Editorial #1: India’s data protection rules need some fine-tuning
India’s Digital Personal Data Protection Rules: Progress and the Need for Fine-Tuning
Context
The release of the Draft Digital Personal Data Protection (DPDP) Rules by the Ministry of Electronics and Information Technology (MeitY) on January 3, 2025, marks a significant milestone in India’s journey to regulate digital personal data. This development follows the enactment of the DPDP Act, 2023, steering India toward operationalizing a robust framework for personal data protection.
A Progressive Shift in Approach
Departure from Earlier Models
- Industry-Friendly Framework: The draft rules signify a clear departure from the Personal Data Protection Bill, criticized for being overly restrictive and detrimental to industry interests.
- Decade-Long Consultation: The earlier Bill underwent extensive consultations but was eventually withdrawn because it proved impractical, paving the way for a more pragmatic approach.
- Principles-Based Regulation: Unlike the prescriptive framework of the European Union’s General Data Protection Regulation (GDPR), India’s rules adopt a less interventionist, outcomes-based approach.
Critique of the GDPR and India’s Refreshing Alternative
- Limitations of GDPR:
  - Favours resource-heavy corporations, stifling smaller enterprises.
  - Has had limited success in enhancing public trust in the Internet.
  - Burdens users with consent fatigue through incessant notifications.
- India’s Measured Path: By avoiding the pitfalls of overly prescriptive regulation, India offers a nuanced alternative, balancing privacy and economic growth.
Strengths of the DPDP Rules
User Rights and Consent Mechanisms
- Simplicity Over Complexity: The rules simplify user rights, avoiding the cumbersome requirements seen in the GDPR.
  - Businesses need only publish relevant information online.
  - Mechanisms for correction, erasure, nomination, and consent withdrawal are outcome-focused.
- Reducing Consent Fatigue:
  - Unlike Europe’s issues with consent pop-ups, India’s framework respects user autonomy without inundating users with unnecessary details.
- Respect for Business Autonomy: By refraining from dictating app or website designs, the rules encourage innovation.
Protection of Children’s Data
- Stricter Safeguards: The rules impose stringent protections for processing children’s data, recognizing their unique vulnerabilities.
- Nuanced Exemptions:
  - Educational and health-care institutions, critical for children’s welfare, are exempted from obtaining parental consent for specific activities like behavioral monitoring.
  - These provisions reflect thoughtful, industry-specific policymaking.
Challenges and Areas for Improvement
Cross-Border Data Flow Restrictions
- Ambiguity and Complexity:
  - Rules governing data localization for Significant Data Fiduciaries (SDFs) introduce unnecessary ambiguity.
  - Differentiating between SDFs and smaller entities risks regulatory arbitrage.
- Investment Concerns: Localization mandates may deter foreign investment and increase compliance burdens.
Law Enforcement and Data Localization
- Challenges in Accessing Cross-Border Data:
  - Law enforcement agencies face difficulties in accessing data stored overseas.
- Need for a Proportional Approach:
  - The RBI’s 2018 mandate for localizing payment data serves as a model for targeted, effective regulation.
Procedural Integrity and Safeguards
- Verification Mechanisms:
  - Businesses require clear guidelines for verifying user requests to prevent abuse.
- Handling Excessive Requests: The draft rules lack provisions for managing incessant or unfounded user requests.
- Sensitive Business Data: Clarity is needed on the government’s access to sensitive business data and the safeguards against its misuse.
What Lies Ahead
- Evolving Privacy Frameworks:
  - With the rise of IoT, 5G, and AI, privacy frameworks must evolve beyond the traditional notice-and-consent model.
  - Reliance on consent in uncontrolled environments (e.g., malls or airports) is impractical.
- Economic Implications:
  - According to IBM, data breaches cost Indian businesses an average of ₹19.5 crore in 2024. Compliance should be viewed not merely as a regulatory obligation but as critical for protecting business continuity and reputation.
- Balancing Innovation and Rights:
  - Public consultations must refine the framework to ensure a balance between innovation, economic growth, and individual rights, a balance many jurisdictions have struggled to achieve.
Conclusion
The Draft DPDP Rules reflect a progressive step toward safeguarding digital personal data in India. However, fine-tuning is essential to address ambiguities, ensure procedural integrity, and balance security with economic competitiveness. As India refines its framework, preserving flexibility and accommodating industry-specific needs will be crucial to creating a model that respects individual privacy while fostering innovation and growth.
