How the draft rules for implementing data protection fall short

After a long wait of 16 months, the Ministry of Electronics and Information Technology (MeitY) has released the draft rules for implementing the Digital Personal Data Protection Act, 2023 (DPDP Act). These rules are open for public feedback until the middle of February. Various stakeholders, including civil society, academia, and industry, have been eagerly awaiting the publication of these proposed rules as they contain the baseline implementation framework of the DPDP Act. 

The DPDP Act is India’s first comprehensive data privacy law that applies to all spheres of commerce and industry. It lays down operational obligations for data processors, special protections for children, rights for all users, and a body for grievance redressal called the Data Protection Board of India. At the time of release, the DPDP Act was criticised by civil society for not instituting a specialised regulator, not incorporating standard protections against government access to data, and excessive delegation of regulatory functions to the Central government.

Lack of detail

The draft rules propose operative guidance for critical mechanisms such as notice and consent to a user for data collection and processing, intimation of data breaches, collection of parental consent on behalf of children, data localisation measures, and the procedure for setting up the Data Protection Board. Although the draft rules provide some guidance for implementing the DPDP Act, they lack detailed guidelines to help improve the lives of India’s digital nagriks. Let’s illustrate some shortcomings from the perspective of two critical avenues that the DPDP Act seeks to introduce — rights of users and the protection of children’s data.

User rights

The DPDP Act enhances the autonomy of users over their personal data by providing them with the right to access, correct, complete, update, and erase their data. The law leaves it to the corresponding rules to clarify the manner in which users can exercise these rights. Unfortunately, the draft rules do not make it clear how users may make these requests. They simply state that users can make requests to data processors for exercising their rights by following the steps published by businesses. This simply restates, in different words, what the Act lays down.

For example, as per the right to erasure, can users ask search engines to remove links to certain websites? Courts in India have frequently asked Google to ‘de-list’ certain links from showing up on its public search engine. The rules could have prescribed standards to clarify the mechanism in these situations such as requiring that users share specific hyperlinks for erasure.

Since the right to erasure may also impact a third party’s online speech, the draft rules could have articulated certain modes or conditions for objection that data processors could make against such an erasure request. However, the draft rules do not provide any such clarity.

Protecting children

Today children are increasingly using various websites on the internet including social media platforms.

To safeguard children, the DPDP Act obligates data processors to seek verifiable parental consent before accessing the personal data of children under the age of 18. The manner of obtaining parental consent was to be laid down in the subsequent rules. However, here again the draft rules fall short. There is no detailing of an exact mechanism for identifying children and collecting parental consent. The rules provide that data processors will need to adopt appropriate technical and organisational measures to ensure parental consent is obtained prior to accessing data of a child. The rules focus on how data processors must exercise due diligence for checking that parents are identifiable adults. This is a simple rephrasing of what the law lays down in the DPDP Act.

The rules were required to lay down detailed procedures for how businesses are expected to verify the identity of parents. They simply lay down illustrations where parents could either point to their existing user details on a common platform, or prove their identity by providing details of any kind of formal identity, for example a government issued ID. Again, critical questions remain.

How will data processors identify parental relations, that is, that the adult proving their identity and providing consent is actually the guardian of the child? What if children lie about their actual age when accessing a website? What mechanisms do platforms need to put in place to gauge the veracity of an age claim? Indian families, including children, often share a single device to access digital services; how will businesses identify children in these cases? The draft rules do not provide any guidance on these practical implementation questions.

Despite a 16-month window for drafting and consulting experts for the framing of these rules, the MeitY has released a document that is vague, incomplete, and rushed. Typically guidelines are very detailed, account for consumer privacy, and provide operational clarity for businesses and data processors. Unfortunately, the proposed rules leave much to be desired. 

The government needs to seek appropriate expert advice, conduct wide consultations, and clarify timelines for implementation, before finalising the rules that will form the backbone of India’s first data privacy law.

Jhalak M. Kakkar is the Executive Director and Shashank Mohan is the Associate Director at the Centre for Communication Governance at the National Law University Delhi.

Published - January 13, 2025 08:30 am IST