Data Protection Law in India appears to be round the corner now

The online service delivery has made our lives simpler; from discovering where to book our next vacation to paying our bills, everything is now at our fingertips, but this needs sharing of information online. The burgeoning information exchange has resulted in security concerns ranging from minor to major misuse of the information harming us financially and causing reputation loss too. According to Tenable’s 2022 Threat Landscape Study, about 1,300 data breaches occurred between November 2021 and October 2022, placing India as the second-highest country exposed to cyber breaches in 2022. More than two thirds (68 %) of the leaked records came from APAC-based firms.

For online transactions, video games, social media, and other purposes, we are required to submit our personal data which includes bank account / credit card information, phone number, email address and in certain places identity data such as PAN, Aadhar and residential address. However, so far, apart from certain provisions in IT Act of our country, there has not been enough safe guard provisions in the Law of the country. Therefore, Data Protection Law is necessary to safeguard and control the Information sharing and usage of such information.

Data volume and processing capacity demands have all skyrocketed since the dawn of the digital age. With mobile percolation enabled with fast internet, availability of such data has also taken up a priority position in customer demands. On the other hand, enormous volumes of sensitive consumer data is available and accessible with service providers like Facebook, Google, and Apple on a global scale, it is challenging for individuals to be reasonably assured of the safety of their personal data. Entities who have collected and have access to such data could be using it for their own gain, without the consumer knowing it or consenting it. This makes it further necessary to have a strong and effective Data Protection Law in our country and keep a check on data theft and breaches as well as misuse of such data. The Law that can protect individual interests and safety of such shared data.

The Personal Data Protection Bill 2019, which was earlier approved by the cabinet ministry, aimed to establish a framework for organisational and technical measures in data processing, laying down standards for social media intermediaries, cross-border transfer, and accountability; to provide for protection of individuals' privacy with regard to their personal data; to specify the flow and use of personal data; to build a relationship of trust between people and entities processing the data; and to protect the fundamental rights of individuals whose personal data are processed. But the bill was highly criticised for various reasons. Therefore, the Parliament with an aim to ensure overall acceptance of such Law, initiated the process to draft a more comprehensive bill considering the concerns and addressing them where possible and feasible, without diluting the objective.

Proposed Bill

A new Digital Personal Data Protection Bill 2022 has been proposed by the Ministry of Electronics and Information Technology (Meity), which says " The purpose of this Act is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto."

The bill outlines the duty of the data fiduciary to use acquired data legitimately and the rights and responsibilities of the citizen, on the one hand.

The bill highlighted that the data fiduciaries will be responsible for processing personal data of individuals in accordance with the bill. A data fiduciary must obtain verifiable parental consent before processing the personal data of a child, and refrain from tracking of behavioural monitoring of children or targeted advertising directed at them.

According to reports, the government may soon announce a policy that would allow other nations and multinational corporations to establish "data embassies" within India that would grant "diplomatic immunity" from local restrictions for both national and commercial digital data.

The government would facilitate the establishment of data embassies in the GIFT city, according to Finance Minister Nirmala Sitharaman's remarks during her Budget speech. Later, this may include the regulation in the future Digital Data Protection Bill, which is anticipated to be introduced in March.

The bill also includes the power of consent. A person must only process personal data belonging to a data principal for purposes for which the data principal has consented.

The government's proposed final draught bill stipulates the following penalties for failing to comply with the law:

• Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (4) of section 9 of this Act -Penalty up to Rs 250 crore.
• Failure to notify the Board and affected Data Principals in the event of a personal data breach, under sub-section (5) of section 9 of this Act- Penalty up to Rs 200 crore
• Non-fulfilment of additional obligations in relation to Children; under section 10 of this Act -Penalty up to Rs 200 crore
• Non-fulfilment of additional obligations of Significant Data Fiduciary; under section 11 of this Act- Penalty up to Rs 150 crore
• Non-compliance with section 16 of this Act Penalty up to Rs 10 thousand 6 Non-compliance with provisions of this Act other than those listed in (1) to (5) and any Rule made thereunder- Penalty up to Rs 50 crore

India's data protection law is considered as a key step in bringing the country into compliance with global privacy norms. The government's aggressive response to data protection issues demonstrates its dedication to supporting a safe and privacy-focused digital ecosystem in the nation. If passed, the data protection law will be a big step forward for India's digital development and set the standard for regional data protection procedures.