Srikrishna panel report: Data safeguards will not apply to national security, police and courts

A landmark privacy bill drafted by the Justice BN Srikrishna committee, which seeks to protect citizens’ data and privacy, provides for certain exemptions from provisions of the Bill, especially when data needs to be accessed for purposes of national security, police investigations and legal proceedings.

The draft Personal Data Protection Bill, 2018 – part of the Srikrishna panel report – provides for regulations on how personal data is to be handled by various entities, including the state. However, it does make key exemptions, such as consent, under special circumstances.

For instance, section 42 states that when there is a need to access or process citizens’ data for reasons of national security, this will be exempt from key rules that protect data, as provided in the draft bill. However, these exemptions will apply only when it is authorized by law.

Whatever the exemptions, personal data must always be handled in a “fair and reasonable ma- nner” that respects the “privacy of the data principal”, the draft bi- ll states. Data principal, as defin- ed by the bill, refers to any person whose data is being referred to.

Similar exemptions have been made in the draft bill for processing of personal data for police investigations and detentions or prosecution for any offence committed. But such exemptions only apply when permission has been granted by law. The implication of these provisions is that Parliament and states will have to make a separate law to allow for these exemptions.

Exceptions have also been proposed in the draft bill for legal proceedings. When personal data needs to be accessed to enforce any legal right or claim, seeking any relief, defending a criminal charge, opposing any claim, or obtaining any legal advice from an advocate, major provisions of the draft bill do not apply.

Such exemptions from provisions of the bill have also been extended to any court of law or tribunal in the country, that needs to access or process personal data to carry out judicial processes.

When such exemptions kick in, an entity – whether police, a court or a person – is not required to adhere to data-protection obligations that will usually apply. Such exemptions include chapter II of the draft Bill, which requires personal data to be processed only for purposes specified or for any other related purpose that is “reasonably” expected, the bill states.

Moreover, where processing of personal data is necessary for research, archiving, or statistical purposes, exemptions can be sought from the data protection authority, the apex regulator wh- ich the bill provides for. It is for the authority to decide what exemptions are to be given, depending on a case-to-case basis.