Stringent privacy laws need of the hour

India is at the cusp of getting its own digital data privacy bill. The Digital Personal Data Protection Bill that has been passed by the Lok Sabha and next goes to the Rajya Sabha will be notified as a law after it gets the President’s assent. The billwill be a trail-blazer as it will help protect the privacy of individuals in the digital age, given that it is aimed at establishing a robust framework for protecting personal data. It may be noted that the bill was initially introduced in Parliament on December 11, 2019 but had to be withdrawn for taking up some contentious provisions. Currently, India does not have any law on data protection and the use of personal data is regulated under the Information Technology (IT) Act, 2000. The proposed bill addresses two key demands of the technology industry. It has provision for allowing relaxations around the age of consent for children. The Union government is empowered to prescribe a less than 18 years lower-age for accessing internet services without parental consent provided the platform is found safe for use. This provision is likely to facilitate growth of the edtech and healthtech sectors, where digital platforms are witnessing wide adoption.

Secondly, the bill proposes to significantly ease cross-border data flows. It proposes that the Central government will notify countries or territories to which a data fiduciary may transfer personal data in accordance with such terms and conditions as may be specified. This is an important provision as many global technology companies have huge operations in India and the data transfer and its protections are important facets of inter-country operations. Moreover, the bill has provisions that empower the Centre to establish a separate ‘Data Protection Board of India’with specific tasks of monitoring compliance and impose penalties apart from hearing grievances made by the ‘victims’. The board can impose a penalty of up to Rs. 500 crore if non-compliance by a person is found to be significant in terms of data privacy norms. The bill also proposes six types of penalties for non-compliance, including a fine of up to Rs. 250 crore for failure to put in place security safeguards. There is no doubt that such an approach will ensure that the privacy of an individual’s personal data gets a robust framework.

However, the bill is not free from contentious issues. For instance, it will give sweeping powers to the Centre. After it becomes a law, the government can process personal data for the provision of benefit, service, license, permit, or certificate without taking the consent of the people. Critics argue that the bill opens up surveillance of citizens by the government. On that count,

the proposed bill has some provisions, which may not be totally acceptable by one and all. Such criticisms notwithstanding, the data protection bill, taken in its entirety, is a step in the right direction. With rapid digitalisation, an emerging economy like India will be better-placed with such stringent privacy laws for its future growth.