Protect data without suffocating the business
The bill will be reintroduced, in the words of Ashwini Vaishnaw, “soon”, as part of a series of laws that ideally should have absorbed all the criticism leveled at India’s inadequate data protection regime in the over the four years of deliberations that have taken place. of the withdrawn bill. These concerns involve diluting the right to privacy by including non-personal data within the scope of the law, local storage of data collected by companies, and extended powers to government.
Privacy, although arising from a fundamental right, cannot be considered in isolation. It must find its place in an effective regulation of data governance. This includes not placing an inordinate compliance burden on data collection and storage.
Penalties for violations should be in line with global standards, as should disqualifications for law enforcement. Personal and non-personal data must be separated by effective anonymization and their treatment in law must be different. Without a privacy law and regulatory framework for public data in place, the GoI would find itself in a gray area regarding obtaining consent and anonymizing citizen data it holds in trust. .
The legislation would remain behind the curve of technological change if it had to undergo another round of protracted consultation with stakeholders. The sooner the legal foundations are laid, the easier it will be to change the superstructure of data protection as the digital landscape develops.
Privacy that does not stifle the digital economy is vital for a government that expects technology to power the next phase of India’s development. It is up to the GoI to find the shortest path to strike a balance between regulatory overbreadth, ease of doing business and trade distortion.