Holes In Digital Data Protection Rules: What Experts Say

The draft DPDP Rules leave major gaps in data protection, age verification and government accountability; policymakers may need to have a relook before taking a final call

The government's draft Digital Personal Data Protection (DPDP) Rules, which were opened up for public consultation, saw a stream of suggestions from expert bodies sent in this week. From a policy perspective, these suggestions shone a light on concerns about personal data protection and its bearing on privacy rights.

Parental consent for minors, cross-border data sharing and privacy rights were among the issues raised. Hopefully, policymakers will take these up with expert sub-committees and resolve them before the final rules come into play.

Here’s a look at the key concerns flagged by groups like the Internet Freedom Foundation (IFF), Indian Governance and Policy Project (IGAP), Indian Society of Artificial Intelligence and Law (ISAIL), and National Law University’s Centre for Cyber Laws (CCL).

Parental Consent For Minors

Rule 10 of the draft DPDP Rules deals with verifiable consent for processing data of children (below the age of 18) and disabled individuals. 

IFF’s concern is that neither the DPDP Act nor the draft rules require companies to verify the age of their users to ensure they are not children. “Instead, Rule 10 (1) requires the adoption of "appropriate technical and organisational measures", but does not specify how age verification or parental consent will be enforced.”

Without clear enforcement rules, platforms rely on self-declaration, which is either easy to bypass or leads to excessive identity checks. IFF says this could result in widespread internet age-gating and force platforms to collect sensitive guardian data, raising further privacy risks.

ISAIL also flags that there currently exists no liability framework for companies that fail to prevent minors from bypassing age restrictions.

CCL has a completely different take. It argues that the age limit of 18 is too high, and should be lowered to 16.

"In today's day and age, a child of age, say, 16-17 years, would be well aware of the kind of interactions they should be having online. Such a child would be less likely to divulge personal details, putting themselves or their families at risk, as compared to a child who is even younger," Aparajita Bhatt, CCL Director, told The Secretariat via email.

"This is comparable to adult maturity in that an adult would also be aware of their surroundings and would also likely not give out information and personal details that could put themselves or their families at risk."

Internationally, the General Data Protection Regulation (GDPR) sets the limit at 16 (with flexibility to lower it to 13), while the US requires parental consent for those under 13 on certain sites.

Cross-Border Sharing And Localisation

While the DPDP Act puts restrictions on transferring data to specific countries, Rule 14 talks about putting restrictions on government agencies of particular countries. As pointed out in IGAP’s recommendations, this wording shifts the focus from territorial restrictions to specific entities, thus creating a notable dissonance between the Act and the Rule.

IFF says that the new requirement might impose more stringent restrictions than under the Act’s blacklist model. IFF warns that this creates confusion for businesses, particularly foreign companies in India, adding compliance hurdles and increasing the risk of stricter localisation requirements.

IGAP, which shared its report with The Secretariat, suggests that to avoid confusion, Rule 14 should clearly distinguish between setting conditions for data transfers and completely restricting them. It also recommends that the rule's language align with Section 16 of the DPDP Act by specifying restrictions on transfers to countries or regions, rather than to individual people or agencies.

Meanwhile, ISAIL suggests that the government introduce sector-specific exceptions for businesses requiring global data transfers (e.g., fintech, telecom, e-commerce). It also recommends that the government align with global adequacy frameworks (e.g., GDPR, APEC CBPR) to create seamless cross-border data flow mechanisms.

Rule 22: Violative Of Privacy Rights?

Rule 22 of DPDP states that the central government can request a data fiduciary or intermediary to provide personal information when national security is at risk. The government can also compel a company to disclose an individual’s personal information without notifying the individual whose information is being disclosed to the government.

CCL says that this bypasses consent of the data fiduciary and undermines privacy protections as well as Supreme Court safeguards against state surveillance. It suggests that “any call for information shall be made via a formal written request by the authorities to the data fiduciary”.

It also suggests that there should be a review committee to oversee requests and a requirement to state why the information is needed. Companies must tell people when the government asks for their data, ensuring it follows legal rules on necessity and fairness. CCL also recommends a way to appeal decisions and an independent body to ensure transparency and accountability.

ISAIL’s report concurs and gives similar recommendations. It says that the rule is likely to be challenged in court as it violates the Supreme Court guidelines in PUCL vs Union of India, and is unlikely to fulfil the three-fold requirement of legality, legitimacy and proportionality laid down in the K S Puttaswamy judgement.

Meanwhile, IGAP says that the wording of Rule 22 is unclear about when and where confidentiality rules apply. This could lead to confusion about whether data fiduciaries are required to keep information requests private, or if they can disclose them in certain situations.

IGAP recommends that data fiduciaries receive clear guidelines on confidentiality when responding to information requests. It also points out that it is unclear whether companies are required to decrypt encrypted data when asked, even though another rule (Rule 6) requires them to keep data secure through encryption; IGAP therefore recommends that the rules clarify whether there is an obligation to decrypt data.

Meanwhile, IFF takes a more dramatic stance, calling for the complete removal of Rule 22. Why? Because, it says, Rule 22 sets no limits on how long data can be stored or how it can be used, raising privacy concerns, and gives the government broad powers to collect data without clear rules or transparency.
