Union Communication, Electronics and Information Technology Minister Ashwini Vaishanaw introduced the Data Protection Bill in the Lok Sabha on Thursday. The bill outlines the lawful collection, processing and protection of private data and prescribes penalties up to Rs. 250 crore for data breaches.
As per the bill all the digital platforms must get consent from the users to access personal data. Users can withdraw the consent at any time, upon which digital platforms must stop processing the data. One more critical aspect of the law is that it permits the transfer of personal data to any country, except those the government may blacklist in the future.
Also Read: Meta hit with record €1.2 billion fine over EU data rules
This cross-border data transfer has come as a relief to the Industry and they have welcomed the move. Manish Sehgal, Partner, Deloitte India told Business Today that the bill would make enterprises based outside India serving individuals in India to adhere to the provisions of this bill once enacted.
“In view of the bill’s extra-territorial coverage, enterprises based outside India serving individuals in India will also be expected to adhere to the provisions of this bill once enacted. Enterprises will have to review the current ways of working especially for the personal data of individuals such as their employees, customers, merchants, vendors, etc. to be able to honour the rights that individuals may exercise, such as the right to access, update, erase their personal data etc. Non-adherence of obligation listed in the bill may attract sanctions and commercial penalty as high as Rs 250 crore”, Sehgal told Business Today.
Amit Jaju, Senior Managing Director, Ankura Consulting Group has compared the bill to that of the European Union’s General Data Protection Regulation (GDPR). He mentioned that provisions such as consent, rights of the date subject, and penalties for non-compliance are all seen in GDPR too. He also highlighted the differences between GDPR and India's data protection bill.
“However, there are also differences. For instance, GDPR has stricter regulations on data transfer outside the EU and has provisions for the "right to be forgotten", which allows individuals to request the deletion of their data under certain circumstances. The Indian bill, on the other hand, has a focus on the establishment of a Data Protection Board, which is not a feature of the GDPR", Jaju told Business Today.
Jaspreet Bindra, Founder-MD, Tech Whisperer Ltd has also welcomed the move. “Bringing in the Digital Data Protection Bill is a very welcome step, since this is the first time there is a law to protect data protection and privacy in India. This is especially significant given that India is one of the very few countries where privacy has been declared to be a fundamental right of its citizens. The formation of the Data Protection Board and the fact that it will be housed by professionals is also very welcome” , he told Business Today.
Meanwhile, the opposition has dissented to the bill who raised concerns about its potential violation of the fundamental right to privacy.