January 9, 2025
📰 FEATURE STORY
Are the draft Digital Personal Data Protection (DPDP) rules robust enough?
Rapid digitisation has made data privacy and online security essential goals. Governments and policymakers worldwide have been racing to catch up. Whether it be the corporate ecosystem, government services, or consumer purchases, there has been an exponential increase in the creation and collection of personal data. This calls for laws to protect this data.
In India, the protection of personal data is more voluntary than mandatory since there aren’t structured data privacy laws. That’s about to change. The government has released the draft Digital Personal Data Protection (DPDP) rules, 2025, to facilitate the implementation of the Digital Personal Data Protection (DPDP) Act, 2023. But are the rules robust enough?
Context
First things first, for a country that’s among the top 3 in internet users, there’s a critical need for data privacy and security legislation. Given the amount of data being shared directly or indirectly by people with various entities, users should have autonomy and control over their data.
The Indian government has recognised this, though formulating legislation has been slow. In 2008, an amendment to the Information Technology Act of 2000 was proposed. Section 43A states that companies must protect all sensitive personal data and information.
Then came the IT Rules of 2011, which specified minimum data protection standards, including requiring companies to have a privacy policy and obtain consent when collecting or transferring sensitive personal data.
Things escalated in 2017 with the Supreme Court judgment in K.S. Puttaswamy v. Union of India, widely known as the “Puttaswamy Judgement”. Simply put, the verdict recognised privacy as intrinsic to the right to life and liberty guaranteed by Article 21 of the Constitution.
The judgment touched upon protections for people in the private sphere. It linked privacy to individual dignity and the State’s responsibility for maintaining and preserving it. This led to the formation of the Srikrishna Committee, which floated the Draft Personal Data Protection Bill in 2018.
Based on feedback, the Personal Data Protection Bill was introduced in Parliament in 2019. Due to challenges in its implementation, the Bill was sent to a Joint Committee of Parliament, which spent the next two years deliberating. In 2021, it submitted the revised report, and the legislation was now called the Data Protection Bill 2021.
Last week, the government released the draft DPDP rules. They touch upon aspects like processing personal data for subsidies, benefits, and services, processing personal data of kids or persons with disabilities, setting up a data protection board, procedures for appeal, etc.
Are the rules enough for this day and age?
VIEW: They’re quite thorough
The release of the draft rules ushers in a new era for data protection in India. It’s a significant move towards strengthening India’s data protection landscape. For starters, the rules outline a staggered approach to implementation. This will allow businesses to adapt gradually. A notable aspect is the formation of a Data Protection Board (DPB). It’s a digital office that will investigate breaches, conduct remote hearings, and impose penalties. It can be a formidable regulatory body for data protection.
With more kids and youngsters using the internet than ever, they should be kept safe online. The rules state that processing kids’ personal data requires verifiable consent from a parent or guardian. Once a child informs the entity that they’re a minor, the company, such as Meta or X, should enable their parent to identify themselves. The companies will be required to publish and maintain a grievance redressal system.
The draft rules provide businesses with much-needed direction on compliance. Data fiduciaries, i.e. entities that handle information and manage an online platform, must perform a Data Protection Impact Assessment (DPIA) and annual audit and submit the findings to the DPB. Cross-border data sharing has additional oversight. A committee could recommend that certain personal data can’t be transferred outside India. Broadly speaking, the rules thread the needle between privacy rights and not stifling business innovation thanks to a flexible approach.
COUNTERVIEW: Plenty of holes
The release of the draft rules has been a long time coming and a necessary first step. However, the government hasn’t been very transparent in the rule-making process of such a crucial policy. Since the Justice B.N. Srikrishna committee was formed to draft the first Bill for data protection, the government hasn’t released the recommendations from stakeholders to the public. In several instances, the rules don’t meet the constitutional requirements set out by the Puttaswamy judgment.
Take data fiduciaries, for example. The government can ask for data from them without written justification. Why should companies be mandated to hand over information without reason? This could lead to state-sponsored surveillance. While the idea of a DPB is good, the fact that its Chairperson and members will be appointed by a committee headed by the Cabinet Secretary and their terms of service decided by the government could result in conflicts of interest if the government is under investigation. The DPB doesn’t have regulatory powers and is limited to adjudicating complaints.
Several aspects of the rules are vague and inadequate. The Internet Freedom Foundation noted that “reasonable safeguards” and “appropriate measures” are used without much elaboration. The rules don’t have any internet-wide age gating. Anyone identifying themselves as a kid will require parental consent. This means every online user will have to use government credentials for verification. What’s more pressing is that the government is given significant discretionary authority on data processing standards and determining exemptions.
Reference Links:
- Personal Data Protection Bill (PDPB) – India’s emerging privacy paradigm – Ernst & Young
- DPDP Rules 2025: India’s Push for Clearer, Simpler Data Privacy Policies – Entrepreneur India
- DPDP: Here is how India’s new data protection rules will protect children online – The Week
- Draft DPDP Rules 2025: A closer look at the hits and misses – Fortune India
- Draft DPDP rules spark debate among Indian LLM stakeholders – Businessline
- Internet Freedom Foundation’s statement on the Draft Digital Personal Data Protection Rules, 2025 – Internet Freedom Foundation