What do draft data protection rules state?
- January 23, 2025
- Posted by: OptimizeIAS Team
- Category: DPN Topics
Sub: Sci
Sec: Awareness in IT and Computer
Context:
- Recently, the Ministry of Electronics and Information Technology (MeitY) released the draft rules for implementing the Digital Personal Data Protection (DPDP) Act, 2023.
- This comes 16 months after the Act was notified in August 2023, and the government is seeking feedback on the draft rules.
- There are concerns about the limited public disclosure of the draft rules and the lack of mechanisms for submitting counter-comments.
Data Localisation Mandate:
- Definition: Data localisation refers to the requirement that data must be stored and processed within a specific jurisdiction, limiting its flow across borders.
- Changes in Draft Rules: The draft rules introduce a data localisation mandate that extends beyond the scope of the original DPDP Act. While the Act allows data transfer restrictions to certain countries, the new rules propose forming a committee to determine which classes of data cannot be exported from India.
- Targeted Entities: The data localisation mandate applies to Significant Data Fiduciaries (SDFs), which include major tech companies such as Meta, Google, Apple, Microsoft, and Amazon. These entities are defined based on the volume and sensitivity of the personal data they handle.
- The government plans to provide a two-year timeline for the industry to implement systems for compliance with the localisation mandate.
Purpose of Data Localisation:
- The primary reason behind data localisation is to address challenges faced by law enforcement agencies in accessing cross-border data during investigations.
- For instance, the Reserve Bank of India implemented a similar mandate in 2018 requiring payment data operators to store data domestically.
Operational Challenges:
- Industry experts, including Aparajita Bharti, highlight that data localisation could present significant operational challenges, especially for large tech firms and start-ups.
- Managing different data sets and ensuring compliance across multiple jurisdictions can increase operational costs and complicate business operations.
Fear of Executive Overreach:
- Section 36 of the DPDP Act, along with Rule 22, grants the government sweeping powers to demand information from data fiduciaries or intermediaries in the interest of national security, sovereignty, or integrity of India.
- Experts worry that this could lead to misuse, enabling surveillance or suppression of dissent.
- These powers could also compromise end-to-end encryption for services like WhatsApp, a concern Meta raised in 2021 regarding the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules.
- Rule 22 further prohibits companies from disclosing government demands for information if it could jeopardize national security or sovereignty. This provision raises alarms over transparency and accountability.
Justice A.P. Shah Committee:
- The 2012 recommendations of the Group of Experts on Privacy, led by Justice A.P. Shah, suggested that individuals subject to data interception should be notified.
- The DPDP Act, by contrast, lacks such safeguards, potentially allowing authorities under political influence to misuse interception orders.