Editorial #2: The draft digital data protection rules will advance authoritarianism
India’s Draft Digital Data Protection Rules: A Path Toward Authoritarianism?
Context
The Draft Digital Data Protection Rules, 2025, arise from the Digital Personal Data Protection (DPDP) Act, 2023, a law perceived as a symbol of executive overreach. As India celebrated six years since the landmark K.S. Puttaswamy judgment, reaffirming privacy as a fundamental right, questions about its unfulfilled promise were starkly highlighted during the Internet Freedom Foundation’s annual “Privacy Supreme” event. At its heart lies the paradox: the promise of privacy juxtaposed with the centralization of state power in digital governance.
Concerns over Governance and Transparency
Executive Overreach and Democratic Deficit
- Subversion of Democratic Norms:
  - The DPDP Act, 2023, was passed in Parliament amidst allegations of bypassing proper legislative scrutiny.
  - Its provisions are deliberately vague, granting unchecked discretion under the phrase “as may be prescribed,” fostering state control rather than safeguarding individual rights.
- Delayed Implementation and Flawed Consultation:
  - Despite the Act’s swift passage in August 2023, its operationalization has been slow, with draft rules unveiled only after 16 months.
  - The consultation process is narrow, conducted via the MyGov platform, excluding broad public participation.
  - Lack of transparency: The government holds submissions in a fiduciary capacity, preventing public scrutiny or counter-comments and reducing the process to a controlled corporate consultation rather than an inclusive democratic exercise.
Substantive Issues with the Draft Rules
Ambiguity in Compliance and Enforcement
- Undefined Consent Standards:
  - Rule 3 mandates the use of “clear and plain language” for consent notices without defining these terms, creating ambiguity in India’s linguistically diverse landscape.
  - Generic or oversimplified notices may lead to inadequate user awareness.
- Data Disclosure Ambiguities:
  - While requiring an “itemized description” of data, the rules fail to clarify whether this refers to broad categories (e.g., health or financial data) or specific data points (e.g., account numbers or metadata).
  - The absence of timelines for data breach notifications poses risks for individuals in critical situations.
- Lack of Independent Oversight:
  - The Act eschews the establishment of an independent regulatory body, consolidating power within the Union Government.
  - The Data Protection Board (DPB), limited to adjudicating breaches, lacks autonomy because its members are central government employees.
  - The chairperson’s appointment process, overseen by a committee chaired by the Cabinet Secretary, raises concerns about political interference.
Structural Flaws and Impact on Citizen Rights
A Subservient Data Protection Board
- Limited Jurisdiction and Independence:
  - The DPB’s authority is constrained to determining breaches, with no power to impose meaningful accountability in cases involving government entities such as UIDAI (Aadhaar).
  - This compromises its ability to address grievances, including basic requests like correcting data records needed to access public welfare benefits.
- Exemptions and Accountability Challenges:
  - Rule 5 exempts data processing for subsidies from consent requirements, further eroding accountability.
  - Vulnerable groups reliant on government welfare are particularly at risk, with limited avenues for redress.
Unchecked Government Powers
- Rule 22 and Government Oversight:
  - Rule 22 grants the government sweeping powers to requisition information without sufficient limitations or safeguards, raising concerns over misuse.
  - This centralization of authority mirrors a broader trend of authoritarian control rather than a democratic approach to data governance.
Delay and Policy Gaps
- Implementation Lag:
  - The slow unveiling of the rules highlights inefficiencies, creating uncertainty for businesses and citizens alike.
- Transparency Deficit:
  - Failure to ensure open consultations undermines public trust in the policymaking process.
- Lack of Procedural Integrity:
  - Procedural ambiguities, particularly regarding safeguards for user rights, expose the draft rules to the criticism of being “too late, too little, and too vague.”
Conclusion
The Draft Digital Data Protection Rules, 2025, represent a significant moment in India’s digital policy landscape but are fraught with concerns of executive overreach, lack of transparency, and structural flaws. As social activist Nikhil Dey aptly framed it, the regime mirrors Humpty Dumpty’s cryptic reply in Through the Looking-Glass: “The question is… which is to be master—that’s all.”
For India to uphold the principles of the Constitution and the promise of the Puttaswamy judgment, its data protection framework must prioritize independent oversight, transparency, and the protection of individual rights over centralized state control. Only then can it strike a balance between innovation, efficiency, and the preservation of fundamental freedoms.