India's Draft Rules for Protecting Privacy

India's approach to protecting privacy through draft rules includes selective dynamic controls, aiming for easier implementation and balancing business and regulatory needs.

Sectoral Requirements and Data Localisation

• The rules involve sector-specific requirements for data localisation.
• There is a focus on critical personal data, like health or finance, which faces less resistance regarding export control.
• Lesser restrictions are placed on less-sensitive information, facilitating digital commerce.

Regulatory Approach

• India's method aligns with a conservative regulatory approach that has been effective over time, avoiding radical changes.
• Data fiduciaries are categorized based on volume and sensitivity of data processed, allowing differentiated treatment.

Implementation and Security Measures

• The phased implementation aids entities in adopting necessary safeguards.
• Security measures include breach intimations and mitigation provisions to protect data integrity.
• Industry is expected to adapt more swiftly compared to government agencies.

Public Scrutiny and Government Carve-outs

• The draft rules aim to establish a framework governing official data collection and processing.
• Basic privacy protection involves declaring data collection purposes and managing consent.

Consent Management and Minors

• Rules regulate consent management through intermediaries to protect consumer interests.
• Parental consent rules for minors might set a precedent for other regions dealing with similar issues.

Stakeholder Engagement and Legal Updates

• Intensive stakeholder engagement led to the scrapping of a previous law and the introduction of a revised version.
• The new law awaits finalization of rules, expected with minor revisions.

Draft Digital Personal Data Protection Rules, 2025

The draft Digital Personal Data Protection Rules, 2025, represent a significant step toward enforcing the fundamental right to informational privacy for Indians, as affirmed by the Supreme Court in the landmark case of Justice K.S. Puttaswamy vs. Union of India (2017).

Background and Context

• The Digital Personal Data Protection Act was passed over a year ago, and the draft rules aim to enforce it.
• The seven-year delay in implementing these rules coincides with rapid digitization, impacting data privacy concerns.

Key Provisions of the Draft Rules

• Online services must communicate the purposes of data collection to users.
• Establish safeguards for children's data online.
• Formation of the Data Protection Board of India (DPBI).
• Set standards for government agencies to be exempt from the Act's provisions.
• Outline procedures in case of personal data breaches by data fiduciaries.

Concerns and Criticisms

• The proposed DPBI's institutional design concerns remain unresolved, potentially unrealistic for subordinate legislation.
• The government has conducted the rule-making process in secrecy, limiting stakeholder engagement.

Recommendations for Transparency and Participation

For legislation with high stakes for individual users and technology firms, an open deliberative process is crucial. This includes:

• Facilitating equal participation of industry associations and the public with transparency into differing viewpoints.

Long-term Goals and Urgency

• The government needs to adhere to principles of minimizing data collection, promoting disclosures, penalizing neglect, and discouraging surveillance.
• Timely implementation is essential for regaining public confidence in data protection commitments.