DPDP RULES AND A MISSED OPPORTUNITY

THE CONTEXT: The Digital Personal Data Protection Act was enacted on August 11, 2023, to regulate digital personal data processing in India. On January 3, 2025, the government released the Draft Digital Personal Data Protection Rules, 2025, for public consultation until February 18, 2025, to operationalize the Act.

EVOLUTION OF DATA PROTECTION LAWS IN INDIA:

    • K.S. Puttaswamy Judgment (2017): The Supreme Court of India in Justice K.S. Puttaswamy (Retd.) vs. Union of India (2017) declared the Right to Privacy a fundamental right under Article 21 of the Indian Constitution. The judgment recognized the need for safeguards against state and private sector surveillance and laid the groundwork for data protection legislation. It established a constitutional basis for data protection laws and highlighted concerns over Aadhaar, surveillance, and data misuse.
    • Justice B.N. Srikrishna Committee (constituted 2017, report 2018): The expert committee emphasised data minimisation, purpose limitation, and informed consent; proposed an independent Data Protection Authority (DPA) for enforcement; and sought to balance individual privacy with innovation and economic growth. Its report formed the basis of the Personal Data Protection Bill, 2019.
    • Personal Data Protection Bill, 2019: Aimed to regulate the collection, storage, and processing of personal data by both public and private entities, and proposed data localisation, user consent, and penalties for non-compliance. Critics pointed to excessive government exemptions on “national security” grounds and to ambiguities about enforcement and the independence of the proposed DPA. The bill was withdrawn in 2022 after stakeholders objected to provisions they considered overly complex and restrictive for businesses.
    • Enactment of the Digital Personal Data Protection Act (DPDPA), 2023: The Act rests on lawful processing, consent-based collection, and data minimisation. It introduces “Data Fiduciaries”, the entities that determine the purpose and means of processing and are responsible for compliance, and establishes a Data Protection Board in place of the independent DPA the committee had recommended.

THEORETICAL FRAMEWORK:

    • Data Privacy and Protection: Data privacy refers to individuals’ right to control how their personal information is collected, stored, processed, and shared. Data protection involves measures to safeguard personal data from misuse or unauthorized access.
    • Informed Consent: Consent that is freely given, specific, informed, and unambiguous. It empowers individuals to decide how their data is used and guards against coercive or deceptive practices by data fiduciaries. Low digital literacy (about 12%, as per the Centre for Economic and Social Studies) limits individuals’ ability to give truly informed consent, and the DPDP Rules do not define what counts as “clear and plain language.”
    • Data Minimisation: Collecting only the data necessary for a specific purpose, which reduces the exposure from breaches and misuse. It aligns with the proportionality principle upheld in the K.S. Puttaswamy judgment. Government exemptions under the DPDP Act permit extensive data collection without adherence to minimisation.
    • Purpose Limitation: Ensuring that data is used solely for the purpose for which it was collected. Prevents misuse of data for unrelated purposes like profiling or surveillance. The DPDP Act permits overriding purpose limitations for government functions like subsidies or licenses, raising concerns about profiling.
    • Right to Be Forgotten (RTBF): The right to request erasure of personal data from digital platforms when it is no longer relevant or necessary. Recognized under GDPR but subject to balancing with freedom of expression.
    • Right to Data Portability: This enables individuals to transfer their data from one service provider to another in a structured format. It promotes competition by reducing vendor lock-in and enhances user autonomy over personal data. However, it is not explicitly provided under the DPDP Act.

