Context of the Draft Rules:
- Released by MeitY: The Ministry of Electronics and Information Technology (MeitY) released the draft rules for the Digital Personal Data Protection Act (DPDP Act), 2023 after a 16-month wait.
- The rules, open for public feedback until mid-February, outline the implementation framework of the DPDP Act, India’s first comprehensive data privacy law.
- Critics, especially civil society, have expressed concerns about the lack of a specialized regulator, insufficient protections against government data access, and excessive delegation of regulatory functions to the government.
Relevance: GS 2 (Governance)
Lack of Detail in Draft Rules:
- General Guidance Provided: The draft rules touch on key mechanisms such as notice and consent for data collection, breach notifications, and parental consent for children’s data.
- Shortcomings in Detail: The rules provide limited practical guidance on how these mechanisms will be implemented to improve the lives of India’s digital citizens.
Shortcomings in User Rights:
- Right to Access and Erasure:
  - The DPDP Act grants users the right to access, correct, and erase their data, but the rules fail to clarify how users can exercise these rights.
  - The rules only mention that users must follow steps published by businesses to make requests, without specifying clear processes for exercising the right to erasure (e.g., removing specific search engine links).
  - The rules also lack clarity on how data processors can object to erasure requests, especially if they affect third-party content.
Shortcomings in Protecting Children’s Data:
- Parental Consent Requirement:
  - The DPDP Act mandates that data processors seek verifiable parental consent before processing the personal data of children under 18, but the draft rules offer no clear mechanism for how businesses should identify children and collect this consent.
  - The rules only state that data processors must ensure parents are identifiable adults but do not address critical questions such as verifying parent-child relationships or dealing with children lying about their age.
  - The rules do not provide solutions for cases where families share devices or for platforms that need to verify age claims.
Overall Evaluation:
- Despite a long drafting and consultation period, the rules released by MeitY are criticized for being vague, incomplete, and lacking operational clarity.
- The government needs to consult experts, address practical implementation questions, and clarify timelines for rule enforcement.
Call to Action:
- The government must seek expert advice, conduct consultations, and refine the rules to ensure they address privacy concerns and provide clear guidelines for businesses and data processors before finalizing the implementation framework.