DailyPost 3060
DIGITAL PERSONAL DATA PROTECTION (DPDP) RULES 2025
The agony of living in the digital world does not seem to end anytime soon, given the direction the statute and rules pertaining to data protection are taking to get operational. This is not to forget the time being taken for the purpose. Right to Privacy was declared the fundamental right way back in 2017 and now in the beginning 2025 we have the draft rules circulating for getting feedback. From the feedback to finalisation, to the structures coming in place and law hitting the ground may still take around two years. If hurried, it would be adding insult to injury, by which I mean, it might be unleashed with congenital flaws.
While the Puttaswamy case judgement ushered in hope to bring privacy to a pedestal it deserved. It was diluted to mean privacy in the digital world only. Even that accepted, Justice Srikrishna Committee’s report and draft bill digital personal data protection was diluted in the final bill tabled, which later went to the Joint Parliamentary Committee for consultation with experts and stakeholders. It was finally passed in 2023. The dye was cast and rules had to fill the template provided. It could not even be done. It is bereft of the techno-legal nature of the statute, and has not been able to provide operational teeth to the legislation.
In the current system, data is not under our control and the vast majority of data principals are not even aware of that situation either. Throughout the rules there is no effort discernible that the effort to retrieve the lost ground. What is nearly clearly visible is that consent becomes the main tool in the hands of the data principal or data owner. How does it anyway differ from the nature of consents taken today? How many of the data owners would even be aware of it? Who knows the current scenario may keep continuing while the law remains promulgated. A new concept messes the story further, that of the creation of a layer of Consent Managers between Data Principal and the Data Fiduciary.
For having another private sector entity to service him, what would be the cost and effort involved for the hapless owner of data? For the vast majority the current situation would be fine. With barely any accountability fixed on Data Fiduciary at the granular level, and the National Data Protection Board having no idea of the data life cycle, algorithm and the third party ecosystem, very little can really be done. We leave to his goodness of heart broadly, that also for entities for whom the analogy of fence eating the crop ideally fits. The government has broadly excused itself to be treated as Data Fiduciary and also reserved all rights to play around with data, sectors and business entities in the manner it desires. There has never been a poorer owner in human history than the data owner.
THE BURDEN OF THE LAW WILL REMAIN ON THE VICTIM OF THE DIGITAL WORLD – THE DATA OWNER.
Sanjay Sahay