CURRENT SCENARIO: DIGITAL PERSONAL DATA PROTECTION (DPDP) RULES, 2025:

    • Applicability: The rules apply to processing digital personal data within India and to entities outside India offering goods or services in India. Exemptions for government agencies under national security and public order remain unchanged from the DPDP Act.
    • Consent Mechanism: Consent must be obtained in “clear and plain language before processing personal data.” Withdrawal of consent is allowed, but the procedure for data deletion and verification is unclear.
    • Data Fiduciaries’ Obligations: Fiduciaries must ensure data accuracy, implement “reasonable safeguards,” and delete data once its purpose is fulfilled. Rule 10 mandates parental consent for processing children’s data.
    • Data Breach Notifications: Rule 7 requires a fiduciary, on becoming aware of a breach, to intimate each affected individual “without delay” and to give the Data Protection Board (DPB) an initial intimation without delay followed by a detailed report within 72 hours (extendable by the Board). “Without delay” is not defined, so there is no fixed deadline for informing affected individuals.
    • Exemptions: Rule 15 exempts processing for “research, archiving, or statistical purposes” without clear definitions or limits on scope. The Act itself excludes personal data that the individual has made publicly available, raising concerns about scraping for AI training or surveillance.
    • Governance Mechanism: The Data Protection Board (DPB) is tasked with adjudicating breaches but lacks independence due to its appointment process and oversight by the Union Government.

AMBIGUITIES AND CONCERNS IN THE DPDP RULES:

    • Informed Consent: The rules do not define “clear and plain language” for consent notices. With digital literacy at roughly 12% (CESS report), many users may not understand what they are consenting to.
    • Right to Be Forgotten (RTBF): The Act provides a right to erasure, but neither it nor the rules lay down procedures or timelines for exercising it, and how erasure is to be balanced against freedom of speech remains unresolved.
    • Reasonable Security Safeguards: Terms like “reasonable” and “adequate” are undefined, leaving the compliance standard open to interpretation. A fiduciary that suffers a breach can argue that it met “reasonable” safeguards and thereby avoid the penalty the Act prescribes for failing to take them, which weakens accountability.
    • Children’s Data Protection: Mandating age verification for all users to identify minors could compromise anonymity online. Undefined terms like “detrimental effect on well-being” create enforcement challenges.
    • Government Exemptions: Blanket exemptions for government agencies on national security grounds undermine privacy protections. The absence of a proportionality test departs from the standard laid down in K.S. Puttaswamy vs Union of India (2017).
    • Cross-Border Data Transfers: The rules permit transfers to any country not restricted by government notification, but provide no framework for assessing the recipient country’s data protection standards.
    • Public Consultation Process: The draft rules were published only in English and Hindi, limiting participation in a linguistically diverse country. Submissions are held in a fiduciary capacity and not published, reducing transparency.

LACK OF CLARITY ON CRITICAL ASPECTS:

    • Grievance Redressal Mechanism: Rule 13 requires fiduciaries to establish grievance systems but does not specify oversight mechanisms or independent audits.
    • Data Retention Policies: There are no clear timelines for data deletion after consent withdrawal or purpose fulfillment. Ambiguities around exceptions for legal requirements leave room for misuse.
    • Independence of the Data Protection Board (DPB): The DPB’s members are appointed by a committee chaired by the Cabinet Secretary, raising concerns about executive influence. Short tenure with reappointment eligibility compromises its autonomy.
    • Vague Terminology: Terms like “appropriate technical measures” and “adequate safeguards” lack specificity, making enforcement subjective and inconsistent.

THE ISSUES:

    • Government Exemptions and Overreach: The government is exempt from most provisions of the Act under vague terms like “sovereignty” and “security of the state.” These exemptions could enable unchecked data collection and profiling by government agencies. The Pegasus spyware controversy highlighted risks of mass surveillance without adequate safeguards.
    • Lack of Independent Regulatory Body: Data Protection Board is tasked with adjudicating breaches but lacks independence due to its appointment process controlled by the Union Government. Members serve short two-year terms with reappointment eligibility, increasing executive influence.
    • Cross-Border Data Transfer Risks: Cross-border transfers are allowed unless restricted by the government via notification. However, no adequacy mechanisms are defined to evaluate recipient countries’ data protection standards. Weak cross-border safeguards could undermine India’s IT outsourcing industry by reducing trust among global clients.
    • Exemptions for Publicly Available Data: The Act does not protect personal data that an individual has made publicly available, raising concerns about its use for AI training or surveillance. Justice B.N. Srikrishna, who chaired the expert committee that reported in 2018, has criticised the framework for prioritising state interests over individual rights, calling it a “dilution of privacy protections.”
    • Public Consultation Limitations: Draft rules are available only in English and Hindi, excluding non-Hindi-speaking citizens from meaningful participation.

