‘There is a broader pattern of executive overreach and vague governance’
| Photo Credit: Getty Images/iStockphoto
In August 2024, as India marked six years since the K.S. Puttaswamy judgment reaffirmed privacy as a fundamental right, the Internet Freedom Foundation hosted its annual “Privacy Supreme” event — not as a celebration, but as a sombre reflection on its unfulfilled promise. Social activist Nikhil Dey shared chilling accounts, from Ajmer in Rajasthan, on how Aadhaar, heralded for efficiency, has excluded vulnerable residents from pensions and rations. This grim reality must be central to tech policy discussions, including the Draft Digital Data Protection Rules, 2025.
Executive overreach, scant transparency
Rulemaking typically fleshes out legislation, ensuring laws passed by Parliament are enforceable while maintaining administrative flexibility. Yet, the draft Data Protection Rules provoke concern on questions of executive overreach and vague governance. Some earlier analysis here bears repetition for these rules are a conscientious pupil in obedience of its master. Here, its parent is the Digital Personal Data Protection Act, 2023, that was rammed through Parliament as “a product of the subversion of the democratic process”. There is more than a mere lack of trust in how the law was created, for its substantive provisions advance a broader policy of “total state control — a digital leash to yank us and make us stand in line than to serve the preambular objectives of the Constitution of India”. Its provisions are deliberately vague, granting broad discretion under the nebulous phrase “as may be prescribed”.
Editorial | No secret affair: On the draft Digital Personal Data Protection Rules, 2025
Despite the Act’s swift passage on August 9, 2023, its implementation remains in limbo. Sixteen months later, the draft Rules have been unveiled for consultation. But are they truly “public”? Published as a 51-page pdf (in Hindi/English as a gazette notification), with a three-page explanatory note that reads as AI glop, a simplistic and vague summary offers little insight into the policy choices during drafting. Comments can only be submitted through the MyGov platform that might encourage expert input but restricts broader participation. Transparency is undermined by the government’s decision to treat submissions as fiduciary, precluding public disclosure and counter-comments. This controlled feedback process resembles a “corporate consultation” rather than a public one.
Substantively, the Data Protection Rules build on a framework of intentional vagueness and executive dominance. Many compliance obligations are either self-determined by companies handling personal data or left to government discretion. Consider Rule 3, which governs consent notices. It mandates “clear and plain language” but fails to define these terms, leaving interpretation subject to India’s vast linguistic and comprehension diversity. Without specific standards, notices risk being overly generic or oversimplified, omitting critical details. Similarly, while the Rules require an “itemized description” of data, they do not clarify whether the disclosure is for categories such as financial or health data; or to specific data points such as account numbers, or even metadata and inferred data. Nor do they define timelines for data breach notifications to users, raising risks for individuals in urgent situations. Such ambiguities, if purely administrative, should have been resolved by the standard setting powers of an independent regulatory authority that does not exist.
No independence for Data Protection Board
The vagueness reflects deeper structural flaws. The Act eschews the creation of an independent regulatory body, instead, consolidating power within the Union Government. Through informal interactions and gazette notifications, the government wields unchecked authority over citizens and the digital marketplace. Even the Data Protection Board (DPB), which has a limited ambit of jurisdiction to adjudicate on breaches, lacks independence. The Board’s chairperson is selected based on recommendations of a search and selection committee chaired by the Cabinet Secretary, raising critical concerns. How will the committee address the critiques of political control that plague similar appointment processes? What value does the search committee offer when it has advance knowledge that its recommendations are not binding on the Union Government?
Even after its formation, the DPB is hamstrung. Its authority is largely limited to determining data breaches, and its independence is compromised by service conditions of its members to central government employees. This contravenes long-standing recommendations, such as the 2006 Planning Commission consultation paper on regulation, which emphasised that “the selection, appointment, and removal of chairpersons and members should be insulated against any perceived interference or manipulation that may influence the outcome”. How will a subservient DPB apply data protection effectively? Rule 5 exempts data processing for subsidies from consent requirements. In such cases, can there be any meaningful accountability? It is not unreasonable to foresee scenarios where the DPB may fail to act promptly or effectively, particularly when complaints involve powerful government entities such as the UIDAI that handles Aadhaar. It raises fundamental doubts about what it means for community organisations that may approach it for redress on user rights for things as simple as getting a data record corrected to receive rations.
Finally, regarding Rule 22, which contains the power of the government to requisition information, there is an absence of limitations and safeguards. As many may read this column, they may still wonder why the data protection rules are too late, too little, too vague? The answer may be provided by Mr. Dey who framed his characterisation of the digital policies of the Indian state with a reference to Through the Looking-Glass. When Alice probes Humpty Dumpty on how the same word can have different meanings, his reply captures the core of India’s data protection regime: “The question is… which is to be master — that’s all.”
Apar Gupta is an advocate and the founder-director of the Internet Freedom Foundation
Published – January 13, 2025 12:08 am IST
