Rules should not be Ultra-Vires the DPDPA 2023.

Ever since the Government of India notified the draft rules under the DPDPA on January 3, 2025, there have been hectic discussions in industry circles about understanding the rules and suggesting changes. It is understood that more than 6000 comments have already been received by MeitY, and obviously many more will be received before 18th February 2025, which is the last date fixed for filing public comments.

Under these circumstances, the demand of one section of the industry that more time is required for filing comments and that the last date for submission should be extended is meaningless. We therefore hope that the consultation process will end on 18th February 2025 and that MeitY will release the final version of the rules shortly thereafter.

A large number of discussions in industry fora tend to demand that MeitY give a checklist of how to comply with the law so that compliance can be simplified and automated. An industry bitten by the AI bug wants a "DPDPA Compliance algorithm" which, at the click of a button, will generate a DPDPA compliance structure for a company. While the new generation of AI tools can generate a well-drafted DPDPA compliance policy for an organization at the click of a button, DPDPA compliance is a "Legal Compliance", and automation will have its own limitations in arriving at a human-like compliance structure.

Further, "Compliance" does not end with the generation of some 20-30 policies which a company takes on record. They have to be converted into practice, for which a "DPDPA Compliance Culture" is required to be developed across all members of the workforce of an organization and its business associates. Hence human intervention in compliance is essential, and this does not happen with "Automation".

At present, companies are using all their clout to convince MeitY to convert the rules into a "Check List" so that they can make their compliance work easy. The public consultations at which representatives of MeitY are present are therefore often used as a means of convincing the Government that a point-by-point "To Do List" should be released as the Rules.

The Government seems to be well aware that if it falls into this trap, some rules may be termed "Ultra Vires the Act" and a legal challenge may emerge against the entire set of rules. Big Tech, which is at the forefront of such litigation, is perhaps already in the process of drafting its objections, whether on the infeasibility of "Verifiable Parental Consent" or "Data Localization" or any other provision, to claim that the rules are "Vague", "Impractical", "Killing innovation", "Causing a chilling effect on the industry", etc.

It would therefore be wise for MeitY to avoid the trap by adopting a "Risk Avoidance" strategy and releasing only such rules as are necessary and mandated by the DPDPA 2023, and nothing more. Just as we say that data should be shared on a "Need to Know" basis to reduce risk, it is recommended that MeitY notify only such rules as fit the criterion of "Need to Notify" and avoid excessive clarification.

Since whatever notifications or advisories come directly from MeitY will be considered "Subordinate Legislation", they will be used in Courts to defend disputed compliance.

It is often seen in ITA 2000 disputes that defendant companies say, "I hold an ISO 27001 certificate and hence am in deemed compliance with Section 43A of ITA 2000, and hence should not be held liable for any negligence." Similarly, any announcement by MeitY, whether through a notified rule or an advisory, that a certain compliance may be achieved by XYZ method becomes subordinate legislation.

For example, if MeitY says that personal data may be anonymized with the use of Technology A, then Technology A becomes the "Deemed Compliance" for anonymisation and will be used in defence in the Courts, even though it might have failed to prevent a given data breach.

Hence one of the first principles that MeitY should adopt is that "the Law is already there and the Rules can only be made as required under the Law", and nothing more. It is for the industry to find ways of complying with what the law intends and to defend its means in the Courts when a dispute arises.

The outer boundary of the rules should therefore be Section 40, sub-sections (a) to (z).

In the next article, let us explore these 26 sub-sections of Section 40, which the Law prescribes as the limits of rule-making, map them against the 22 rules presently notified, and see where there is a risk of the rules being "Ultra Vires".

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.