[Answered] Critically analyze whether the Digital Personal Data Protection (DPDP) Rules exacerbate the weaknesses of India’s privacy framework.

The landmark Justice K.S. Puttaswamy (Retd.) vs Union of India (2017) judgment upheld the right to privacy as a fundamental right under Article 21 of the Constitution. The Digital Personal Data Protection Act (DPDPA), 2023, and its recently released DPDP Rules, instead of strengthening privacy protections, have exacerbated existing weaknesses by prioritizing state surveillance, weakening regulatory oversight, and providing excessive leeway to industries.

Weaknesses Exacerbated by the DPDP Rules

• Delayed and Inadequate Implementation: Despite being enacted in August 2023, the Act remains inoperative due to a delay in notifying the DPDP Rules, which took 16 months for public consultation. This delay has left India without an operational data protection regime, contrary to the Supreme Court’s directive in the Puttaswamy judgment.
• Expansion of Government Surveillance and Exemptions: The government can exempt its agencies from compliance with the law on broad grounds such as sovereignty, public order, and national security (Section 17 of the DPDPA). The DPDP Rules go further by allowing the central government to demand any information from data fiduciaries under vague justifications.
• Weak Regulatory Oversight and Lack of Independent Adjudication: The Data Protection Board of India (DPBI), envisioned as an independent regulatory authority, remains under the direct control of the central government. The B.N. Srikrishna Committee (2018) recommended an independent data protection authority with adjudicatory powers, but the DPDP framework strips it of such autonomy.
• Dilution of Data Principal Rights: The right to compensation for data breaches has been removed, leaving individuals without recourse against privacy violations. Unlike GDPR, the DPDP framework lacks robust protections against algorithmic decision-making, allowing unchecked profiling and digital manipulation.
• Industry-Friendly, Weak Compliance Standards: The Rules largely codify existing corporate practices, requiring only minimal changes in industry compliance. The classification of Significant Data Fiduciaries (SDFs), which would face stricter compliance obligations, remains ambiguous.
• Inadequate Protection for Children’s Data: The earlier drafts classified certain entities as Guardian Data Fiduciaries, which were prohibited from profiling and behavioral monitoring of children. However, the final version allows targeted advertising toward children under specific conditions, diluting previous safeguards.

Potential Benefits of DPDP Rules

• The Act introduces data minimization and purpose limitation principles, requiring entities to process only necessary data. It imposes penalties of up to ₹250 crore for violations, which could act as a deterrent. The framework attempts to simplify compliance for small businesses and startups by reducing regulatory burdens.

Conclusion

A stronger, rights-based approach with independent regulatory oversight is essential to ensure meaningful data protection in India.