Draft Data Protection Rules – Satisfactory but Not Satisfying
The draft rules, as they stand, risk undermining the Fundamental Right of Privacy through unchecked government powers and inadequate safeguards.
Draft Data Protection Rules Published
The Digital Personal Data Protection Rules, 2025 mark India's earnest attempt to establish a comprehensive framework for regulating personal data in the digital age. While the draft rules lay a solid foundation, they fall short in crucial areas of safeguarding privacy and ensuring robust enforcement. Here’s a closer look at their provisions, critiques, and the path forward. It is hoped that the Central Government will take these concerns into consideration before finalizing and notifying the rules.
Overview of the Draft Rules
The draft rules cover a broad spectrum of data protection aspects, including:
Consent Management: Mandating registration and obligations for consent managers.
State Data Processing: Allowing state entities to process personal data for public purposes.
Security Safeguards: Requiring "reasonable" measures to protect data.
Data Breach Notifications: Obligating entities to report breaches within 72 hours.
Rights of Data Principals: Providing individuals rights to access, correct, and delete their data.
Children’s Data: Special provisions for handling minors’ data.
Cross-Border Data Transfers: Guidelines for international data movement.
Significant Data Fiduciaries: Imposing additional obligations on entities handling large-scale data.
Exemptions: Offering leniencies for research purposes.
Data Protection Board: Establishing a body to oversee enforcement and dispute resolution.
While these elements appear robust on the surface, a deeper examination reveals several shortcomings.
Key Critiques
1. Privacy Concerns and Overreach by the State
Broad Government Exemptions:
Rule 5 enables state entities to process personal data without explicit consent under the guise of delivering benefits or services. This sweeping exemption raises concerns about potential misuse, such as state surveillance and profiling, which could infringe on citizens' right to privacy.
Weak Checks on State Access:
Rule 22 empowers the government to demand personal data from fiduciaries with limited oversight mechanisms. The absence of strong safeguards could lead to disproportionate and arbitrary access by state agencies and, in the event of a data leak or breach, make it difficult to pinpoint and fix responsibility.
2. Inadequate Data Protection Measures
Vague Security Standards:
Rule 6 mandates "reasonable security safeguards" but fails to specify technical standards, leaving room for varied and potentially insufficient implementations.
Delayed Breach Notifications:
The 72-hour timeline for reporting breaches (Rule 7) may be too long in cases requiring immediate action, potentially exacerbating the impact of such incidents.
3. Weak User Rights and Consent Mechanisms
Limited Control Over Personal Data:
Rule 8 provides for data retention and deletion but lacks clear processes for users to exercise their "right to be forgotten," undermining the principle of data autonomy.
Inadequate Safeguards for Children's Data:
Rule 10’s provisions for processing children's data lack robust verification mechanisms, making it easier for entities to exploit minors' information.
4. Ambiguity in Cross-Border Data Transfers
Unclear Guidelines:
Rule 14 provides vague directives on cross-border data flows, potentially leading to excessive governmental control and uncertainty for businesses.
5. Lax Enforcement and Penalties
Insufficient Consequences for Violations:
The draft rules lack stringent penalties for serious breaches, creating a potential incentive for lax compliance among data fiduciaries.
Suggestions for Improvement
To address these concerns, the following changes are essential:
Strengthen Privacy Protections:
Clearly define "reasonable security safeguards" with specific technical standards.
Establish stricter oversight mechanisms for state access to personal data.
Narrow government exemptions under Rule 5 to prevent misuse.
Enhance User Rights:
Introduce straightforward processes for users to exercise their rights, including data deletion.
Implement stronger verification systems for children’s consent.
Improve Data Breach Response:
Shorten the 72-hour breach notification timeline to 24 hours for critical incidents.
Clarify Cross-Border Transfers:
Provide clear criteria for allowing or restricting data flows across borders, balancing privacy with business needs.
Bolster Enforcement:
Introduce heavier financial penalties and potential criminal liability for severe privacy violations.
The Fundamental Right to Privacy
The right to privacy, recognized as a fundamental right by India’s Supreme Court, forms the bedrock of personal liberty under Article 21 of the Constitution. The draft rules, as they stand, risk undermining this right through unchecked government powers and inadequate safeguards. Any limitations on privacy must adhere to constitutional principles of proportionality, necessity, and fairness.
Summing Up
The Digital Personal Data Protection Rules, 2025 demonstrate intent but fall short of delivering on execution. While they provide a much-needed framework, they fail to address critical loopholes that could compromise privacy. To truly protect citizens in the digital era, the government must consider these critiques and make meaningful amendments. Only then can these rules evolve into a comprehensive, effective, and citizen-centric data protection regime.