Why a balanced data bill is key

First, data fiduciaries — government and private — will have to issue a notice to the public declaring the data they have collected, stored and shared. This provision, if cleared, will ensure mandatory initial disclosure by data fiduciaries on the information they already have, a significant (and welcome) step towards transparency. Two, the law itself will not apply retrospectively to any breaches in the past but will seek a fine of up to ₹250 crore on any entity that processes personal data and fails to safeguard it. The rash of data breaches over the past few years – almost every individual with a mobile number and a credit history now figures in reams of lists with spammers — has touched alarming proportions (remember the leak of health data last month that held the potential for identity theft). The administration’s diffident and ad-hoc responses have underlined the urgent requirement for a data protection framework.

Any data protection bill in a nation as diverse as India will need to strike a balance between ease of compliance, industry concerns, and privacy protections. At the same time, it must be agile and stand the test of time in a field where concepts and tools are forever morphing into newer and unfamiliar forms. The previous iteration of the bill last year laid down some key fundamentals for how personal data should be handled (only after specific, informed and unambiguous consent), how the data of children should be processed (only after parental approval) and how data can flow across borders (with relatively fewer constraints). But its provisions on “deemed consent” (allowing the government broad powers to access personal data), empowering the government to exempt any department from the ambit of the law in the future, and a new data protection board that was stacked with government members proved controversial. Whether these remain in the new bill will be important. But, for now, any step forward to a data protection framework should be welcomed.