THE WAY FORWARD:

    • Strengthen Procedural Frameworks: Introduce multilingual consent notices to ensure inclusivity. Lay down procedural guidelines with timelines for erasure and a means of verifying that deletion has actually occurred. Specify baseline security standards (for example, ISO/IEC 27001 certification and encryption norms) to remove the ambiguity around “adequate” and “reasonable” safeguards.
    • Institute an Empowered Data Protection Authority: Amend the DPDP Act to grant the DPB an independent appointment process (e.g., involving the judiciary) instead of selection by a Cabinet Secretary-led committee. Introduce fixed tenures (five years) with no scope for quick reappointment, akin to SEBI and Competition Commission of India, to ensure independence.
    • Regulatory Oversight: Provide adjudicatory and enforcement powers, including conducting third-party audits and imposing stringent penalties. Mandate the DPB to publish annual reports on the nature and volume of government data requests, akin to “transparency reports” globally.
    • Proportional Surveillance and Government Exemptions Oversight: Incorporate a proportionality test and pre-approval mechanism (judicial or parliamentary) before invoking exemptions for state interest or national security. Restrict use of “public order” grounds by adopting the Supreme Court’s guidelines in Anuradha Bhasin vs Union of India (2020), which call for necessity and least restrictive measures.
    • Develop a Comprehensive Data Literacy: Leverage government schemes under Digital India for large-scale digital literacy programs in regional languages, ensuring informed consent and user awareness. Encourage civil society, academia, and local governance bodies (Panchayati Raj Institutions) to conduct community awareness drives.
    • Strengthen Protective Frameworks for Children’s Data: Allow tokenised age-verification or minimal-data approaches so that every user is not forced to disclose identity documents. Draw from the GDPR, which requires parental consent only below a threshold of 16 that member states may lower to 13, whereas the DPDP Act treats everyone under 18 as a child; this would balance child protection with digital autonomy. Impose higher penalties for breaches involving children’s data.
    • Well-Defined Cross-Border Data Transfer Mechanism: Conduct country-wise adequacy assessments, allowing data transfer only to jurisdictions with comparable data protection standards, akin to the GDPR approach. Collaborate under G20 Digital Economy Working Group to formulate a global consensus on secure data exchange. Adopt a risk-based approach where only sensitive categories of data require localization, avoiding blanket restrictions that hamper India’s IT outsourcing sector.

THE CONCLUSION:

Clear statutory definitions, independent regulatory regimes, enforcing proportional government access, fostering digital literacy, safeguarding children’s data, and instituting secure cross-border transfer frameworks can rectify structural gaps in India’s DPDP architecture. Such measures, rooted in constitutional principles and global best practices (GDPR, Investigatory Powers Act), will ensure that India’s data protection journey aligns with fundamental rights, national security requirements, and economic innovation.

UPSC PAST YEAR QUESTION:

Q. Data security has assumed significant importance in the digitized world due to rising cybercrimes. The Justice B. N. Srikrishna Committee Report addresses issues related to data security. In your view, what are the strengths and weaknesses of the Report relating to protecting personal data in cyberspace? 2018

MAINS PRACTICE QUESTION:

Q. Critically analyze how the DPDP framework safeguards the fundamental right to privacy while balancing national security and fostering a thriving digital economy.

SOURCE:

https://www.deccanherald.com/opinion/dpdp-rules-and-a-missed-opportunity-3352168
