DPDP Rules Are Too Little, Too Vague and Too Late: Internet Freedom Foundation
Moneylife Digital Team 06 January 2025
Expressing concern over the insufficient provisions of Digital Personal Data Protection Rules, 2025 (DPDP Rules) with several points of contention, the Internet Freedom Foundation (IFF) says the DPDP Rules are 'too little, too vague and too late'. Last week, the Union ministry of electronics and information technology (MeitY) released the long-awaited DPDP Rules.
 
"Upon a preliminary reading of the DPDP Rules, we find that several provisions fail to meet the constitutional requirements outlined in the KS Puttaswamy judgment, which explicitly stated that 'the matter shall be dealt with appropriately by the Union government, with due regard to what has been set out in this judgment'. At the outset, we express concern about the DPDP Rule's insufficient provisions with several points of contention. In a line, the DPDP Rules are 'too little, too vague and too late'. For example, terms like 'reasonable safeguards', 'appropriate measures', or 'necessary purposes' are used without adequate elaboration," IFF says in a statement.
 
Apart from the issues with the consultation process, IFF expressed preliminary concerns over five issues in the DPDP Rules. IFF's concerns include vagueness, over-reliance on discretionary powers, weak oversight and accountability mechanisms, overbroad exemptions for State processing and a step towards universal and mandatory registrations.
 
1. Vagueness: For instance, under Rule 5, in pursuance of Section 7(b) of the DPDP Act, the government has been allowed over-broad data processing powers in the context of the provision or issue of a subsidy benefit, service, certificate, licence, or permit. Further, Rule 6 on reasonable security safeguards for preventing personal data breaches is vague and requires more specifics.
 
2. Over-reliance on Discretionary Powers: Significant discretionary authority is granted to the Union government and data fiduciaries, such as determining exemptions (Rule 11), processing standards (Second Schedule), and data transfers (Rule 14). The exemption allowing for data retention for compliance with the law (Rule 8) from the general obligation for purpose limitation is unclear and may be potentially misused. The DPDP Rules also propose that the Union government can define the kind of data that significant data fiduciaries will have to localise within India's borders (Rule 12(4)). This gives the government a lot of power without clear criteria. 
 
3. Weak Oversight and Accountability Mechanisms: The DPDP Rules do not establish strong enforcement or oversight mechanisms. While penalties may be levied, there is no explicit provision for independent audits or compliance monitoring. Here, the foundational deficiencies of the principal enactment, viz., the DPDP Act, bear repetition since it failed to create a regulatory framework through an independent data protection authority. Hence, large parts of the implementation and enforcement will be administered by the MeitY, raising apprehension.
 
4. Overbroad Exemptions for State Processing: The rules allow the State and its instrumentalities to process personal data for broad purposes, such as issuing subsidies, benefits, or services under laws, policies, or public funds (Rule 5). However, the lack of specificity regarding the scope and limits of such processing creates room for potential misuse. The language within them avoids the limitations that emerge from the Puttaswamy judgement on the principles of 'proportionality' and 'necessity' that are essential safeguards in any data protection regime.
 
5. A Step Towards Universal, Mandatory Registration: The requirement for verifiable parental consent (VPC) for children's data is contestable on multiple levels (Rule 10). There seems to be no internet-wide age gating and only individuals who identify themselves as children require VPC. Hence, if the government requires age verification (rather than self-declarations) to check if a user is a minor, it may, in future, require every online user to verify their age through government credentials. This holds the potential for mass surveillance with government IDs linked to every user's online credentials. These provisions also violate principles of data minimisation or retention limitations and risk over-collection and prolonged storage of personal data.
 
IFF says it is dismayed that, after such a long wait, the DPDP Rules have failed to meet the expectations of clear and detailed rules that would iron out the lacunae in the DPDP Act. "However, the DPDP Rules seem to be continuing the trend of the DPDP Act of vagueness, extensive powers to the executive and insufficient data protection principles. If passed into law, these draft rules will serve power and profit rather than the people of India."
Comments
soumen.mukherjee
1 week ago
Rules are good enough to start with; amendments will come in due course. Also, the government should have the absolute power, else India will become a failed state.
rangarao.ds
2 weeks ago
"......If passed into law, these draft rules will serve power and profit rather than the people of India." That's what it's meant for!
parimalshah1
2 weeks ago
Need to check the detailed and genuine ownership of the Internet Freedom Foundation (IFF).