Draft Data Protection Rules

The Ministry of Electronics and Information Technology has introduced draft rules for implementing the Digital Personal Data Protection (DPDP) Act, 2023. These draft rules aim to expand the scope of data protection and ensure compliance with the provisions of the Act. Public feedback is currently being solicited to refine the framework, though concerns have been raised about its adequacy in addressing comprehensive data privacy needs.

Data Localisation Mandate

The draft rules mandate data localisation, requiring data to be stored and processed within the country’s borders. This measure seeks to limit cross-border data transfers, confining them to specific countries with adequate safeguards. While this provision enhances data sovereignty, it raises concerns about increased costs for companies and the potential impact on global businesses operating in India.

Rule 22 and Its Implications

Rule 22 under the draft framework empowers the government to demand access to any information from data fiduciaries or intermediaries in the interest of national security, sovereignty, and integrity. This provision allows the government to override end-to-end encryption, which could potentially compromise user privacy and freedom of expression. Furthermore, intermediaries are prohibited from disclosing information regarding such demands, adding another layer of concern about transparency.

Potential Challenges

The draft rules could pose significant operational and compliance challenges for companies, especially small and medium enterprises, due to the costs associated with implementing localisation requirements. Additionally, the provisions have been critiqued for creating opportunities for misuse, as they grant broad powers to the government with limited checks and balances. Critics argue that such sweeping powers could lead to privacy violations and the suppression of dissent.

Way Forward

The draft rules highlight the need for a balanced approach to data protection, focusing on securing individual privacy while fostering economic growth. It is suggested that the framework undergo scrutiny by parliamentary committees and include robust mechanisms to prevent misuse of authority. Adequate safeguards and transparency are essential to building trust among stakeholders and ensuring an effective data protection regime.