical and non-critical personal data, the draft report says, will lead to effective law enforcement, curb foreign surveillance, avert vulnerabilities to the optic cable network, and help in building a robust artificial intelligence ecosystem.
There will be an independent regulatory body called the data protection authority (DPA), whose functions will include monitoring and enforcement of the proposed law as well as investigation and grievance-handling.
All data collectors would have to get registered with the DPA.
The DPA’S powers would include issuing warnings and reprimands, and ordering data fiduciaries to suspend work or collection of data, if found violating the law. There will be a ‘data ombudsman’ to adjudicate complaints between data principals and data fiduciaries. Appeals against orders of the data ombudsman will be made to an appellate tribunal. The Supreme Court will hear appeals against orders of this appellate tribunal.
Consent will be required to collect any kind of personal data. Such consent will be invalid if not based on informed choice that is specific, clear and capable of being withdrawn.