DBP No.13 of 2021 & W.P.(C)Nos.21609 &

328. Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the State but from non-State actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the State would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the Union Government while designing a carefully structured regime for the protection of the data. Since the Union Government has informed the Court that it has constituted a Committee chaired by Hon'ble Shri Justice B.N. Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with appropriately by the Union Government having due regard to what has been set out in this judgment."

48. In K.S. Puttaswamy, at Para.315 of the judgment, the Apex Court noticed the constitution of a committee chaired by Justice B.N. Srikrishna, former Judge of the Supreme Court of India to review, inter alia, data protection norms in the country and to make its recommendations. Para.315 of the said judgment reads thus;

"315. During the course of the hearing of these proceedings, the Union Government has placed on the record an Office Memorandum dated 31.07.2017 by which it has constituted a committee chaired by Justice B.N. Srikrishna, former Judge of the Supreme Court of India to review inter alia data protection norms in the country and to make its recommendations. The terms of reference of the Committee are:
a) To study various issues relating to data protection in India;
b) To make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill.

Since the Government has initiated the process of reviewing the entire area of data protection, it would be appropriate to leave the matter for expert determination so that a robust regime for the protection of data is put into place. We expect that the Union Government shall follow up on its decision by taking all necessary and proper steps." (underline supplied)

65. As per sub-rule (3) of Rule 8, any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation. As per sub-rule (4) of Rule 8, the body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.