Draft Data Protection Rules: Implications for Privacy, Industry, and Governance

Syllabus:

GS-2:

Government Policies & Interventions

GS-3:

E-Governance; IT & Computers

Focus:

The Ministry of Electronics and IT released draft rules for the Digital Personal Data Protection Act, 2023. These rules propose data localisation mandates, empower government oversight, and raise concerns over privacy and encryption. Feedback is being sought, but transparency and safeguards remain key challenges.

Draft Data Protection Rules:

  • Ministry of Electronics and Information Technology released draft rules on January 3, 2025, for implementing the Digital Personal Data Protection (DPDP) Act, 2023.
  • Draft rules surfaced 16 months after the law was notified.
  • The government is seeking feedback but faces criticism for lack of transparency.

Criticisms

  • Experts argue the rules fail to create a comprehensive data privacy framework.
  • Advocacy groups urge parliamentary standing committee scrutiny for fairness.

Draft Digital Personal Data Protection Rules, 2025: Key Features and Framework

Salient Features

  • Notice by Data Fiduciaries
      ◦ Clear notices for Data Principals about data usage, consent withdrawal, and grievance redressal.
  • Consent Management
      ◦ Requirements: Prior, informed consent is mandatory and can be withdrawn at any time.
      ◦ Consent Managers: Facilitate consent tracking and management.
  • Obligations of Data Fiduciaries
      ◦ Significant Data Fiduciaries (SDFs): Conduct data impact assessments and audits, and ensure no harm to Data Principals’ rights.
      ◦ General Obligations: Maintain transparency, publish grievance mechanisms, and provide clear terms of service.
  • Rights of Data Principals
      ◦ Right to access and erase data, and to file grievances within specified timeframes.
      ◦ Right to nominate a representative to exercise these rights in case of incapacitation or death.
  • Security Measures
      ◦ Fiduciaries must implement encryption, access control, and retain logs for at least one year.

Other Key Components

  • Processing Outside India: Transfers require government approval and are restricted for sensitive data.
  • Data Breach Intimation: Fiduciaries must notify affected individuals and the Board within 72 hours.
  • Data Erasure: Notify Data Principals 48 hours before erasing personal data whose purpose is no longer served.
  • Children’s Data: Verifiable parental/guardian consent is mandatory.
  • Government Powers: Authority to request data and restrict sensitive data disclosures affecting sovereignty or public order.

Data Localisation Mandate:

What is Data Localisation?

  • Refers to policies restricting data transfer outside a jurisdiction.
  • The DPDP Act limits personal data transfers to specific notified countries.
  • Draft rules extend these restrictions by creating a government-appointed committee to classify non-exportable data.

Changes Introduced by Draft Rules

  • Applies to significant data fiduciaries (SDFs), such as Meta, Google, Apple, Microsoft, and Amazon.
  • Aims to address law enforcement challenges in accessing cross-border data.

Precedents and Clarifications

  • RBI’s 2018 mandate required payment data localisation, setting a precedent.
  • Government promises a two-year compliance timeline for industry players.

Challenges for Tech Companies

  • Operational difficulties in data segmentation and determining data storage locations.
  • Expected to increase operational costs and restrict business activities.

Concerns About Executive Overreach and Surveillance

Section 36 and Rule 22

  • Section 36 of the DPDP Act, with Rule 22, grants the government powers to demand “any” information from data fiduciaries or intermediaries.
  • Justified under concerns of national security or sovereignty.

Impact on Privacy and Encryption

  • Rule 22 restricts companies from disclosing government requisition requests if it affects national security.
  • Raises concerns about compromising end-to-end encryption, as highlighted by WhatsApp.

Experts’ Criticism

  • Advocates argue these powers can lead to misuse, enabling surveillance.
  • Contradicts the 2012 recommendations of the Group of Experts on Privacy advocating transparency in interception orders.

Impact on Industry and Commercial Interests

Operational Impacts

  • Localisation mandates pose challenges for global tech firms managing cross-border operations.
  • Smaller companies and startups face high compliance costs.

Stifling Innovation

  • Regulatory uncertainty could deter investment and stifle innovation.
  • Companies may focus more on regulatory compliance than growth and innovation.

Way Forward and Recommendations:

Transparent Public Consultation

  • Transparent consultation processes involving civil society and industry stakeholders are essential.
  • Draft rules should be scrutinized by a parliamentary standing committee.

Safeguards Against Overreach

  • Introduce checks and balances on government powers to avoid misuse.
  • Implement safeguards like those in the IT Act, 2000, ensuring citizen rights.

Support for Industry Compliance

  • Clearer guidelines and support mechanisms for businesses, particularly startups.
  • A balanced approach that ensures data privacy, national security, and economic growth.

Conclusion:

The draft rules aim to strengthen data governance but face criticism for potential privacy violations, operational hurdles, and executive overreach. A balanced approach with transparent consultations, safeguards against misuse, and support for industry compliance is essential to achieve a robust and equitable data protection framework.

Source: TH

Mains Practice Question:

Q: Discuss the implications of the draft Digital Personal Data Protection Rules, 2025, on data localisation, privacy rights, and the tech industry in India. Suggest measures to ensure a balanced approach to data governance.