The Draft Data Protection Rules, 2025
Red Book
Red Book

Mains Guidance Program (MGP) for UPSC CSE 2026, Cohort-1 starts 11th February 2025. Registrations Open Click Here to know more and registration.

Source: This post on The Draft Data Protection Rules, 2025 has been created based on article “What do draft data protection rules state?” published in The Hindu on 22nd January 2025.

UPSC Syllabus topic: GS Paper 3- Technology

Context: This article discusses the draft rules released by the Indian government on January 3, 2025, to implement the Digital Personal Data Protection (DPDP) Act, 2023.

What are the Draft Data Protection Rules, 2025?

  1. The Ministry of Electronics and Information Technology released draft rules for implementing the Digital Personal Data Protection (DPDP) Act, 2023, on January 3, 2025.
  2. These rules aim to establish a framework for data privacy and localisation but have been criticized as inadequate for a comprehensive data protection regime.
  3. Feedback on the draft rules is being collected through a fiduciary process, which precludes public disclosure and counter-comments.

What is the Data Localisation Mandate?

  1. Definition: Data localisation restricts the flow of data within a country’s borders.
  2. Scope: The draft rules expand the Act’s provisions, proposing a government-appointed committee to identify data categories that cannot be exported from India.
  3. Impact: This applies to significant data fiduciaries (SDFs), which process large volumes of sensitive personal data. Major tech companies like Meta, Google, Apple, Microsoft, and Amazon are expected to fall under this category.

Why is Data Localisation Introduced?

  1. Purpose: To address challenges faced by law enforcement in accessing cross-border data for investigations.
  2. Precedent: A similar mandate by the Reserve Bank of India in 2018 required localisation of payment data.
  3. Sectoral Collaboration: The proposed central committee will work with ministries and regulators to prevent ad hoc localisation mandates and ensure smooth industry operations.

What Challenges Do Companies Face?

  1. Operational Issues: Companies, including start-ups, may struggle to segment data for localisation, increasing costs and restricting operations.
  2. Timeline: The government plans to provide a two-year compliance period.

How Does Rule 22 Enhance Section 36 of the DPDP Act?

  1. Broad Powers: Section 36, along with Rule 22, allows the government to demand any information from data fiduciaries or intermediaries in the interest of sovereignty, integrity, or national security.
  2. Lack of Transparency: Companies cannot disclose government requests if such disclosure could harm state interests.

What Are the Concerns Over Executive Overreach?

  1. Potential Misuse: Experts warn that discretionary powers could lead to surveillance and suppression of dissent.
  2. End-to-End Encryption: Social media intermediaries, like WhatsApp, could be forced to compromise encryption under Rule 22. WhatsApp previously challenged similar provisions under the IT Rules, 2021.

Are There Any Checks and Balances?

  1. Criticism: The provisions lack adequate safeguards, contrasting the 2012 A.P. Shah Committee recommendations, which advocated notifying individuals subject to data interception.
  2. Expert View: Legal experts highlight the risk of misuse by politically influenced agencies and call for safeguards similar to those under the Information Technology Act, 2000.

Discover more from Free UPSC IAS Preparation Syllabus and Materials For Aspirants

Subscribe to get the latest posts sent to your email.

Print Friendly and PDF
Blog
Academy
Community