India’s Data Protection Rules Need Some Fine-Tuning
Jan. 13, 2025

Context

  • On January 3, 2025, India reached a significant milestone in its data protection journey with the Ministry of Electronics and Information Technology (MeitY) releasing the Draft Digital Personal Data Protection (DPDP) Rules.
  • This development follows the passage of the DPDP Act, 2023, marking a crucial step towards operationalising a robust framework for safeguarding personal data.
  • The draft rules symbolise a pragmatic departure from India’s earlier, more rigid data protection efforts, emphasising a balanced approach that avoids overreach while promoting flexibility.

India’s Journey Toward the DPDP Rules

  • The Fall of the Personal Data Protection Bill (PDPB)
    • The PDPB's downfall can be traced to its failure to balance privacy with economic and operational feasibility.
    • It sought to impose rigorous obligations on businesses, mirroring the European Union’s General Data Protection Regulation (GDPR) approach.
    • Although the GDPR was widely regarded as a benchmark for privacy laws, its rigid rules inadvertently created barriers to innovation and imposed significant compliance costs, particularly on small and medium enterprises (SMEs).
    • India's PDPB similarly drew concerns for being too interventionist and industry-hostile.
    • It mandated exhaustive consent requirements and strict data localisation, creating fears that the compliance burdens would deter foreign investment, stifle startups, and limit technological innovation.
  • The Shift to a Principles-Based Framework
    • The shift from the PDPB to the DPDP Act and its draft rules represents a fundamental change in philosophy.
    • Learning from the challenges of the PDPB and the limitations of global models like the GDPR, India adopted a less prescriptive, more principles-driven framework.
    • The DPDP rules focus on empowering users without micromanaging businesses, emphasising simplicity, flexibility, and proportionality.
    • This pragmatic approach reflects an understanding of India’s unique socio-economic and technological landscape.
    • Unlike the EU, where a mature digital economy can absorb the costs of stringent regulations, India’s ecosystem is characterised by diverse entities, ranging from multinational corporations to fledgling startups.
  • Avoiding the Brussels Effect
    • India’s decision to move away from the Brussels Effect, a global trend of replicating the EU’s interventionist regulatory ethos, is a notable aspect of this journey.
    • The EU’s GDPR, once hailed as a gold standard, has faced growing criticism for its unintended consequences.
    • These include favouring well-resourced corporations capable of absorbing high compliance costs, marginalising SMEs, and failing to significantly enhance public trust in digital platforms.
    • India has instead chosen a path that prioritises outcomes over processes.
    • By focusing on what needs to be achieved rather than dictating how to achieve it, the DPDP rules aim to minimise unnecessary complexity and compliance fatigue.

Challenges and Ambiguities

  • The Complexity of Cross-Border Data Flows
    • One of the most contentious provisions in the draft rules is the restriction on cross-border data flows, particularly the mandate for Significant Data Fiduciaries (SDFs) to localise certain data within India.
    • The DPDP Act allows the government to notify specific countries where personal data can be transferred, but the rules extend beyond this provision, introducing added complexities for SDFs.
    • Such localisation mandates can have far-reaching implications. For global businesses operating in India, maintaining separate infrastructure for data storage can significantly increase operational costs.
  • Gaps in Safeguards Against Misuse
    • The draft rules lack clarity on mechanisms to verify the legitimacy of user requests for information on data processing activities.
    • Without adequate safeguards, businesses may face a barrage of excessive or frivolous requests, diverting resources away from their core operations.
    • For example, malicious actors could exploit the lack of verification processes to overwhelm a company’s compliance infrastructure or gain access to sensitive information.
    • Furthermore, the rules do not specify whether businesses can charge a reasonable fee for processing such requests, especially if they are excessive or unfounded.
  • Ambiguity Around Government Access to Data
    • A particularly concerning gap in the draft rules pertains to the government’s potential access to sensitive business data.
    • While the rules grant the government the authority to demand information, they do not provide clear safeguards to protect this data from misuse or exposure.
    • For instance, businesses may have to share proprietary information, trade secrets, or confidential data with the government, raising questions about how this information will be protected from competitors or malicious actors.
    • The absence of specific provisions addressing these scenarios creates uncertainty and apprehension among businesses, particularly those operating in industries where intellectual property and trade secrets are critical assets.

Necessary Measures to Address these Challenges

  • Strengthening Procedural Clarity
    • A critical aspect of the way forward is to address the procedural gaps in the current draft rules.
    • Clear guidelines must be established to manage potential conflicts between user rights and business operations.
    • For instance, in scenarios where users request data correction or erasure, businesses need clarity on the extent of their obligations, especially if such requests conflict with operational or legal requirements.
  • Addressing Cross-Border Data Flow Concerns
    • The draft rules' provisions for restricting cross-border data flows require careful reconsideration.
    • While data localisation can address legitimate concerns around law enforcement access, it risks deterring foreign investment and stifling innovation if applied indiscriminately.
    • A more nuanced, sector-specific approach could provide a solution.
    • For example, the Reserve Bank of India’s 2018 mandate for payment data localisation struck a balance between regulatory oversight and business needs.
    • A similar strategy tailored to industries handling sensitive data, such as finance, healthcare, and national security, could address law enforcement concerns without burdening all businesses equally.
  • Rethinking the Consent Model
    • The reliance on the notice-and-consent model, while traditional, is increasingly inadequate in the face of modern technologies like IoT, AI, and 5G.
    • These advancements enable vast, often invisible data collection in public and digital spaces where obtaining informed consent is impractical.
    • To address this, India must explore alternative mechanisms that go beyond consent-based frameworks.
  • Anticipating Emerging Technologies
    • India’s data protection framework must also account for the rapid evolution of technology.
    • Innovations such as generative AI, augmented reality, and autonomous systems are redefining how data is collected, processed, and used.
    • The convergence of these technologies with 5G and IoT is creating a hyper-connected environment, increasing the complexity of privacy challenges.
    • Future-proofing the DPDP rules will require integrating flexible, principles-based approaches that can adapt to technological changes.

Conclusion

  • The Draft DPDP Rules mark a pivotal moment in India’s journey toward a modern data protection
  • However, their potential will only be realised if the government addresses the challenges, clarifies ambiguities, and prepares for the complexities of the digital future.
  • By focusing on innovation, ensuring procedural integrity, and building public trust, India can establish a framework that protects privacy while enabling economic growth and technological leadership.

 
