The Hindu Editorial Analysis- 13th January 2025 | Current Affairs & Hindu Analysis: Daily, Weekly & Monthly - UPSC PDF Download

India’s data protection rules need some fine-tuning

Why in news?

On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection (DPDP) Rules. 

• The DPDP Rules represent a shift from the earlier Personal Data Protection Bill, which was seen as overly restrictive. 

A Practical Approach to Data Protection 

• The DPDP Rules adopt a flexible and principles-based approach, unlike the European Union’s GDPR, which is more rigid. 
• GDPR has been criticized for benefiting big companies, hurting smaller businesses, and failing to build public trust in online data handling. 
• India’s rules avoid such issues by focusing on business flexibility and innovation.

Key Features of the Draft Rules 

Simplified Notice and Consent Framework 

• The rules focus on making consent clear and simple, avoiding unnecessary details. 
• Businesses only need to publish important information without following strict guidelines for user interfaces. 

Protection of Children’s Data 

• Children’s data is given stricter protection, but some industries like education and healthcare have been granted thoughtful exemptions. 
• For example, schools can track student behavior to improve learning without needing parental consent, as long as safeguards are in place.

Challenges and Concerns 

Data Localisation Requirements

• Large businesses, called Significant Data Fiduciaries (SDFs), may need to store data within India, which could discourage investment. 
• A sector-specific approach, like the RBI’s payment data rules, may work better. 

Ambiguities in Provisions 

• Businesses lack clarity on handling excessive or unreasonable data requests. 
• Concerns exist about whether the government can access sensitive business data and how it would protect trade secrets. 

Future Considerations

• In 2024, data breaches cost Indian businesses ₹19.5 crore on average, showing the need for better data protection. 
• India should explore privacy solutions beyond consent, especially with technologies like IoT, 5G, and AI collecting vast amounts of data. 
• Public consultations should refine the rules to balance flexibility, industry needs, and individual rights.

Conclusion 

• The DPDP Rules are a practical framework that supports innovation and economic growth while protecting personal data. 
• By addressing gaps and focusing on flexibility, India can create effective data protection laws without the issues seen in rigid global models like the GDPR.

Draft digital data protection rules and authoritarianism 

Why is it in the News?

 The draft Data Protection Rules, 2025 raises concerns about executive overreach, lack of transparency, and inadequate regulatory independence.

Reflections on Privacy

In August 2024, India commemorated six years since the K.S. Puttaswamy judgment, which reaffirmed privacy as a fundamental right. This exclusion underscores the necessity to address these issues in the ongoing discussions regarding the Draft Digital Data Protection Rules, 2025.

Executive Overreach and Lack of Transparency

• Rulemaking should ensure that laws passed by Parliament are enforceable while allowing for flexibility. However, the draft Data Protection Rules raise concerns about executive overreach and vague governance.
• The Digital Personal Data Protection Act, 2023 was enacted swiftly and criticized for undermining the democratic process.
• This Act grants the government broad discretion with unclear provisions, using vague phrases like “as may be prescribed.”
• The draft Rules were released 16 months after the Act’s passage, restricting public access and participation.
• Feedback submission is limited to the MyGov platform, lacking transparency regarding public comments or counter-comments.
• The consultation process resembles corporate consultations rather than genuine public engagement.

Structural Issues in the Data Protection Rules

Intentional Vagueness and Executive Dominance

• Compliance requirements outlined in the Rules are intentionally vague, leaving room for interpretation by companies or government discretion. 
• For instance, Rule 3 on consent notices mandates the use of “clear and plain language” but fails to provide a definition, leading to ambiguity in India’s diverse linguistic context.
• Additionally, the absence of specific timelines for data breach notifications poses risks to individual safety in critical situations.

•  The Act notably avoids the establishment of an independent regulatory body, consolidating power within the Union Government. 
•  The Data Protection Board (DPB), tasked with adjudicating data breaches, lacks the necessary independence. 
•  Concerns about political influence arise from the fact that the DPB chairperson is selected by a committee chaired by the Cabinet Secretary. 
•  Furthermore, DPB members are bound by government service conditions, undermining the board’s ability to act autonomously. 

Challenges in Accountability and Safeguards

•  Rule 5, which exempts data processing for subsidies from consent requirements, weakens accountability measures. 
•  The DPB may encounter difficulties in addressing complaints involving powerful entities such as the UIDAI, responsible for managing Aadhaar data. 
•  Rule 22 raises concerns about potential misuse by allowing the government to requisition information without clear safeguards in place. 

Conclusion

 The draft Data Protection Rules are perceived as delayed, vague, and inadequate in meeting India’s digital privacy requirements. The lack of transparency, clarity, and regulatory independence raises doubts about the framework's ability to effectively uphold individual rights in the digital realm.