13 Jan 2025 The Hindu Editorial
What to Read in The Hindu Editorial (Topic and Syllabus wise)
Editorial 1: India’s data protection rules need some fine-tuning
Context
The largely positive response to the Draft Digital Personal Data Protection (DPDP) Rules flows from its less prescriptive, principles-based approach.
Introduction
On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the much-anticipated Draft Digital Personal Data Protection (DPDP) Rules — a key moment in India’s journey to regulate digital personal data. This step follows the passage of the DPDP Act, 2023, bringing India closer to operationalising its framework for safeguarding personal data.
Departure from the Personal Data Protection Bill
- Overly restrictive and hostile to industry interests: The draft rules represent a departure from the earlier and controversial Personal Data Protection Bill, which many deemed overly restrictive and even hostile to industry interests.
- Extensive framing and consultations: The Bill underwent extensive framing, reframing, and consultations over nearly a decade.
- Rescinded decision: The Bill was rescinded when committees and government stakeholders wisely decided it was untenable.
- Principles-Based Approach: In contrast, the positive response to the DPDP Act and its accompanying rules, reflected in conversations with businesses and in media coverage, stems from the less prescriptive, principles-based approach of the draft rules.
- No rush to regulate under the “Brussels Effect”: The draft rules do not follow the earlier rush to regulate under the so-called “Brussels Effect”, where global digital rulemaking mirrored the European Union (EU)’s interventionist regulatory ethos.
- Criticism of the GDPR: The EU’s General Data Protection Regulation (GDPR), once hailed as a gold standard by privacy experts, now faces criticism for unintended consequences:
- Favouring well-resourced corporations.
- Stifling smaller enterprises.
- Failing to significantly enhance public trust in the Internet.
- Refreshing Alternative to the EU's Policies: India’s measured approach thus far offers a refreshing alternative to Europe’s interventionist policies.
The hits: pragmatism and flexibility
- Simplicity and clarity: One of the draft rules’ standout features is their principles-based framework for notice and consent.
- Cumbersome requirements of GDPR: While the GDPR has cumbersome requirements, such as notifying users of indirect data acquisition, cross-border data transfers, and automated decision-making processes, India’s rules emphasise simplicity and clarity.
- Reducing consent fatigue: This helps reduce “consent fatigue”, a significant issue in Europe, where users are inundated with unnecessary details, such as the location of data processing — information of little practical use.
- Growing frustration over consent pop-ups: In 2023, the European Commission introduced the Cookie Pledge Initiative to address growing frustration over incessant consent pop-ups.
- Burden created by prescriptive regulation: However, such course correction would have been unnecessary had the EU taken a less invasive approach to regulating user interfaces and consent mechanisms. The very existence of this pledge highlights the burdens created by prescriptive regulation.
India’s Approach to User Rights and Consent Mechanisms
- Outcomes over processes: India’s DPDP Rules sidestep these pitfalls by focusing on outcomes rather than processes, empowering users without drowning businesses and consumers in unnecessary complexities.
- Avoiding dictating details: The rules avoid dictating how entities should enable users to exercise their rights to correction, erasure, nomination, withdrawal of consent, and to seek information from entities.
- They require only the publication of relevant information on apps and websites.
- Respecting business autonomy: In contrast, the GDPR is prescriptive about how similar information should be presented, including instances where entities may need to provide this information orally to users.
- Why should the state dictate every aspect of an app or website’s design or user interface? India’s approach, thankfully, respects business autonomy and innovation.
Protection of Children’s Personal Data
- Stricter protection for children’s data: The processing of children’s personal data requires stricter protection compared to other types of data processing — which the rules provide for.
- Educational institutions and monitoring exemption: However, as more children engage with digital technologies online, they increasingly benefit from certain activities, such as monitoring and tracking, which are of value in specific contexts.
- Take the case of educational institutions, including supplementary education and vocational training services. They rely on activities such as behavioural monitoring and tracking to deliver targeted interventions tailored to students’ academic performance.
- Allowing Exemptions for Specific Industries: Recognising this, the rules thoughtfully allow exemptions for specific industries. Educational institutions, clinical and mental health establishments, allied health-care providers, and child-care centres are not required to verify parental consent for tracking and behavioural monitoring, as long as they adhere to guardrails.
