The much-awaited Draft Data Protection Rules, 2024 are out. These rules are meant to clarify the obligations set forth in the Digital Personal Data Protection Act, 2023 (DPDPA). These rules merit close examination. This blog looks at three less-discussed ambiguities.
• Targeting Specific Sectors: E-commerce, social media, and gaming companies face stringent data retention rules, despite data breaches being more prevalent in healthcare, telecom, and government sectors. The rationale for targeting these industries is unclear.
• Rule 9 May be Impractical and Redundant: Mandating a senior officer to handle user queries about data processing overlaps with existing requirements, and risks compromising system integrity.
• Children’s Safety Risks: Complex age verification mechanisms and restrictions on behavioural monitoring might lead to children falsifying their age and being exposed to inappropriate content. Narrow exemptions for safety tracking further complicate implementation.
Unclear Rationale for Targeting Specific Sectors for Measures Limiting Data Retention
Some of the rules fail to establish a clear nexus with privacy-related objectives. For instance, e-commerce and social media companies with 20 million Indian users, and gaming companies with five million Indian users must erase user data within three years of collecting it for a specific purpose, even if users do not request the deletion of their data within this period. The intent to minimise data retention aligns with the principle that over-retention potentially increases exposure to risks like breaches and identity theft. However, the rationale for singling these industries out remains unclear.
In recent years, major data breaches predominantly occurred in other industries.
In 2023, the Indian Council of Medical Research leak exposed the sensitive data of 81.5 crore Indians on the dark web. In 2024, the BSNL leak revealed 278 GB of telecom data. Other notable data breaches include an Indian electronics company (7.5 million customers) and government organisations, such as the SPARSH pension portal, Telangana Police’s Hawk Eye app, and Tamil Nadu’s FRS portal. Despite these incidents, these actors are not covered under the draft rules. Conversely, gaming, social media, and larger e-commerce entities, which have not featured prominently in headlines about data leaks, are subject to stringent data retention requirements. The Ministry of Electronics and Information Technology (MeitY) must aim to provide empirical justification for singling them out, as well as clarify why other sectors, where breaches were common, were not included.
Rule 9 is Seemingly Impractical and Potentially Redundant
Certain provisions also appear impractical and counterproductive. Rule 9 requires data fiduciaries -- entities that collect and process personal data -- to provide the contact information of an officer who can answer a user’s questions about the processing of their data. While transparency is important, this requirement overlaps with the obligation of providing detailed information in consent notices about how and why the user’s data is being processed, raising questions about its necessity.
A data protection officer would have to be quite senior if they are to be privy to data processing operations across a large company. How are they expected to have the time to field questions from consumers – in addition to overseeing internal compliance with the DPDPA? The provision may even be used by competitors to try to obtain commercially sensitive information through strategic queries. Some organisations also silo information about data processing and flows across different verticals to enhance system integrity.
Unintended Consequences on Children’s Safety
The Rules inadvertently compromise the safety of children online. They introduce a complex age verification mechanism, which creates disincentives for children to be forthright about their age when signing on to a platform. A recent report by Ofcom, the UK’s digital regulator, for instance, finds that over 35 percent of children falsify their age online. This behaviour is more likely to expose children to content that may not be suitable for them.
The prohibition on tracking and behavioural monitoring of children under Section 9(3) of the DPDPA further complicates the issue. While the intention is to protect children from targeted advertising, it hinders platforms from identifying problematic or risky behavioural patterns as they would not be permitted to oversee children’s activity. Rule 11(2) attempts to address this by exempting tracking activities for, among other things, safety purposes, but limits its scope so narrowly that the exemption is rendered useless.
Specifically, in the context of safety and security, a data fiduciary may track a child to ensure that information likely to be detrimental to their well-being is not accessible to them. On a plain reading, this would indicate an expectation that the data fiduciary must pre-emptively block any and all content that could undermine the welfare of a minor. The provision is impractical, as it is impossible to discern beforehand what may potentially harm the interests of a child. Seemingly innocuous things can also have a deleterious effect. For instance, seeing the image of a model could make a teenage girl feel insecure about her appearance. But such media is not limited to the online world. The girl could just as well have seen the same or similar models in a magazine or on a billboard advertisement. It is unclear how MeitY envisions the implementation of this provision.
In addition, depersonalisation of the online experience seems counterintuitive to safeguarding the interests of children online. On a de-personalised digital platform, a minor will come across random content, not necessarily things they are interested in. This is likely to further incentivise children to falsify their age, thus increasing the risk of their exposure to further harm online.
The purpose of the Rules is to bring clarity around the implementation of the DPDPA. The draft currently points to a muddled vision for how MeitY wants data protection to work in the country. Ideally, a data protection law should work to guard against leaks and breaches. It should also refrain from making it difficult for digital businesses to operate. The European Union’s General Data Protection Regulation serves as a cautionary tale, where overly stringent rules have increased costs and stifled innovation. MeitY must go back to the drawing board and reassess these provisions to ensure they align with both the protection of personal data and the practical realities of carrying on a digital business in India.