Given the spate of digital frauds based on leveraging user data for trapping unsuspecting citizens into “digital arrests” and myriad such crimes, there is an enhanced concern over how people’s data is used and leaked. And therefore, the rapid digitization of India’s economy and society has necessitated robust mechanisms to protect personal data and ensure privacy. To address these challenges, the Indian government introduced the draft Digital Personal Data Protection (DPDP) Bill, 2023. The framework seeks to address the need to balance individual privacy rights with the innovation and growth potential of the digital ecosystem.
The draft of the rules as envisaged under different sections of the Act have now been made and is open to public feedback. The Rules provide for the necessary details and implementation framework of the Act.
So who does the rules apply to? The DPDP Bill applies to the processing of digital personal data within India and also to entities outside the country if their processing activities target individuals in India. This extraterritorial application is intended to safeguard Indian citizens from misuse of their data by foreign entities.
The draft rules emphasize obtaining clear, informed, and specific consent from individuals before collecting or processing their personal data. Consent must be revocable at any time, empowering individuals to exercise control over their information.
The rules provide for a safer operating environment to individuals and provides for several rights, including the right to access and correct their data, the right to data portability, the right to erasure of data in certain circumstances and the right to be informed about data breaches affecting them.
The bill differentiates between data fiduciaries, who determine the purpose and means of data processing, and data processors, who process data on behalf of fiduciaries. Both entities have distinct responsibilities, with fiduciaries bearing the primary accountability for compliance.
Clearly, the draft rules enhance personal privacy by granting individuals greater control over their data. They empower users to make informed decisions about how their data is used and provide mechanisms to address grievances effectively.
However, some concerns have been raised from a few quarters. Telecom companies have raised the concern that clauses around transferring personal data outside of India may affect International Long Distance calls (ILD) and sending text messages overseas or even sending whatsapp messages to international numbers. However, such “transfer” of data would clearly be with the consent of the Data Principal (i.e. the owner of the data), and a few tweaks to the clickwrap agreements would ensure alignment to the proposed rules. Therefore, such concerns are not unsurmountable or are a major roadblock.
Some others have the view that the compliance costs for telecom companies and other Significant Data Fiduciaries would go up, and such costs will be passed to the consumers in the form of tariff hikes. Given the costs that individuals and society has to bear for unsanctioned use of personal data, leading to frauds and impact on lives of people, a marginal increase in cost of transactions, if any, is something that can be borne. There cannot be enhanced protection of personal data without a cost. However, such a cost is expected to be insignificant to consumers.
While the framework imposes compliance costs, it also creates opportunities for businesses to build trust with consumers by adopting transparent data practices. The rules align India with global data protection standards, facilitating smoother international collaborations.
There is also a fear of reciprocal regulations by other countries, thereby impacting Indian businesses. But then again, such regulations such as the European GDPR already puts restrictions on how data of Europeans living within Europe and also living outside Europe, are to be processed.
It is important to understand that when our data moves outside of our shores, entities managing such data are not under the jurisdiction of the Indian government. Therefore, none of the Indian regulations, including the data protection rules, are applicable on such entities, thereby limiting the ability of the Indian government to enforce its will and protect its citizens. Hence the draft rules proposing that certain data must stay within the Indian borders is not necessarily for data protectionism but it is for the safety of the citizens.
Another aspect of the regulation that is being applauded is the mechanism to age-gating by using educational institutions, thereby ensuring that the parental consent is verifiable.
At the end of the day, the Data Protection Rules strengthens India’s position as a digitally sovereign nation. By regulating data flows and safeguarding citizens’ information, the government aims to create a secure and inclusive digital environment.
The draft Data Protection rules mark a critical step towards building a secure and accountable digital ecosystem in India. While the framework promises to empower individuals and foster trust, its success hinges on effective implementation, clarity in provisions, and collaboration between stakeholders. As the rules undergo further deliberation, it remains essential to strike a balance between safeguarding privacy and enabling economic growth in the digital age.
Jaijit Bhattacharya, President, Centre for Digital Economy Policy Research