- Demonstrating nuanced policymaking: The exemption for such industries demonstrates a nuanced understanding of industry-specific needs, reflecting the principles of thoughtful policymaking.
The misses: data localisation, overreach
- Complexity and ambiguity in Cross-Border Data Flow Restrictions: The draft rules are not without flaws. Their provisions for restricting cross-border data flows introduce unnecessary complexity and ambiguity.
- Localisation mandates for Significant Data Fiduciaries (SDFs): Significant Data Fiduciaries (SDFs) — large enterprises handling substantial data volumes — face potential localisation mandates that extend beyond the legislation’s original scope.
- Differentiation between SDFs and smaller entities: While the DPDP Act allows the government to restrict personal data transfers, it limits such action to specific notified countries. Differentiating between SDFs and smaller entities, where the latter enjoy relaxed transfer rules for the same data, creates the risk of regulatory arbitrage. Smaller entities could exploit the lighter regime to gain an unfair advantage.
- Investment deterrence and regulatory risks: These inconsistencies may deter investment and drive businesses out of India.
Localisation Provision and Law Enforcement Challenges
- Challenges faced by law enforcement agencies: The localisation provision likely stems from the challenges faced by law enforcement agencies in accessing cross-border data for investigations. While these agencies undeniably need access to such data, a narrower sectoral approach to localisation could prove more effective than a centralised one.
- Example of proportionate regulation: The Reserve Bank of India’s 2018 mandate for localising payment data is a prime example of proportionate regulation. Tailored specifically to the financial sector, it effectively addressed legitimate industry concerns without causing too many business disruptions.
- Balancing Security, Compliance, and Economic Competitiveness: Applying this approach to personal data could balance security and compliance with economic competitiveness.
Areas Requiring Greater Clarity
- Safeguards for verifying user requests: Some areas still require greater clarity. Businesses need safeguards to verify whether users requesting information about data processing are legitimate. This necessity is acknowledged even in the GDPR.
- Handling incessant or excessive information requests: However, India’s draft rules do not address scenarios where businesses face incessant information requests, nor do they give businesses scope to charge a reasonable fee for requests that are excessive or even unfounded.
- Access to sensitive business data: A related ambiguity is whether the government can demand access to sensitive business data. If so, how will it ensure the protection of such information from falling into the hands of competitors? What if this information is a trade secret?
- Need for procedural integrity: These gaps highlight the need for thinking about procedural integrity.
What lies ahead
- According to IBM, data breaches cost Indian businesses an average of ₹19.5 crore ($2.35 million) in 2024.
- Compliance with data protection laws should not be seen as a regulatory obligation, but as critical to protecting business reputation and ensuring continuity.
- India must also move beyond reliance on notice-and-consent mechanisms to safeguard citizens’ privacy in future laws.
- Notice and consent originate from the medical profession, where they can still be deemed to work effectively in controlled settings.
- However, in environments such as malls, airports, or even beaches, individuals have little opportunity to provide consent.
Conclusion
With the convergence of the Internet of Things, 5G, and artificial intelligence enabling unprecedented data collection, India must envision privacy frameworks that do not exclusively rely on the fallible principle of consent. As public consultations refine the draft rules, prioritising preservation of the framework’s flexibility and industry-specific accommodations is key. This approach will help maintain a balance between innovation, economic growth, and individual rights — something not many jurisdictions have managed to get right.
Editorial 2: The draft digital data protection rules will advance authoritarianism
Context
There is a common thread with the parent Digital Personal Data Protection Act, 2023, with its digital leash.
Introduction
In August 2024, as India marked six years since the K.S. Puttaswamy judgment reaffirmed privacy as a fundamental right, the Internet Freedom Foundation hosted its annual “Privacy Supreme” event — not as a celebration, but as a sombre reflection on its unfulfilled promise. Social activist Nikhil Dey shared chilling accounts, from Ajmer in Rajasthan, on how Aadhaar, heralded for efficiency, has excluded vulnerable residents from pensions and rations. This grim reality must be central to tech policy discussions, including the Draft Digital Data Protection Rules, 2025.
Executive overreach, scant transparency
- Rulemaking typically fleshes out legislation, ensuring laws passed by Parliament are enforceable while maintaining administrative flexibility.
