Data protection rules and Act, a net negative for privacy rights

Around eight years since the judgment of the Supreme Court of India in Justice K.S. Puttaswamy (Retd) vs Union Of India, upholding the fundamental right to privacy, the state of privacy law in India remains in limbo. Despite the Digital Personal Data Protection Act (DPDPA) having been notified in August 2023, its provisions remain inoperative due to the delay in the notification of the Digital Personal Data Protection (DPDP) Rules. Now, after a 16-month delay, the DPDP Rules have been released for public consultation. Optimistically, this means that it will be a few more months at the very least before they are finally notified.

The DPDPA is a piece of legislation which is entirely inadequate to deal with emerging privacy harms, especially those stemming from the collection of behavioural data, algorithmic surveillance, and the deployment of Artificial Intelligence (AI) systems which depend on the mass collection of personal data. It is primarily based on the notice-and-consent model of data protection, which relies on the knowledge of the individual whose data is being collected (the data principal) about the consequences of their consent. This becomes essentially impossible in a market where a large information asymmetry exists between the data principals (us), and the companies that aggregate and process our personal information to make inferences about us on a collective level, create manipulative digital interfaces, and trade in the increasingly precise profiles created about us.

In this landscape, the DPDP Rules are underwhelming at best and dangerous at worst. Where the Rules were supposed to provide clarity on the provisions of the DPDPA (most of which were subject to future notification), several aspects remain either unclear or low effort for industry.

Business as usual

Many of the prescriptive provisions in the DPDP Rules such as the form that privacy notices should take (Rule 4), reasonable security safeguards (Rule 6), and the form of reporting a data breach (Rule 7) would form a part of very basic privacy programmes, with a bare minimum level of overhaul required to most existing processes followed by companies.

‘Significant Data Fiduciaries’, which are entities classified as such due to the volume and sensitivity of personal data they process, have certain heightened obligations such as conducting data protection impact assessments and audits, but these are practices that most large companies follow in any event. In fact, there is still no clarity on which entities will fall within the ambit of this definition. Significant Data Fiduciaries are required to ensure that the rights of data principals are not affected by the use of algorithmic systems — however, there are no further specifications on the types of decisions these systems should not make, on addressing the systemic risks they pose, or on any due diligence on the training and operation of such systems, particularly where they are AI based.

Misguided measures

Other provisions are misguided. For example, entities processing children’s personal information must verify, in every instance, the details of the person claiming to be the parent or guardian of the child. This assumes that every parent has such ID details and, more importantly, the requisite level of digital literacy to make informed decisions on behalf of children. In fact, the thoughtless construction of this requirement risks further worsening India’s digital divide. That aside, this measure does not otherwise address the very real harms faced by children online, for which there were more robust provisions in the earlier drafts of the Act — such as classifying such entities as ‘guardian data fiduciaries’, which were barred from profiling, behavioural monitoring and otherwise processing data in a manner that would cause harm to the child. Further, for certain purposes specified in the Fourth Schedule, the prohibition on behavioural monitoring and targeted advertising directed towards children has been done away with, when there is no rationale for why such monitoring is needed in the first place.

Powers for the government to exempt its instrumentalities from the requirements of the Act and to issue blocking orders under the Act are further expanded, with the Rules empowering the central government to call for any information from a data fiduciary or intermediary if it is in the interest of protecting the sovereignty and integrity of India, or to perform any function under law. This essentially allows the central government unfettered access to any information collected by a data fiduciary, potentially paving the way for a surveillance state. It is likely that we could see such a provision challenged for excessive delegation of powers.

Dilution of rights

The rights of data principals to seek compensation, and the vision of the B.N. Srikrishna Committee for an independent data protection board with a range of adjudicatory and regulatory powers, no longer exist under the Act. The Rules, while specifying a range of provisions on the data protection board, subject all the aspects of the board’s functioning to the scrutiny of the central government. This leaves data principals without an independent regulator. Moreover, there is no clarity on the timeline for establishing the board, during which time there remains no forum for redress against private entities.

The common narrative around the DPDPA and Rules is that they are tough on industry, due to the ostensibly large fine amounts of up to ₹250 crore that could theoretically be levied. In reality, the final form of the legislation is largely diluted from the first draft proposed in 2018 on all counts — reducing the requirements for conducting due diligence and data protection impact assessments, removing privacy by design provisions, removing the types of harms which were legally recognised, removing the rights of data subjects to seek compensation, and removing provisions protecting individuals against algorithmic decision making which could affect their rights. The Rules exacerbate the flaws of this framework and, in fact, should come as a relief to the industry.

Regulators around the world have moved well beyond data protection laws and are now focused on regulating the next big issue in technology, namely AI. While India lags, it does so at the expense of all our individual and collective rights to privacy, which it is the state’s positive obligation to enable. In not only failing to fulfil this positive obligation, but also relaxing requirements for the industry, expanding state surveillance and further delaying the establishment of the Data Protection Board, India’s data protection law fails to meet the basic requirements in the Puttaswamy judgment.

Sriya Sridhar is an academic based in Chennai, and studies the regulation of emerging technologies