Finally, a legal framework for data protection in India
Updated - January 06, 2025 at 10:02 PM.
After much delay, India has finally unveiled the draft Personal Data Protection Rules at a time when digital technologies have become deeply intertwined with people’s lives, and frequent data breaches and rising cyber frauds have become commonplace. The journey to these rules has been protracted, marked by significant delays and revisions, underscoring the complexity of balancing individual rights with the needs of a rapidly evolving digital economy. However, the culmination of this process is a welcome development, finally providing a legal framework for data protection.
The rules do provide individuals with some control over their personal data. A significant provision is that personal data must be collected and used only with explicit consent from the data principal, i.e., the individual. In addition to this, principals are empowered to request the deletion of their personal data. Data fiduciaries, or those who collect and process this data, are now required to inform individuals of the specific purpose of using their data. They cannot retain the data for more than three years, and principals must be informed 48 hours before its deletion, with the option to review it. Further, the rules offer protection to vulnerable groups such as children and individuals with disabilities, requiring explicit consent from legal guardians before collecting their data.
However, the draft rules also raise concerns, especially regarding the balance between individual rights and government powers. In several crucial areas, the rules fail to meet the constitutional requirements set out by the landmark 2017 KS Puttaswamy judgment, which upheld privacy as a fundamental right. The new rules allow the government to call for information from data fiduciaries without requiring written justification, unlike the safeguards that apply to interception orders. This broad, unregulated access undermines the privacy of individuals and could lead to state-sponsored surveillance without sufficient oversight. Additionally, there is no clear timeline for notifying individuals about data breaches or for responding to their requests for grievance redressal. While companies are required to inform the Board about breaches within 72 hours, individuals only need to be informed “to the best of your knowledge, without delay”.
Another key concern lies in the proposed structure of the Data Protection Board. The Chairperson and members of the Board will be appointed by a committee headed by the Cabinet Secretary, and their terms of service will be determined by the government. This raises concerns about potential conflicts of interest, particularly when the government itself may be the subject of an investigation. Furthermore, the Board lacks regulatory powers and is primarily limited to adjudicating complaints, leaving it unclear how it will enforce the rules effectively. While these concerns must be addressed, the very fact that the government has introduced these rules is a step in the right direction. The law should essentially focus on data user behaviour.