
Legal framework to protect digital data must be flexible

The goal of the draft DPDP Rules is to strike a balance between the right to privacy and technological advancement.
Illustration by Sandeep Joshi

THANKS to our growing digital dependence, the majority of our personal data is now in digital form. To facilitate the implementation of the Digital Personal Data Protection Act, 2023, which creates a framework for processing digital personal data in India, the Ministry of Electronics and Information Technology (MeitY) has created the draft Digital Personal Data Protection (DPDP) Rules, 2025.

The draft rules provide the necessary details and seek to fortify the legal framework for the protection of digital personal data, striking a balance between the need to process personal data for legitimate purposes and the right of individuals to protect their data. The government has given stakeholders 45 days to give inputs or comments on the draft rules.


The journey of data protection legislation is intriguing. The World Economic Forum (WEF) started a project called “Rethinking Personal Data” in 2010 to deepen the collective understanding of how a principled, collaborative and balanced personal data ecosystem can evolve. The main goals of the General Data Protection Regulation (GDPR), which was created by the European Union in 2018, are to simplify the regulatory framework for international business and to improve individuals’ ownership and rights over their personal data. In fact, the UK also kept the law even after breaking with the EU. Additionally, countries such as Brazil, South Korea, South Africa, Japan and Turkey — and the American state of California — adopted the GDPR as a model for protecting personal data. China’s Personal Information Protection Law became operative in November 2021.

In today’s social media-driven world dominated by the Big Techs, data localisation is a delicate issue. Data localisation refers to actions that restrict data flow within a jurisdiction’s boundaries. Under the Data Protection Act cleared in August 2023, the Government of India had stated that it would merely notify the territories to which Indian personal data cannot be taken. Following immaculate lobbying efforts by the tech companies against a provision in an earlier draft bill that required severe localisation rules, this was viewed as a significant victory. Companies were required to keep copies of certain sensitive personal data, such as financial and health information, within India under the Data Protection Bill, which was first introduced in 2019 and later withdrawn from Parliament in 2022.

Additionally, it was forbidden for companies to export any undefined “critical” personal data from India. Rob Sherman, vice-president and deputy chief privacy officer of Meta, said in 2022 that the country’s data localisation regulations might make it “difficult” for the business to provide its services there. And Keith Enright, the chief privacy officer at Google, stated that norms for data localisation should be as “narrowly tailored as possible”.


Significantly, the draft Digital Personal Data Protection Rules, 2025, reinstated data localisation, a Big Tech annoyance that had been eliminated in the Data Protection Act, 2023. The goal is to establish a central body that will collaborate with sectoral regulators and other ministries to successfully deploy local data storage without interfering with business operations. The government is considering giving the industry two years to transition to the new law and set up their systems for compliance.

The introduction of possible obligations for “significant data fiduciaries” in relation to cross-border data sharing is an intriguing feature of the draft regulations. While businesses and organisations that gather and handle personal data are considered data fiduciaries, “significant data fiduciaries” will be chosen based on the quantum and sensitivity of the personal data they handle as well as the potential threats to India’s sovereignty and integrity, electoral democracy, security and public order. It is anticipated that the Big Tech companies, such as Amazon, Microsoft, Apple, Google and Meta, will be categorised as significant data fiduciaries.

Additionally, the draft regulations permit tech businesses to put in place a system for obtaining “verifiable” parental approval prior to processing children’s personal data. In essence, after companies expressed dissatisfaction over the potential difficulty of implementing the rule, the government decided not to propose a mechanism from its end and has instead left it up to the companies to choose a system.

In the event of a data breach, data fiduciaries will be required to notify affected parties “without delay” about the breach, including its nature, scope, timing and location; the implications that the breach is likely to have for the impacted user; and the steps that have been taken or are being taken to reduce risk, among other things. Failure to take adequate precautions to avoid a data breach could result in a fine of up to Rs 250 crore.

The Data Protection Act has given the government or its agencies broad exemptions for processing the personal information of residents on the basis of “public order”, “friendly relations with other states”, and “national security”, among other things. Additionally, the government has suggested that health experts, educational institutions, creche and daycare facilities be excused from requiring parental agreement before processing children’s personal data.

“Yet, we can’t just hit the ‘pause button’ and let these issues sort themselves out. Building the legal, cultural, technological and economic infrastructure to enable the development of a balanced personal data ecosystem is vitally important to improving the state of the world,” the 2011 WEF report said. For similar reasons, we also urgently need a concrete law. The goal of the draft DPDP rules is to strike a balance between the right to privacy and technological advancement.

In the near future, the quantum, dynamics and discoveries of the hidden potential and risks of personal data will undoubtedly vary due to the constantly shifting pattern, purview, domain, demand and scope of data transmitting into an unknown horizon. Additionally, there ought to be a dynamic alteration in the pattern with technological evolution, our intrusion into the AI world and changes in the global climate, geopolitics and trade. Any legislation pertaining to the protection of personal data should have the ability to easily and continuously adapt to the changes. We can at best hope that our legislation will be able to incorporate that level of adaptation and flexibility as effectively as possible.