- Yet, the draft Data Protection Rules provoke concern on questions of executive overreach and vague governance.
Digital Personal Data Protection Act, 2023
- The parent of the draft rules is the Digital Personal Data Protection Act, 2023, which was rammed through Parliament as “a product of the subversion of the democratic process.”
- There is more than a mere lack of trust in how the law was created, for its substantive provisions advance a broader policy of “total state control — a digital leash to yank us and make us stand in line than to serve the preambular objectives of the Constitution of India.”
- Its provisions are deliberately vague, granting broad discretion under the nebulous phrase “as may be prescribed.”
Delay in Implementation and Unveiling of Draft Rules
- Despite the Act’s swift passage on August 9, 2023, its implementation remains in limbo.
- Sixteen months later, the draft Rules have been unveiled for consultation.
- But are they truly “public”? Published as a 51-page PDF (in Hindi and English, as a gazette notification) with a three-page explanatory note that reads as AI glop, the simplistic and vague summary offers little insight into the policy choices made during drafting.
- Comments can only be submitted through the MyGov platform, which might encourage expert input but restricts broader participation.
- Transparency is undermined by the government’s decision to treat submissions as fiduciary, precluding public disclosure and counter-comments.
- This controlled feedback process resembles a “corporate consultation” rather than a public one.
Substantive Issues with the Data Protection Rules
- The Data Protection Rules build on a framework of intentional vagueness and executive dominance.
- Many compliance obligations are either self-determined by companies handling personal data or left to government discretion.
Rule 3: Consent Notices
- Rule 3 mandates “clear and plain language” for consent notices but fails to define these terms.
- This leaves interpretation subject to India’s vast linguistic and comprehension diversity.
- Without specific standards, notices risk being overly generic or oversimplified, omitting critical details.
Ambiguity in Data Disclosure
- While the Rules require an “itemized description” of data, they do not clarify whether the disclosure refers to categories such as financial or health data, or to specific data points such as account numbers, or even to metadata and inferred data.
- Nor do they define timelines for data breach notifications to users, raising risks for individuals in urgent situations.
- Such ambiguities, if purely administrative, should have been resolved by the standard-setting powers of an independent regulatory authority, which does not exist.
No independence for Data Protection Board
- The vagueness reflects deeper structural flaws in the Act.
- The Act eschews the creation of an independent regulatory body, instead consolidating power within the Union Government.
- Through informal interactions and gazette notifications, the government wields unchecked authority over citizens and the digital marketplace.
- Even the Data Protection Board (DPB), which has a limited ambit of jurisdiction to adjudicate on breaches, lacks independence.
- The DPB’s chairperson is selected based on recommendations of a search and selection committee chaired by the Cabinet Secretary, raising critical concerns.
- How will the committee address the critiques of political control that plague similar appointment processes?
- What value does the search committee offer when it has advance knowledge that its recommendations are not binding on the Union Government?
Limitations of the DPB After Formation
- Even after its formation, the DPB is hamstrung.
- Its authority is largely limited to determining data breaches, and its independence is compromised by service conditions that place its members on the same footing as central government employees.
- This contravenes long-standing recommendations, such as the 2006 Planning Commission consultation paper on regulation, which emphasized that “the selection, appointment, and removal of chairpersons and members should be insulated against any perceived interference or manipulation that may influence the outcome.”
Effectiveness of a Subservient DPB
- How will a subservient DPB apply data protection effectively?
- Rule 5 exempts data processing for subsidies from consent requirements. In such cases, can there be any meaningful accountability?
- It is not unreasonable to foresee scenarios where the DPB may fail to act promptly or effectively, particularly when complaints involve powerful government entities such as the UIDAI that handles Aadhaar.
- This raises fundamental doubts about what it means for community organisations that may approach it for redress on user rights for things as simple as getting a data record corrected to receive rations.
Conclusion
Regarding Rule 22, which contains the power of the government to requisition information, there is an absence of limitations and safeguards. Readers of this column may still wonder why the data protection rules are too late, too little and too vague. The answer may be provided by Mr. Dey, who framed his characterisation of the digital policies of the Indian state with a reference to Through the Looking-Glass. When Alice probes Humpty Dumpty on how the same word can have different meanings, his reply captures the core of India’s data protection regime: “The question is… which is to be master — that’s all.”
