🚨 UPSC EXAM NOTES presents the January edition of our comprehensive monthly guide. Access it  to enhance your preparation. We value your input - share your thoughts and recommendations in the comments section or via email at Support@upscexamnotes.com 🚨

Critical Topics and Their Significance for the UPSC CSE Examination on January 22, 2025

Daily Insights and Initiatives for UPSC Exam Notes: Comprehensive explanations and high-quality material provided regularly for students

What do draft data protection rules state?

For Preliminary Examination:  Right to Privacy, Freedom of Speech

For Mains Examination: GS II - Governance

Context:

The Ministry of Electronics and Information Technology on January 3, 2025, released the draft rules for implementing the Digital Personal Data Protection (DPDP) Act, 2023 — 16 months after the law was notified in August 2023. The Union government is currently soliciting feedback on the draft rules through a fiduciary framework that effectively precludes both public disclosure and the submission of counter-comments

Read about:

Fundamental Rights

Fundamental Duties

Key takeaways:

On January 3, 2025, the Ministry of Electronics and Information Technology published draft rules for implementing the Digital Personal Data Protection (DPDP) Act, 2023, 16 months after the Act's notification in August 2023. The government is currently seeking feedback on the draft rules through a fiduciary framework, which excludes public disclosure and submission of counter-comments. Critics argue that the draft rules, alongside the legislation, fall short of creating a robust data privacy framework and have called for parliamentary scrutiny of the rules by a standing committee.

What is the Data Localisation Mandate?

• The draft rules introduce a data localisation requirement that goes beyond the DPDP Act's original scope. Data localisation involves restricting the flow of data to remain within a country's borders.
• While the DPDP Act permits restrictions on personal data transfers only to specified notified countries, the draft rules propose establishing a government-appointed committee to identify categories of data that cannot be exported from India.
• This mandate primarily targets significant data fiduciaries (SDFs), designated by the government based on the volume and sensitivity of the personal data they handle. Major tech firms like Meta, Google, Apple, Microsoft, and Amazon are likely to fall under this classification.
• The localisation push seems to address law enforcement agencies' difficulties in accessing cross-border data for investigations. A similar precedent exists in the Reserve Bank of India's 2018 directive requiring payment data operators to localise their data within India. Currently, financial, payment, and insurance data must be stored domestically, with overseas copies allowed only for international transactions.
• To prevent disruptions to industries, the government plans to form a central committee to coordinate with other ministries and regulators for implementing data localisation uniformly. Union Minister of Information and Broadcasting Ashwini Vaishnaw indicated that industries would be given a two-year timeline to build the necessary infrastructure for compliance.

Concerns of Executive Overreach

• Section 36 of the DPDP Act, along with Rule 22, grants the government broad powers to request “any” information from data fiduciaries or intermediaries to safeguard national sovereignty, integrity, or security. Experts caution that such expansive powers could be misused for surveillance or stifling dissent.
• Additionally, the provisions may pressure social media platforms to weaken end-to-end encryption, as highlighted by Meta-owned WhatsApp in its 2021 challenge to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules.
• Rule 22 also prevents companies from disclosing information about government data reque