How the draft rules for implementing data protection falls short

Sub: Polity

Sec: Legislation in news

Context:

After a prolonged wait of 16 months, the Ministry of Electronics and Information Technology (MeitY) has released the draft rules for the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act). These rules are open for public feedback until mid-February.

About the DPDP Act:

The DPDP Act is India’s first comprehensive data privacy law, which aims to regulate the collection, processing, and management of personal data in various sectors.
The DPDP Act establishes a legal framework for data protection in India, applying to all spheres of commerce and industry.
It outlines operational obligations for data processors, provides special protections for children, grants rights to users, and establishes a grievance redressal mechanism in the form of the Data Protection Board of India.

Key Provisions of the Draft Rules:

Notice and consent requirements for users when collecting and processing data.
Intimation of data breaches to affected parties.
Collection of parental consent for data processing involving children.
Data localization
Procedures for establishing the Data Protection Board.

Criticism of the Draft Rules:

Despite the extended period for drafting and consulting experts, the draft rules have been criticized for being vague and incomplete. They fail to provide the necessary operational clarity to ensure effective implementation of the DPDP Act.
Experts have called for more detailed guidelines and further consultations before finalizing the rules.

Shortcomings in User Rights Implementation:

The DPDP Act grants the users rights over their personal data, such as the right to access, correct, update, and erase their data. However, the draft rules do not provide clear instructions on how users can exercise these rights.
For instance, the right to erasure allows users to request the removal of their data, such as asking search engines to de-list certain links. However, the draft rules do not specify standards for processing such requests.
There is no mention of the conditions under which data processors may object to erasure requests, which could potentially impact third-party speech online.

Challenges in Protecting Children’s Data:

The DPDP Act mandates that data processors must obtain verifiable parental consent before processing the personal data of children under the age of 18. However, the draft rules fall short in providing a clear mechanism for verifying parental consent.
They fail to answer critical questions, such as how to verify parental identity, how to handle children lying about their age, or how to identify children sharing devices with family