
Draft data protection rules can be improved

Jan 08, 2025 08:18 PM IST

Issues around over-breadth, clarity, and discretionary power being placed in the hands of State agencies call for wider discussion

On January 3, 2025, the ministry of electronics and information technology released the Draft Digital Personal Data Protection Rules, 2025, for public consultation. These rules are proposed to be enacted under the authority of the Digital Personal Data Protection Act, 2023, and in order to implement the provisions of that Act.

Children sit and play games on a mobile phone along the banks of river Ganges on a foggy evening in Kolkata, India, November 26, 2024. REUTERS/Sahiba Chawdhary (REUTERS)

The publication of the draft rules marks a significant milestone, as they are necessary before the Data Protection Act can actually be implemented in a way that effectively protects the rights of Indian citizens. With that said, however, in their present form, the rules suffer from various potential flaws, which might hamper the ability of the law to perform that function.

First, there is the procedure for the selection of the chairperson and members of the Data Protection Board (DPB) itself. The Data Protection Board is crucial to the functioning of the Act, as it constitutes, in essence, the infrastructure through which the law will be implemented. Potentially, and in many cases, the Board will be handling complaints against State organs for wrongful processing of data. In such a context, it is essential that the Board be adequately independent of the government. However, the Rules take forward the logic of the Act in setting up a procedure of appointment (through a search-and-selection committee) that is entirely under the control of the central government. The terms and conditions of the officers are also set within the rules, which makes them amenable to being altered through mere executive fiat. All of this raises doubts with respect to how independent the Board can truly be.

In this context, it is important to note the best practices of other jurisdictions. Many countries have entrenched the independence of data protection authorities or boards within the law to ensure that appointments and tenures are free of partisan political influence. Such authorities work as what are commonly known as “fourth branch institutions”; that is, a wing of the State that is separate from the legislature, the executive, and the judiciary, but performs vital functions in ensuring the implementation of rights, integrity and accountability in public functions. At the moment, under a combination of the Data Protection Act and the draft rules, the Data Protection Board falls short of being a genuine “fourth branch institution” — but there is still time to rectify this.

Secondly, the rules allow a very wide leeway to the State or its instrumentalities to process personal data to provide “any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds”. These are extremely wide categories, which risk undoing the fundamental premise of the law, which is that the consent of citizens is mandatory before collecting or processing their data. While in certain exceptional cases, it might be permissible to mandatorily collect data in violation of the right to privacy, the jurisprudence of the Supreme Court has made it clear that any such violation must take place strictly in compliance with the test of proportionality. The rules do not incorporate this test, and the safeguards they require (such as data minimisation) fall short of constitutional standards.

Thirdly, the rules provide for “reasonable security safeguards” that data fiduciaries must undertake with respect to data under their possession or control. However, a look at these provisions (under Rule 6) shows that they are not worded clearly and do little more than refer to appropriate measures or standards. Concerns of vagueness are present throughout the rules, including with respect to exemption provisions and data retention. When dealing with something as crucial as citizens’ right to privacy and informational self-determination in the digital age, it is of utmost importance that rules be framed in the most precise terms possible, and leave the least scope for discretion, as this lends itself to over-collection of data and potential abuse.

Finally, the provision of the rules with respect to children is problematic. Rule 10 requires data fiduciaries to ensure that “verifiable consent of the parent is obtained before the processing of any personal data of a child” and, furthermore, to undertake due diligence to ensure that “the individual identifying herself as the parent is an adult who is identifiable”. As the Internet Freedom Foundation has noted in its note on the rules, a requirement for age verification carries “the potential for mass surveillance with Government IDs linked to every user’s online credentials. These provisions also violate principles of data minimisation or retention limitations and risk over-collection and prolonged storage of personal data.”

It must be noted that in many ways, the issues with the rules replicate issues with the Data Protection Act, which were pointed out during the time when the Act was being drafted and deliberated upon. It was hoped that the rules would plug some of these gaps through more precise and narrower language. It is to be hoped that during this period of consultation, some of these issues will be brought to the notice of the ministry, and appropriate action taken, so that, in their final form, the rules come closer to a rights-protecting data regime.

Gautam Bhatia is a New Delhi-based advocate. The views expressed are personal.
