Achieve your IAS dreams with The Core IAS – Your Gateway to Success in Civil Services

India’s data protection rules need some fine-tuning

India’s data protection rules need some fine-tuning

(Source – The Hindu, International Edition – Page No. – 8)

Topic : GS2 – Governance

Context
  • Date of Release: On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) introduced the Draft Digital Personal Data Protection (DPDP) Rules.
  • Purpose: The DPDP Rules aim to provide a framework for the protection of personal data in the digital space.
  • Change in Approach: These new rules indicate a significant shift from the previous Personal Data Protection Bill, which many considered overly restrictive.
  • Key Objectives: The DPDP Rules are designed to balance data protection and the need for innovation and growth in the digital economy.
A Practical Approach to Data Protection
  • Flexible Framework:
  • The DPDP Rules adopt a flexible and principles-based approach, contrasting with the rigid nature of the EU’s GDPR.
  • GDPR has faced criticism for:
    • Favoring large corporations.
    • Harming smaller businesses.
    • Failing to foster public trust in online data management.
  • The DPDP Rules aim to avoid these pitfalls by promoting business flexibility and innovation.
Key Features of the Draft Rules
  • Simplified Notice and Consent Framework:
  • Emphasizes clear and simple consent, avoiding unnecessary complexities.
  • Businesses are required to provide only essential information without adhering to stringent user interface guidelines.
  • Protection of Children’s Data:
  • Children’s data receives stricter protections.
  • Certain sectors, such as education and healthcare, have specific exemptions.
    • For example, schools can monitor student behavior to enhance learning without needing parental consent, as long as appropriate safeguards are implemented.
Challenges and Concerns
  • Data Localisation Requirements:
  • Large entities, referred to as Significant Data Fiduciaries (SDFs), may be required to store data within India. This could deter foreign investment.
  • An alternative, sector-specific approach, similar to the RBI’s regulations for payment data, may be more effective.
  • Ambiguities in Provisions:
  • Businesses currently lack clarity on how to handle excessive or unreasonable data requests.
  • There are concerns regarding potential government access to sensitive business data and the protection of trade secrets.
Future Considerations
  • Impact of Data Breaches:
  • In 2024, data breaches cost Indian businesses an average of ₹19.5 crore, highlighting the need for stronger data protection measures.
  • Exploring Privacy Solutions:
  • India should consider privacy solutions beyond just consent, especially with the advent of technologies like IoT, 5G, and AI, which generate vast amounts of data.
  • Public Consultations:
  • Ongoing consultations should be encouraged to refine the rules, ensuring a balance between flexibilityindustry needs, and individual rights.
Conclusion
  • The DPDP Rules present a practical framework that promotes innovation and economic growth while safeguarding personal data.
  • By addressing existing gaps and focusing on flexibility, India can develop effective data protection laws that avoid the challenges seen in more rigid models like the GDPR.