Draft data protection rules can be improved - 20250109

## Colophon tags:: [[&arc]] [[&article]] [[* 2025 DPDPA Rules]] url:: https://www.hindustantimes.com/opinion/draft-data-protection-rules-can-be-improved-101736347719241.html date:: [[2025-01-09]] %% title:: Draft data protection rules can be improved type:: [[clipped-note]] file:: published:: 2025-01-08T20:18:38+05:30 [Click to Archive](https://web.archive.org/save/https://www.hindustantimes.com/opinion/draft-data-protection-rules-can-be-improved-101736347719241.html) %% archive:: ## Notes short:: ###### On Data Protection Board Lack of independence a continuing theme from the Act, and the need for it to be 'fourth branch institution' > The Data Protection Board is crucial to the functioning of the Act, as it constitutes, in essence, the infrastructure through which the law will be implemented. Potentially, and in many cases, the Board will be handling complaints against State organs for wrongful processing of data. In such a context, it is essential that the Board be adequately independent of the government. However, the Rules take forward the logic of the Act in setting up a procedure of appointment (through a search-and-selection committee) that is entirely under the control of the central government. The terms and conditions of the officers are also set within the rules, which makes them amenable to being altered through mere executive fiat. All of this raises doubts with respect to how independent the Board can truly be. ... > Many countries have entrenched the independence of data protection authorities or boards within the law to ensure that appointments and tenures are free of partisan political influence. Such authorities work as what are commonly known as “fourth branch institutions”; that is, a wing of the State that is separate from the legislature, the executive, and the judiciary, but performs vital functions in ensuring the implementation of rights, integrity and accountability in public functions. At the moment, under a combination of the Data Protection Act and the draft rules, the Data Protection Board falls short of being a genuine “fourth branch institution” — but there is still time to rectify this. ###### Data Processing by The State > ... the rules allow a very wide leeway to the State or its instrumentalities to process personal data to provide “any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds”. These are extremely wide categories, which risk undoing the fundamental premise of the law, which is that the consent of citizens is mandatory before collecting or processing their data. While in certain exceptional cases, it might be permissible to mandatorily collect data in violation of the right to privacy, the jurisprudence of the Supreme Court has made it clear that any such violation must take place strictly in compliance with the test of proportionality. The rules do not incorporate this test, and the safeguards they require (such as data minimisation) fall short of constitutional standards.