The Bill has raised concerns over the citizens’ Right to Privacy, as it allows private entities to process their data without their explicit consent.

The Lok Sabha has passed the Digital Personal Data Protection (DPDP) bill on Monday, making it India’s first data privacy law. It was introduced by Ashwini Vaishnaw, the Union Minister for Electronics and Information Technology, on August 3.

This Bill seeks to address two long-standing demands from the tech industry: allowing relaxations around the age of consent for children and easing cross-border flow of data. It applies to digital personal data in India and extends to processing outside India for offering Indian goods and services. Personal data needs consent for lawful processing, with exceptions allowed for government agencies and voluntary sharing. It bestows certain rights upon individuals, including the right to access information and request data correction and erasure, among others. Thus, it eases data flows for the government and private entities, including giant companies like BigTech.

Additionally, the Bill gives the central government powers to prescribe a lower age of consent than 18 years for accessing Internet services without parental consent as long as the platform they are using can process their data in a “verifiably safe manner”.

The text says: “A Bill to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.”

The Bill amends the Right to Information Act, 2005, to remove public interest exemptions on disclosing personal information.

In order to ensure compliance with the Bill’s regulations, the central government will set up a Data Protection Board, with its members and chairperson appointed by the central government, which will regulate data protection.

The Bill has also proposed a minimum penalty of Rs. 50 crore and maximum penalty of Rs. 250 crores on entities who violate their norms. Furthermore, if an entity is penalized more than two times, the central government can potentially decide to block their platform in the country.

However, these demands have been met at the expense of citizens, whose private data will be accessible to the government and private entities without their explicit consent on grounds of “legitimate causes”. Furthermore, the Bill doesn’t regulate risks of harm which may arise from the processing of personal data, and might not guarantee a thorough evaluation of the data protection standards in countries where the transfer of personal data has been allowed.

The Bill was passed amid massive opposition from several parties who protested that it violated and made a mockery of citizens’ Right to Privacy at a time when both consumers and governments are becoming increasingly aware of the safety of citizens’ personal data.

It is now set to be considered in Rajya Sabha.