Shared News | UPDATED: JULY 27, 2018 17:36 IST
The report also said that consent should be the lawful basis for the processing of personal data, and consent should be free, informed and specific.
The committee on data protection led by Justice B.N. Srikrishna on Friday submitted its report and recommendations, including on what personal data is, the consent requirements for using such data, and the penalties for the misuse of personal data.
“Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual,” the report said.
The report also said that consent should be the lawful basis for the processing of personal data and that the consent should be “free, informed, specific, clear and capable of being withdrawn.” For sensitive personal data, consent will have to be explicit, it added.
The committee also gave its recommendations on the right to be forgotten, in which it said that the right be adopted, with the proposed Data Protection Authority determining the eligibility of the application on the basis of five points.
These five points include: i) the sensitivity of the personal data sought to be restricted, (ii) the scale of disclosure sought to be restricted; (iii) the role of the data principal (whose data it is) in public life, (iv) the relevance of the personal data to the public, and (v) the nature of the disclosure.
In the case of data misuse, the Committee also recommended a penalty of either a certain percentage of the total worldwide turnover of the data misuser, or a fixed amount set by the law.
It recommended that the penalty may extend up to ₹5 crore or 2% of the data misuser’s total worldwide turnover of the preceding financial year, whichever is higher in situations where the company fails to take “prompt and appropriate action” in response to a data security breach.
In situations where the norms on personal data, sensitive personal data, and the personal data on children are violated, the report has recommended a penalty of ₹15 crore or 4% of the total worldwide turnover of the preceding financial year of the company.