No secret affair: on the  draft Digital Personal Data Protection Rules, 2025

The deliberations on the draft Digital Personal Data Protection Rules, 2025 must be transparent 

The draft Digital Personal Data Protection Rules, 2025, is a long overdue advance in the direction of enforcing the fundamental right to informational privacy for Indians, affirmed by the Supreme Court of India in the landmark case, Justice K.S. Puttaswamy vs. Union of India (2017). The Digital Personal Data Protection Act, which these draft rules seek to enforce, was passed in Parliament over a year ago. This seven-year wait has most likely not been without costs for the privacy of the data of Indians, as it coincided with a period that saw a rapid growth in digitisation. The proposed rules offer direction on how online services will be required to: communicate the purposes of their data collection to users; safeguard children’s data online; establish the Data Protection Board of India (DPBI); set the standards for government agencies to follow to be exempt from the Act’s provisions, and spell out the procedures to be observed if personal data is breached by a data fiduciary. The concerns regarding the proposed DPBI’s institutional design have not been resolved by these proposed Rules, and it may not be realistic to expect such an outcome from subordinate legislation.

It is regrettable that the government continues to cloak the rule-making process of a critical policy such as this in secrecy. Since the Justice B.N. Srikrishna committee was convened to draft the first Bill for data protection, the government has consistently declined to place recommendations from stakeholders in the public domain, and has foreclosed such disclosure for these draft rules as well. For legislation where the stakes are high for individual users as well as for large technology firms, an open deliberative process is essential. It can only be facilitated when industry associations and the general public can find equal footing by being equal participants with transparency into each other’s viewpoints during the consultation process. In the short and medium term, it is essential for the government to proceed with these principles in mind, while never departing from the key aims of any data protection law: minimising data collection, promoting disclosures, penalising neglect in protecting user data, and discouraging surveillance practices, both by the private sector and the government. This process must also play out in a timely fashion, as Indians have been waiting far too long to finally obtain the rights that were affirmed for them in 2017. Else, people’s confidence in the government’s seriousness about protecting their data from government agencies as well as private enterprises would be shaken.

Published - January 06, 2025 12:20 am IST