PYQ Relevance: Q) Impact of digital technology as a reliable source of input for rational decision making is a debatable issue. Critically evaluate with suitable examples. (UPSC CSE 2021)
Mentor’s Comment: UPSC mains have always focused on topics like ‘Impact of digital technology’ (2021) and ‘N. Srikrishna Committee Report’ (2018).
According to the AuthBridge Report in 2024, the average cost of a data breach in India reached ₹19.5 crore ($2.35 million), reflecting a 9% increase from the previous year and a 39% rise since 2020.
Today’s Editorial focuses on the present Data Protection law passed by the legislators. While the Digital Personal Data Protection (DPDP) Rules, 2025 represent a significant step forward, they require adjustments to ensure effective implementation and protection of individual rights without stifling innovation. This content can be used for – data privacy issues in India, e-governance and cross border mechanism in your Mains Answer Writing.
Let’s learn!
Why in the News?
On January 3, 2025, the MeitY released the much-anticipated Draft Digital Personal Data Protection (DPDP) Rules — a key moment in India’s journey to regulate digital personal data.
- This step follows the passage of the DPDP Act, 2023, bringing India closer to operationalising its framework for safeguarding personal data.
Key highlights for Draft Digital Personal Data Protection (DPDP) Rules, 2025 are as follows:
- Citizen-Centric Framework: The rules prioritize citizens’ rights, allowing them to demand data erasure, appoint digital nominees, and manage their data through user-friendly mechanisms provided by data fiduciaries (entities that process personal data).
- Consent Mechanisms: Data fiduciaries must obtain informed consent from individuals before processing their data, providing clear information about data usage and allowing easy withdrawal of consent.
- Data Erasure and Retention: Data can be retained for up to 3 years from the last interaction with the user, with a requirement for prior notification before data erasure.
- Digital-First Approach: The rules advocate for a “digital by design” framework, establishing a Data Protection Board of India (DPBI) that will handle grievances and ensure compliance through online mechanisms.
- Graded Responsibilities: Different obligations are set for various entities based on their size and impact, easing compliance burdens for startups and small businesses while imposing stricter requirements on larger platforms.
- Public Feedback: The Ministry has invited public comments on the draft rules until February 18, 2025, aiming for an inclusive approach to law-making.
About the Digital Personal Data Protection (DPDP) Act, 2023 and the key features include:
- Consent Requirement: Organizations must obtain explicit consent from individuals before processing their personal data, with limited exceptions for specific legitimate uses.
- Data Fiduciaries’ Obligations: Entities handling personal data (data fiduciaries) are mandated to ensure data accuracy, security, and deletion after the purpose is fulfilled. They must also report data breaches to the Data Protection Board (DPB) within 72 hours.
- Rights of Individuals: Individuals have rights to access, correct, and erase their data, as well as to seek grievance redressal.
- Data Protection Board: The DPB will oversee compliance and address grievances regarding data processing practices.
- Border Data Transfer: The Act allows for the transfer of personal data outside India, subject to government restrictions.
The DPDP Act aims to balance individual privacy rights with the need for data processing in a digital economy, marking a significant step in India’s approach to data protection.
How Pragmatic is the present Data Protection law?
- Simplicity Over Complexity: India’s rules focus on clear and straightforward consent processes, reducing “consent fatigue” that users experience in Europe due to excessive details.
- Outcome-Based Framework: Instead of strict regulations on how to present information, the DPDP Rules allow businesses to decide how to inform users about their rights, promoting innovation and respecting business autonomy.
- Children’s Data Protection: The rules provide stricter protections for children’s personal data but also recognize the value of monitoring in educational contexts. Certain sectors, like educational institutions and healthcare, are exempt from needing parental consent for tracking, as long as they follow specific guidelines.
Did you know?
- While the EU’s General Data Protection Regulation (GDPR) was initially praised, it now faces criticism for favoring large corporations and not effectively building public trust.
- In contrast, India is adopting a more pragmatic and balanced method with this present Digital Personal Data Protection Act (DPDPA), aiming to protect individual privacy without imposing overly strict regulations that could hinder smaller businesses.
- This offers a refreshing alternative to Europe’s more interventionist policies.
What are the limitations and flaws in the present law?
- Complexity in Cross-Border Data Flow: The draft rules introduce complications regarding cross-border data transfers, imposing localization mandates on Significant Data Fiduciaries (SDFs) that may exceed the original intent of the legislation.
- Regulatory Arbitrage Risk: Differentiating between SDFs and smaller entities creates potential for smaller businesses to exploit relaxed rules, leading to unfair advantages and possible deterrents to investment in India.
- Law Enforcement Challenges: The push for data localization stems from law enforcement’s need for access to cross-border data, but a more targeted approach could be more effective than a blanket regulation.
- The rules lack clarity on how businesses can verify the legitimacy of user information requests and do not address excessive or unfounded requests for data.
- Sensitive Business Data Concerns: Uncertainty exists regarding government access to sensitive business data, raising concerns about the protection of trade secrets and competitive information.
- These issues highlight the need for improved procedural safeguards to ensure that businesses can protect sensitive information while complying with regulations.
What should be the way Forward?
- Importance of Compliance: Businesses should view compliance with data protection laws as essential for protecting their reputation and ensuring operational continuity, rather than just a regulatory obligation.
- Need for Evolving Privacy Frameworks: India must move beyond traditional notice-and-consent mechanisms to better protect citizens’ privacy, especially in environments where consent is difficult to obtain.
- With advancements in IoT, 5G, and AI leading to increased data collection, new privacy frameworks should focus on broader protections rather than solely relying on consent.
- Targeted Data Localization: The draft rules should consider a more targeted approach to data localization that addresses law enforcement needs without imposing excessive burdens on businesses.