Draft data protection law exempts security of state and journalistic activities | Top Stories
The draft data protection law recommended by the Justice Srikrishna Committee provides for exemptions for processing of personal or sensitive personal data for various purposes, including security of the state and journalistic activities.
The 213-page report, prepared by a 10-member committee set up last year under the chairmanship of the retired Supreme Court judge, Justice B.N. Srikrishna, was submitted to law and electronics minister Ravishankar Prasad on 27 July.
“The data protection law will enable an exemption to the processing of personal or sensitive personal data if it is proportionate and necessary in the interest of the security of the state and is pursuant to a law that meets the test of constitutionality,” the report said.
“Any restriction must be proportionate and narrowly tailored to the stated purpose,” it said, adding that the Central government should expeditiously bring in a law for the oversight of intelligence gathering activities.
Obligations on maintaining security safeguards in processing personal data will remain on the agency collecting such data and no exemption to the same will be provided, the report stated.
“Apart from the obligations of security safeguards and fair and reasonable processing, none of the other obligations under the data protection law shall apply to the processing of personal data under the security of state exemption,” it says.
The collection and processing in such situations may be covert and expedited, thereby making consent inapplicable, as per the report.
Obligations such as purpose specification and storage limitation will also not apply through the proposed data protection law for purposes related to security of the state, and, if applicable, it would be implemented in a modified form through the appropriate statute authorising the intelligence activities.
“Moreover, since a principal-fiduciary relationship has not been envisaged in this case, rights of the individuals will also not be applicable.”
Regarding exemptions to journalistic activities, the draft Bill said: “If journalists were made to adhere to the grounds of processing personal data, it would be extremely onerous for them to access information.”
However, to the extent possible, journalists should still be expected to outline the broad contours of the purpose for which the personal data is being collected, with the final purpose being the publishing of news on the subject, it said.
Further, personal data processed for the purpose of journalism should ordinarily be deleted when the purpose of such processing has been realised, that is, when the news has been published.
However, to cover new stories, journalists may often need to reach for records of data and the deletion of personal data collected post publishing may make it very difficult to do so.
Therefore, under the journalistic exemption, the report says, storage limitation should not apply so long as it is clear that the personal data is being stored for only further journalistic purposes.
It further said the notice and consent obligation will not apply, “especially in cases of investigative journalism where notifying the individual of the collection of information about them would defeat the purpose of the exercise.”
However, the report noted that security safeguards should be implemented for all personal data processed by journalists and they must take reasonable steps to prevent the data loss, theft or misuse.
Other exemptions provided under the proposed Bill are for prevention, detection, investigation and prosecution for contraventions of law, disclosure for the purpose of legal proceedings, research activities, personal or domestic purposes and manual processing by small entities.