India’s Ministry of Electronics and Information Technology recently released the much-anticipated draft rules for the Digital Personal Data Protection (DPDP) Act, 2023. Passed by Parliament in August last year, the Act is a landmark step toward safeguarding personal data in India. The draft rules unveiled in January are open for public consultation until 18 February 2025.
The DPDP Act, designed to provide robust safeguards against misuse of personal data, has been eagerly awaited by the industry for clarity on compliance and operational responsibilities. The draft DPDP rules outline key provisions, including mechanisms for data protection, user rights, and establishing a regulatory framework.
The Strengths
The framework’s emphasis on an interoperable platform and robust record-keeping for consents aligns seamlessly with global best practices. This ensures users retain control over their data while holding Data Fiduciaries and Consent Managers accountable. The mandated seven-year retention of consent records establishes a strong foundation for audit trails, fostering trust and ensuring compliance. By incorporating requirements for encryption, obfuscation, and access controls, the framework takes a proactive stance against prevailing cybersecurity threats.
The mandatory retention of logs related to unauthorised access for one year is a practical measure that supports investigations and helps prevent future incidents. Additionally, the specified timelines for notifying Data Principals and authorities demonstrate a commitment to responsiveness and transparency in breach management. Requiring breach reports to include mitigation measures promotes proactive risk management and instils user confidence.
The framework’s special attention to children’s data and health-related information reflects a thoughtful approach to the ethical and legal challenges associated with sensitive data. Keeping critical personal data within India underscores the country’s focus on data sovereignty and enhances national security. Lastly, providing easily accessible user rights and clear timelines for grievance redressal will reinforce the user-centric nature of the framework, ensuring greater transparency and accountability.
The Gaps
The document employs broad and undefined terms such as “appropriate measures” and “reasonable security safeguards,” which could lead to varying interpretations and inconsistent enforcement.
The stringent compliance requirements, including the implementation of consent management platforms and data localisation mandates, may disproportionately burden smaller entities, escalating their operational and financial challenges. Although the framework places significant emphasis on data localisation, it provides insufficient clarity on mechanisms for cross-border data transfers, such as adequacy agreements or binding corporate rules, which are critical for businesses with global operations.
The assumption that entities will adhere to the rules in good faith is optimistic, yet the DPDP Rules lack a detailed approach to monitoring compliance and effectively enforcing penalties for non-compliance. Provisions to prevent conflicts of interest among Consent Managers are commendable; however, their real-time monitoring and enforcement may prove complex and resource-intensive. Similarly, exemptions for research, archiving, and statistical analysis could create loopholes for misuse unless accompanied by robust safeguards.
While digital governance offers efficiency, it risks marginalising users who lack digital literacy or access, particularly those in rural or underserved regions. Addressing these accessibility gaps is crucial to ensure inclusivity and equitable implementation.
Unique Features
The new DPDP Rules mandate that consent managers provide interoperable platforms enabling Data Principals to grant, manage, review, and withdraw consent while adhering to stringent data protection standards. They must maintain consent records for at least seven years and ensure no conflicts of interest with Data Fiduciaries, who are obligated to implement robust safeguards, including encryption, access controls, monitoring, and data-backup measures, to protect against breaches. The new rules also mandate that logs for detecting unauthorised access must be retained for at least one year.
The rules also provide detailed breach notification protocols, requiring timely intimation to affected Data Principals and the Board, along with reporting of mitigation measures and potential impacts. While there is a special obligation to verify parental consent for processing children’s data, the new rules exempt educational institutions, healthcare providers, and allied services from this requirement for data processing within specific contexts. The framework also mandates that sensitive personal and traffic data remain within Indian territory, reinforcing data sovereignty principles.
According to the draft rules, the Board and the Appellate Tribunal will operate digitally, emphasising techno-legal measures to eliminate the need for physical presence. This will ensure users have easy access to rights, such as data access and erasure requests, through digital platforms with clearly defined timelines for grievance redressal. These provisions prioritise transparency, user control, and strong security while addressing the evolving demands of digital data governance.
Recommendations for Improvement
To eliminate ambiguity and promote uniform implementation of the DPDP Rules, detailed guidelines explaining terms like “reasonable security safeguards” and “appropriate measures” are needed. The government must also introduce tiered compliance requirements tailored to the size and nature of entities, minimising undue burdens on SMEs.
The government must also develop clear frameworks for international data transfers that align with global trade norms and data-sharing practices. In addition, it is critical to establish a mechanism for proactive compliance monitoring and to implement proportionate penalties for violations in order to discourage non-compliance.
To ensure inclusivity, alternative grievance redressal mechanisms should be incorporated to make them accessible beyond digital platforms. Stricter and more specific conditions for exemptions should be defined to prevent potential misuse under the pretext of research or statistical processing. Addressing these gaps will help the rules achieve a balanced approach, fostering innovation, ensuring robust compliance, and protecting individuals’ rights.
While the framework introduces commendable measures to strengthen data governance in India, it must address its ambiguities and challenges to achieve its full potential. By refining compliance mechanisms, ensuring greater clarity in its provisions, and fostering digital inclusivity, the framework can serve as a comprehensive and effective regulatory model for the future of data protection.
By Gaurav Sahay
The author is the Practice Head for Technology and General Corporate at Fox Mandal & Associates LLP.