What do draft data protection rules state?

(Source – The Hindu, International Edition – Page No. – 4)

Introduction to Digital Personal Data Protection (DPDP) Draft Rules

• These rules were introduced 16 months after the DPDP Act was notified in August 2023.
• The government is seeking public feedback on these draft rules.

Concerns Over the Data Privacy Framework

• Critics argue that the DPDP Act, along with the draft rules, is insufficient to establish a comprehensive data privacy framework.

• Concerns include the need for further scrutiny and review of these rules by a parliamentary standing committee before final approval.

Data Localisation Mandate

• The draft rules propose a data localisation mandate that goes beyond what was initially intended by the DPDP Act.
• Data localisation refers to restrictions on transferring data outside the country’s borders.
• The rules suggest that a government-appointed committee will define which types of data cannot be exported.
• Significant data fiduciaries (SDFs), such as large tech companies, are likely to be affected by this rule.
• The main motivation for this provision is to help law enforcement access cross-border data for investigations more easily, as seen with the Reserve Bank of India’s 2018 mandate for payment data localisation.
• A two-year timeline is proposed for the industry to set up systems for compliance with data localisation requirements.

Challenges of Data Localisation

• Data localisation could pose operational challenges for both large tech companies and start-ups.

• Companies may face difficulties in segmenting and determining which data to store where, leading to higher operational costs and limitations on business operations.
• The process could be complex and costly for businesses to comply with, especially for international companies with vast data needs.

Executive Overreach and Government Powers

• Section 36 of the DPDP Act grants sweeping powers to the government to demand information from data fiduciaries or intermediaries in the name of national security, sovereignty, or integrity.
• These powers could be misused for surveillance or political control, with concerns about compromising privacy.
• Rule 22 also prevents companies from disclosing government demands for information if it could harm national security, raising fears of government overreach and lack of transparency.

Concerns Over Lack of Safeguards

• Critics argue that these provisions give the government excessive discretion without proper checks and balances.
• There are concerns that the government could access data without notifying individuals involved, undermining transparency and accountability.
• Some suggest that the government should adopt safeguards, similar to those in the Information Technology Act, 2000, to protect citizens’ privacy while ensuring the proper management of data requisition by authorities.

Conclusion

• The draft rules, although aimed at enhancing data protection, raise concerns about operational challenges, government overreach, and the absence of adequate privacy safeguards.
• The industry and legal experts recommend more scrutiny and proper checks before final implementation.