Draft Digital Personal Data Protection Rules 2025 will only be a nominal checkbox: Apar Gupta
On January 3, 2025, the Union Ministry of Electronics and Information Technology (MeitY) released the long-awaited draft ‘Digital Personal Data Protection Rules, 2025’ and invited feedback or comments before January 18, 2025. The draft rules will help implement the Digital Personal Data Protection Act, 2023, after it was approved by the President on August 11, 2023.
Down To Earth spoke with Apar Gupta, co-founder of New Delhi-based non-profit The Internet Freedom Foundation, about the need for data governance, what the Act and the recent draft rules mean for people, and why people should actively engage in it. Excerpts:
Rohini Krishnamurthy (RK): What is the Digital Personal Data Protection Act, 2023, and why should people be more concerned about the recent draft rules?
Apar Gupta (AG): Every person is a data point today. This is in the sense of their personal data including name, age, gender; or even inferential data such as if you are availing a subsidy or ration, whether you are below the poverty line or what is your eligibility for a scheme. For people in urban households, this could include details on whether you are using apps to order food. This data is being used by both the public and private sector to make choices on your behalf. This makes data governance necessary.
This data governance framework is largely defined by the personal data protection act, which is a parliamentary legislation. And the rules to enforce them called the draft ‘Digital Personal Data Protection Rules, 2025’ have been put to public consultation [on January 3, 2025]. This is why I think more people need to be engaged in this process. It is just not about technical experts, policy wonks or lawyers. It is about every person in India, virtually.
RK: What is the current state of personal data protection in India?
AG: At present, a person might not have adequate knowledge on why their personal data is being collected and whether they have the opportunity of refusing to share it or not, or under which conditions it will be stored and with whom it will be further shared. This has led not only to people lacking a public and a private boundary, allowing every detail of a person being available on Google, but it has enabled a vast industry of advertisement, which microtargets and then uses that information to make giant dossiers on the habits and the characteristics of each person. But over and above that, it is also the government which holds a massive amount of personal information about its citizens. This means more surveillance or political control. It could also affect people’s lives. A large part of India relies on some subsidies, benefits, rations, or they might have a complaint that their personal data is not accurately reflected in the official record. Here, our data protection law offers them the ability to ask for a right of modification and correction based on them having a legal right.
This is what has been missing. Even today, there is a large vacuum in India in the way our personal data is being governed. That is because the Digital Data Protection Act is not enforceable in a way that allows people to seek actual remedy. It is leading to a large deprivation of our own sense of power or autonomy to make choices.
People need to also consider that data protection is just not about privacy. It is about the wider entitlement of choices, which are determined based on your personal information today. It is not about the debate that I have nothing to hide or that government surveillance on me may not impact me. Rather, it is about a wider canvas which impacts all of us in a digitised society. For instance, there has been a sharp rise in cybercrimes. People can pose as trusted representatives of service providers such as banks or financial institutions and based on the information available to them about a potential victim, they can siphon off money from their bank accounts, withdraw their savings, break fixed deposits, or even impersonate their identities. This is one very tangible way how data today is a commodity.
RK: There have been different iterations of the Act. How have they evolved over the years?
AG: The bill was passed by Parliament in 2023. I, including several other experts, questioned it for being excessively vague. The Centre explained that this vagueness was present in the law because it would permit flexibility in its application.
Now, the problem with a vague law is that its enforcement is uncertain. The protection it provides people and the exemptions it provides businesses — both are up to the government’s discretion without any foundational principle attached to it. For instance, the government could determine that there will not be any kind of user rights for a certain class of data, or a government department can be completely exempted from the application of the bill without any guiding principles within the legislation. In this case, the law does not work in favour of the people for whom the law has been made. At its very root, data protection is about protecting people and their personal information. That is the foundational objective behind the legislation.
The data protection regime, as it is evolving in India, seeks to preserve the status quo in a way that companies are not impacted. Any kind of compliance will add to their costs and will reduce the innovation. But an effective data protection regime will require them to provide notices, get consent, etc. This, for companies, is a cumbersome and expensive process, which reduces their efficiency. The same holds true for the government, which seeks to use more of our data for beneficiaries’ schemes, but also in a way mapping out people for purposes of political control, which I have criticised quite often in my columns. I have shown how it has been happening. For instance, the government has routinely put out tenders to gather information and create dossiers about our online activity through social media hubs being created. This enables them to catalogue each person participating on a social media networking platform, what kind of post they do, etc.
The current Digital Data Protection Act is excessively vague. It allows for a large amount of government exemptions, does not have a regulatory body, and permits the government to exempt certain businesses from compliances under it. So, I think, it does not work in the favour of the people for whom the intended legislation has been made.
RK: You have also expressed concerns over the way the draft rules have been opened for consultation.
AG: Yes. The consultation notice by the Union Ministry of Electronics and Information Technology states that the comments will be received and kept in a fiduciary capacity [comments from various stakeholders will not be disclosed]. This means that the comments will not be shared or be made public either proactively by the government or by anybody making an application under the Right to Information Act.
In a way, we do not know how the choices for the enforcement of the law have been made in the rules, what changes will be made, who said what, and what was the reasoning behind those changes. This is why I think the consultation process lacks transparency.
RK: What are some of the other concerns about the draft rules?
AG: The data protection board is an authority that has been created under the principal Act, which is to adjudicate any complaints made on data breaches. So, if somebody is in contravention or is not in compliance with the protections under the Digital Data Protection Act, you can register a complaint with the data protection board. This data protection board is not an independent authority for adjudication because it does not have any autonomy and is appointed, selected, and its tenure and service conditions are determined by the central government.
There will be issues from the very selection process, which could open up questions about the level of political control, which is also there in other bodies, where the central government selects committees, appoints chairpersons and other members, or how will it deal with complaints of data breaches which are made against other public authorities like the home ministry or the Unique Identification Authority of India (UIDAI). There is a large amount of legitimate concern on the data protection board and its potential lack of ability to be an independent adjudicator for enforcing the law.
RK: What about data breaches linked to multinational companies?
AG: There are requirements for data localisation, where the government may prevent data transfer from India to an offshore site for processing. This will impact multinational companies. But that again is left to be determined by the government. How will it [the government] seek to enforce the law? There is a lack of clarity.
RK: Do the Act and rules deal adequately with issues like the 2018 Cambridge Analytica controversy?
AG: The personal information of Facebook users was utilised by Cambridge Analytica [a now defunct British political consulting firm] without their knowledge. Information on the characteristics and activity on Facebook was then used by political parties for microtargeting those users with political messages. Now, this law does provide you the ability of providing a notice or knowledge about information being used only for a specific purpose. But the question remains on how it will be made operational. So, you can say it is dealt with within the ambit of the law. But will this be enforced is a big question, and an even bigger answer to that would be a ‘No’.
This is because there is no regulatory body which has been created under the legislative framework that can issue standards, conduct investigations, and can potentially prevent this from happening through proactive suo motu action. The data protection board is the only adjudicatory authority. You must go to it and make a complaint. But how can an individual do that given that they may lack the ability, the resources, and the know-how to research this?
RK: What happens if the rules are applied as is?
AG: If the rules are accepted the way they are, the status quo will continue to remain. So, there will be no tangible data protection law under which an ordinary person in India can seek redress. Even when a person wants to make a complaint for a data breach, it will go to a data protection board, which will lack independence. My takeaway from this is that the Data Protection Act 2023 and the Data Protection Rules will only be a nominal checkbox, in a way in which India can claim it has a data protection law.
But for all practical purposes, that law does not offer any real remedy or redress, or set up a system of regulation in India.