The mechanism for digital data protection—a matter of deep concern for both individuals and organisations—seems to be finally falling in place. On January 3, the electronics and IT ministry released the long-awaited draft Digital Personal Data Protection Rules 2025 for public consultation. The process so far has been slow and grinding. The first draft of the Data Protection Bill was introduced in 2018; but it was withdrawn soon after it faced serious criticism.
Then, without much discussion, the Data Protection Act was pushed through parliament and received the president’s assent in August 2023. Now, after 17 months, the crucial rules for implementation are being discussed. Data fiduciaries, or entities that collect and process data, must work with informed consent; in other words, they must provide clear and accessible information on how personal data is being processed.
The rules make an important statement on citizens’ rights, empowering them to demand data erasure after 3 years and appoint digital nominees. The protective scheme envisages the recognition of ‘consent managers’—companies that will work with fiduciaries to collect consent from users and inform ‘principals’ of the purpose for collection. Entities with a large threshold of users—such as e-commerce companies and gaming outfits with millions of subscribers—are labelled ‘significant’ fiduciaries who bear a higher degree of responsibility. Safety of children is an important feature. Consent of a parent is required before processing data of a child, while kids below 18 must seek parental consent to create a social media account.
There is, however, concern that overzealous government controls might upset the delicate balance between safeguarding individual data privacy and allowing free flow of information. For instance, the law gives a wide berth to government agencies to collate and store data without much accountability. The Internet Freedom Foundation has pointed out that the government’s ‘discretionary’ authority is substantial and undefined as in the case of rule 14, which permits ‘exemptions’; or rule 12(4), which allows the government to decide what data the significant fiduciaries must locally store. There are no safeguards against a clampdown on digital news flow in the name of ‘formal consent’ not being taken from individuals—an issue that has been flagged by the Justice B N Srikrishna Committee. Data protection is a new frontier and the fact that the government is taking measured steps suggests it is listening.