The draft Digital Personal Data Protection Rules, 2025, are a significant move toward safeguarding India’s right to informational privacy, as recognized in the 2017 Justice K.S. Puttaswamy case. However, critics highlight challenges that still need to be addressed.
Background on Data Protection Laws in India
- 2017 – Justice K.S. Puttaswamy vs. Union of India Case: In 2017, the Supreme Court recognized the right to privacy as a fundamental right under the Indian Constitution in the landmark case of Justice K.S. Puttaswamy vs. Union of India.
- Digital Personal Data Protection Act: In 2023, India enacted the Digital Personal Data Protection Act to safeguard personal data.
- To implement this Act effectively, the government introduced the Draft Digital Personal Data Protection Rules in 2025, providing detailed guidelines for data protection.
- These draft rules are open for public consultation until February 18, 2025, allowing stakeholders to submit feedback before finalization.
Enroll now for UPSC Online Course
Key Provisions Introduced
1. Parental Consent for Children’s Data: Social media and online platforms must obtain verified parental consent before allowing children to create accounts, using government-issued ID proofs (e.g., Aadhaar) for identity verification.
- For instance, to create a Facebook account, a child’s parent must submit a valid Aadhaar card for consent.
- However, institutions like schools, healthcare providers, and daycare centers are exempt from these rules.
- For example, parental consent is not required when a school enrolls children in an online learning program.
2. Role and Responsibilities of Data Fiduciaries
- Data Fiduciaries: Entities that collect and process personal data.
- Significant Data Fiduciaries (SDFs): Organizations handling large volumes of sensitive data that could impact national security or public order. Example: Uber, Paytm, and other fintech companies.
|
- Data Retention: Data fiduciaries can retain user data only for the duration of consent.
-
- Once consent is withdrawn or the retention period expires, the data must be deleted.
- Security Measures: Data fiduciaries must implement security protocols such as encryption, access controls, and monitoring for unauthorized access to ensure data safety.
3. Consent Management
- Consent Managers: Entities responsible for managing user consent must ensure accurate verification and provide users with a mechanism to withdraw consent.
- They must also maintain detailed records of all users who have given or withdrawn consent.
- Grievance Redressal: Fiduciaries must address user complaints promptly and efficiently.
4. Data Localization: As per this provision, certain personal data must be stored within India and cannot be transferred abroad.
- A government committee will determine which categories of data (e.g., health or financial data) cannot be transferred outside the country.
Check Out UPSC CSE Books From PW Store
5. Data Breach Reporting: If a data breach occurs, fiduciaries must notify affected users and the Data Protection Board within 72 hours.
- They must disclose details such as the nature of the breach, the time it occurred, and the measures taken to mitigate it.
6. Safeguards for Government Data Processing: Government agencies must adhere to lawful procedures when processing citizen data, even when exemptions are made for national security or public order.
- For example, if the government uses citizens’ mobile data to track COVID-19 cases, it must ensure that the data is deleted once the purpose is fulfilled and is not misused for any other reason.
Associated Challenges
- Compliance Challenges: Platforms may need significant redesigns to manage user consent records and provide clear opt-out mechanisms.
- For instance, current opt-out options are often not easily visible on many apps, making it difficult for users to exercise their rights.
- Infrastructure Investments: Organizations may need to invest heavily in secure storage, data handling, and tracking mechanisms to comply with the new rules.
- Apps like Meta may need to build new data centers in India, which could impact service delivery times and increase operational costs.
- Ambiguity in Security Standards: Experts have pointed out that the rules lack specific guidance on security measures, leading to varying interpretations.
- For example, one company might encrypt only passwords, while another encrypts addresses and phone numbers as well.
- This inconsistency could result in uneven compliance. Therefore, clearer and more detailed security standards are needed to ensure uniformity.
Penalties and Enforcement
- Non-compliance with the data protection rules can lead to penalties of up to ₹250 crore.
- Repeat offenders may face suspension or cancellation of their licenses.
- For example, if a fintech app consistently fails to address user grievances or mishandles data, it could lose its operating license.
|
Enroll now for UPSC Online Classes
Conclusion
The government must act urgently to implement data protection laws, as Indians have awaited these rights since 2017, and further delays are unacceptable. Transparency is crucial; the lack of disclosure on stakeholder recommendations, since the Srikrishna Committee drafted the Bill, undermines public trust. To ensure effective data protection, the government must prioritize transparency, establish clear rules, and take timely action to safeguard privacy and maintain public confidence.
January 6, 2025
