Date: 2025-01-10

The new year indeed brought good tidings with the draft Digital Personal Data Protection Rules, 2025 being unveiled. The rules augur the possible implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act) shortly. Privacy was and continues to be our fundamental right, but we needed the instrumentality of law to ensure its effective enforcement. That which the Justice Puttaswamy privacy judgment of 2017 mandated was finally enacted under the DPDP Act in 2023, but the same could not be implemented for want of rules to enumerate modalities. Now the DPDP Rules have been opened for public consultation in January 2025, a year and four months since the DPDP Act was passed. The hope is that the DPDP Act will become effective without further delay.

With technology permeating every second of our lives, there is deep and constant surveillance of our actions on digital platforms, which results in individuals being targeted and profiled. An enactment that regulates personal data is, therefore, required to protect the fundamental right of privacy of individuals, against government and corporate surveillance, whilst enabling businesses to use the personal data they collect without infringing such privacy rights. The test of a sound personal data law, therefore, lies in the balance it brings to protecting our privacy, ease of implementation and the scope of its application.

The DPDP Act was made into a simple barebones draft with the promise of ease of implementation and clarity through rules, which were to spell out the privacy protections and lay down modalities for availing the same. This benchmark appears to be still elusive with the draft rules. The rules ought to not only set out specific modalities for enabling the implementation of the DPDP Act but also enumerate limitations and restrictions that the Act mandates to ensure the effective protection of rights.

The rules under the consent and accountability-based DPDP Act spell out modalities for notice for consent and consent managers. They elaborate purpose limitation, such as for personal data of children under the fourth schedule. The rules also make a feeble attempt at laying down modalities for personal data handling by the State, but these lack clarity and specificity. The same rules that explicitly set out category-wise time limitations for e-commerce, online gaming or social media intermediaries fail to enumerate purpose and time limitations or restrictions for the State in the usage of personal data collected. This is a critical gap that needs to be addressed. For instance, in 2021, the government publicly reported a revenue of about ₹100 crore from the sale of Vaahan and Saarthi data. This was personal data collected by the government to issue vehicle registration and driving licences; i.e., data that an individual entrusted to the government in furtherance of its regulatory function. Hence, restricting such acts through not only purpose limitation but an explicit restraint against exceeding purpose is critical when it comes to personal data collected by State agencies.

Age gating for children through parental consent and exemptions is well enumerated. However, the illustrations and the minister’s public statements indicate the use of both the child’s and parents’ verifiable information to determine age. Given the suggested options for age verification, it is equally critical to provide protective measures against corporate surveillance and restrain the use of data submitted beyond the purpose, including for deletions upon age verification and restraining profiling.

The possibility of data localisation by a committee of the Union government was a bit of a googly for technology companies. The clarification that has come from the ministry in this regard is that such localisation is likely to be sectoral and that the committee may comprise representation from industry. Such specificity, including the constitution of the committee and category for data localisation, must be captured in the rules to obviate uncertainty for the industry.

The absence of rules with respect to enforcing penalties does not in any manner dilute the same, as has been voiced by some. With the parent Act providing the penalties, the message is clear and unequivocal. The board is likely to set out further modalities. That which needs to be addressed in the rules, however, concerns compensation to victims.

One aspect that certainly needed specificity and clarity in the rules was the opt-out option for users, i.e., that users would not be refused a service merely because they may refuse consent for being tracked or profiled. Such clarity would have ensured protections for Indians on par with those of European Union citizens. This is a criticality that should be addressed under the ambit of Section 6 of the DPDP Act. These rules are not likely to be a catch-all, and there will be more to come from the board as well through further rules. But ensuring specificity and clarity under these rules before notification would further the cause of privacy and victim rights.

NS Nappinai is a senior advocate practising before the Supreme Court of India and Founder of Cyber Saathi. The views expressed are personal.