In 2023, the Digital Personal Data Protection Act (hereinafter referred to as the “DPDP Act”) was passed by Parliament. It was passed after questions were raised about the protection and regulation of data within Indian territory, with the aim of safeguarding the private sphere of citizens and pushing forward the idea of a ‘digital economy’.
In a country like India, data breaches have been a concern for decades. What has changed is the form the ‘data breach’ takes, which has widened from ordinary criminal dimensions to piracy and other unlawful activities across the country.
In response to the growing concern over data breaches, piracy, online/digital scams and similar incidents, the Central Government notified the DPDP Draft Rules under the DPDP Act, 2023. The Rules have been released for public consultation, and the public at large may submit suggestions and proposed modifications before the Rules are finalised. They have come after a long wait, but certain provisions appear to have been framed without regard to their consequences, and many experts in the field of data protection law have criticised them, saying that this may be an ‘overreach by the Rules and inconsistent with the provisions of the Act.’
Let us now examine the Draft Rules in the light of the Act and ask whether the Rules are feasible enough to tackle these challenges.
Digital Personal Data Protection Draft Rules: What Are the Sticking Points?
1. Draft Rules: A conflict between privacy and balance?
On January 3, the Union Ministry of Electronics and Information Technology (MeitY) notified and released the Draft Rules under the DPDP Act. The Rules comprise 22 provisions and 7 schedules, framed in accordance with the provisions of the DPDP Act.
The Rules talk about data fiduciaries, but who are they, and what does the term mean? The DPDP Act defines a data fiduciary as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. According to the Act, a data principal is the individual to whom the personal data relates; where such individual is a minor, the term includes the parents or lawful guardian, and where the individual is a person with a disability, it includes her/their lawful guardian acting on her/their behalf.
Digital platforms with millions of users and subscribers, like Facebook, Instagram, X, Amazon, Netflix and others will qualify as ‘data fiduciaries’ under the Rules and the Act.
2. Parental Control and Social Media?
The Rules, among other things, propose to mandate parental consent before data fiduciaries (such as social media applications like Facebook and Instagram) process the personal data of children, that is, minors below the age of 18 years. The Rule reads as follows:
"A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—
(a) reliable details of identity and age available with the Data Fiduciary; or
(b) voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the Central Government or a State Government with the maintenance of such details or a person appointed or permitted by such entity for such issuance, and includes such details or token verified and made available by a Digital Locker service provider."
However, the mandate on parental consent does not apply to data fiduciaries who are health professionals or mental health professionals, or who are engaged by educational institutions.
In a nutshell, the Rules say that if ‘A’, a child, wants to create an account or profile on any online platform (the Data Fiduciary), the consent of A’s parents will be required, and the platform will carry out the identification through the website where the profile or account is to be created.
This particular rule has been the subject of much discussion, as it directly undermines the private sphere of an individual. In India, the right to privacy is a fundamental right, recognised by the Hon’ble Supreme Court in its judgment in KS Puttaswamy vs. Union of India.
The Act emphasizes consent-based data processing, ensuring individuals retain control over their personal information. Noteworthy features include the introduction of rights such as correction, erasure, and data portability. It distinguishes between “data fiduciaries,” entities that collect and process data, and “data principals,” or individuals whose data is being handled.
A crucial conflict between safety and autonomy is brought to light by requiring parental consent for children. Teenagers frequently turn to social media for social contact, education, and self-expression—all of which are critical for personal development. Complete parental control runs the risk of denying young people these possibilities, particularly when family dynamics or socioeconomic circumstances make such consent impracticable.
3. Security safeguards?
Rule 6 of the Draft Rules states that a Data Fiduciary shall protect the personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security ‘safeguards’ to prevent personal data breach, which shall include, at the minimum –
(a) appropriate data security measures, including securing of such personal data through its encryption, obfuscation or masking or the use of virtual tokens mapped to that personal data;
(b) appropriate measures to control access to the computer resources used by such Data Fiduciary or such a Data Processor;
(c) visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence;
(d) reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, including by way of data backups;
(e) for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise, retain such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise;
(f) appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor for taking reasonable security safeguards; and
(g) appropriate technical and organisational measures to ensure effective observance of security safeguards.
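Clauses (a), (b), (c) and (e) of Rule 6 describe tokenisation and masking, access control, access logging and one-year log retention. The following Python example, written for this article rather than taken from the Rules or any vendor product, shows how those four safeguards fit together in a small personal-data vault; the class name, the roles and the 365-day retention figure are assumptions.

```python
"""Minimal model of four Rule 6 safeguards: tokenisation/masking (6(a)),
access control (6(b)), access logs for detecting unauthorised access (6(c))
and one-year log retention (6(e)). Illustrative example written for this
article; the class name, roles and 365-day retention figure are assumptions."""
import secrets
import time

# Rule 6(e): retain logs for one year; the 365-day figure is an assumption here.
RETENTION_SECONDS = 365 * 24 * 60 * 60


def mask(value: str, keep: int = 2) -> str:
    """Rule 6(a) masking: hide all but the last `keep` characters for display/logs."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


class PersonalDataVault:
    """Holds clear personal data only inside the vault; callers handle tokens."""

    def __init__(self, authorised_roles):
        self._store = {}                          # token -> clear personal data
        self._authorised = set(authorised_roles)  # Rule 6(b): who may detokenise
        self.access_log = []                      # Rule 6(c)/(e): access records

    def tokenise(self, value: str) -> str:
        """Rule 6(a): replace a personal-data value with a random virtual token."""
        token = "tok_" + secrets.token_hex(8)     # unguessable, unrelated to value
        self._store[token] = value
        return token

    def detokenise(self, token: str, actor: str, role: str, ts: float = None) -> str:
        """Return the clear value if the role is authorised; log every attempt."""
        ts = time.time() if ts is None else ts
        allowed = role in self._authorised and token in self._store
        # Log only the masked value, so the log itself does not leak personal data.
        self.access_log.append({
            "ts": ts, "actor": actor, "role": role, "token": token,
            "allowed": allowed,
            "value": mask(self._store[token]) if token in self._store else None,
        })
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not access {token}")
        return self._store[token]

    def unauthorised_accesses(self):
        """Rule 6(c): review step that surfaces denied attempts for investigation."""
        return [e for e in self.access_log if not e["allowed"]]

    def prune_logs(self, now_ts: float) -> int:
        """Rule 6(e): drop entries older than the retention period; return how many."""
        kept = [e for e in self.access_log if now_ts - e["ts"] <= RETENTION_SECONDS]
        dropped = len(self.access_log) - len(kept)
        self.access_log = kept
        return dropped


if __name__ == "__main__":
    vault = PersonalDataVault(authorised_roles={"support"})
    tok = vault.tokenise("9876543210")            # constructed sample phone number
    print(tok, vault.detokenise(tok, "alice", "support"))
    try:
        vault.detokenise(tok, "mallory", "marketing")
    except PermissionError as exc:
        print("denied:", exc)
    print("to investigate:", vault.unauthorised_accesses())
```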
Further, Rule 7 deals with intimation of personal data breach. It states that on becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any registered mode of communication.
Under Rule 7, the following things have to be communicated:
(a) a description of the breach, including its nature, extent and the timing and location of its occurrence;
(b) the consequences relevant to her, that are likely to arise from the breach;
(c) the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;
(d) the safety measures that she may take to protect her interests; and
(e) business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.
Further, besides the above communication to the affected Data Principals, on becoming aware of any personal data breach the Data Fiduciary shall intimate the Board of —
(a) without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;
(b) within seventy-two hours of becoming aware of the same, or within such longer period as the Board may allow on a request made in writing in this behalf,—
(i) updated and detailed information in respect of such description;
(ii) the broad facts related to the events, circumstances and reasons leading to the breach;
(iii) measures implemented or proposed, if any, to mitigate risk;
(iv) any findings regarding the person who caused the breach;
(v) remedial measures taken to prevent recurrence of such breach; and
(vi) a report regarding the intimations given to affected Data Principals.
4. Notice for consent?
The DPDP draft Rules also specify the contents of the notice to be given by data fiduciaries to obtain the informed consent of users (data principals) to process their personal data. The notice should give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum, —
(i) an itemised description of such personal data; and
(ii) the specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing.
A communication link to withdraw consent should also be given.
It further states that every Data Fiduciary shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data.
Lastly, it says that every Data Fiduciary and Consent Manager shall publish on its website or app, or both, as the case may be, the period under its grievance redressal system for responding to the grievances of Data Principals.
5. Processing of personal data outside India subject to restrictions imposed by Govt?
Transfer to any country or territory outside India of personal data processed by a Data Fiduciary—
(a) within the territory of India; or
(b) outside the territory of India in connection with any activity related to offering of goods or services to Data Principals within the territory of India, is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.
6. The Road Ahead?
Although there is a need to protect data across the country, such Regulations/Rules should at the same time keep in mind the balance between privacy and personal autonomy. The Rules are still open for public comments and can be modified/rectified accordingly; hence every citizen should come forward and send across their suggestions, because the Rules will directly affect the daily lives of everyone, from a small business entity to a teenager using Facebook or Instagram.
According to the Internet Freedom Foundation (IFF), the DPDP Rules are "too little, too vague and too late" and the provision is riddled with implementation challenges. In a statement issued by IFF, it fairly argues that the “requirement for Verifiable Parental Consent (“VPC”) for children’s data is contestable on multiple levels [Rule 10]. There seems to be no internet-wide age gating and only individuals who identify themselves as children require VPC. Hence, if the Government requires age verification (rather than self-declarations) to check if a user is a minor, it may in future require every online user to verify their age through Government credentials. This holds the potential for mass surveillance with Government IDs linked to every user's online credentials. These provisions also violate principles of data minimization or retention limitations and risk over-collection and prolonged storage of personal data.
The government can look into different frameworks in place of excessive regulation. Teaching young people about digital literacy and safe online conduct may enable them to use the internet in an appropriate manner. Platforms should be urged to include strong privacy controls and protections for younger users at the same time. In KS Puttaswamy v. Union of India (2017), the Supreme Court acknowledged that everyone's right to privacy is essential to their autonomy and sense of dignity, including children.
(Areeb Uddin Ahmed is an advocate practicing at the Allahabad High Court. He writes on various legal developments. This is an opinion piece, and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)