## Full Text
*Ported over from LinkedIn with [permission](https://www.linkedin.com/feed/update/urn:li:activity:7281190748845154305?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7281190748845154305%2C7281231768341377025%29&replyUrn=urn%3Ali%3Acomment%3A%28activity%3A7281190748845154305%2C7281950568611303424%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287281231768341377025%2Curn%3Ali%3Aactivity%3A7281190748845154305%29&dashReplyUrn=urn%3Ali%3Afsd_comment%3A%287281950568611303424%2Curn%3Ali%3Aactivity%3A7281190748845154305%29)*
(Part 1/3 - see comments for 2 and 3)
As promised - impressions from the draft DPDP Rules (just re-emphasising the 'draft' part - it will at least be a few months, being optimistic, to see the final notification). The DPDPA uses the phrase 'as may be prescribed' around 31 times, but the Rules also leave a lot more cans to be kicked down the road. I'll say again, even with the Rules, the DPDPA is an entirely inadequate legislation to deal with privacy harms and is an entirely missed opportunity to have learned from the failures of the notice-and-consent model around the world. There is nothing revolutionary, and it is outdated to deal with the forms of material and non-material harms we see unfolding every day, especially in relation to algorithmic opacity and behavioural data collection.
1. The rules on the form of a privacy notice and reasonable security safeguards would actually be easy to comply with; if you have a halfway decent privacy program, these would already be things you include in your notice and undertake as safeguards. Especially if you have a good infosec function and are ISO compliant, 99% of this is taken care of, with a few small tweaks on data subject rights and making complaints to the Board. Data principal rights can be integrated into existing grievance redressal systems.
2. Many things are still up in the air. ==Consent manager requirements are spelled out when it comes to net worth, but not much else - it looks like the Board will have a heavy hand in evaluating the viability of a consent manager's operations, and we will only really know how this plays out once we have the Board. But it is unclear whether the consent manager is a company that can ONLY carry out the function of consent management (for example, like Account Aggregators), or can be a company which offers consent management as a part of a suite of services. In that vein, I see many overlaps with the Account Aggregator framework.==
3. Data breach rules might scare people, but there is sufficient language around it to request permission from the board, and also a lack of clarity on when one 'becomes aware' of a breach. Again, I don't think we can speculate much until the Board starts dealing with breaches.
4. Sweeping exemptions for the government to call for information and personal data are even more sweeping. The criteria to call for this info under the Seventh Schedule of the Rules could encompass anything under the sun.
5. Parental verification and associated due diligence obligations are...weird. Not only from the perspective that verifying government ID details of every parent and child is a compliance headache, but I do not think it solves for harms faced by children online (the 2018 and 2019 drafts had much more robust provisions to this effect).
[CONTINUED IN THE COMMENTS]
(2/3) 5. The Fourth Schedule exempts some entities from compliance with the provisions on children's data - exempting from the parental verification may be understandable, ==but why exempt from the prohibition on targeted advertising and behavioural monitoring of children?== Why would these entities even need to do that?
6. ==Cross-border transfers, again subject to future orders, with Significant Data Fiduciaries needing to follow additional localisation requirements which are very vague and broad - again, I think localisation is a misplaced regulatory priority.==
7. ==Rules on data deletion after a certain time period (3 years) apply only to online gaming cos, e-commerce, and social media - why? Why 3 years? What if the purpose is actually fulfilled earlier? Confusing.==
8. Significant Data Fiduciaries - have some basic heightened due diligence obligations, which a big tech co should be doing anyway, with the extra nod that they should ensure that 'algorithmic software' should not 'pose a risk to the rights of data principals'. ^6054ee
(3/3)
==I have been talking about algorithmic accountability provisions endlessly, but if you are going to introduce them, it should be in the Act, and should be MUCH less vague. E.g., what rights? Rights under the DPDPA? Or fundamental rights? No clue. Also, we still don't know which entities will be SDFs.==
> [!note]
> My reading is that this pertains to Rights of a Data Principal under the DPDPA.
Ultimately, many of these issues are fleshed out in enforcement, if we can learn from the GDPR experience. ==One hopes that the Data Protection Board is an active body which continually works to issue opinions like the European Board, but many of the functions that would enable that have been removed in the DPDPA, and every aspect of the Board's functioning is in substance overseen by Central Govt.==
> [!note]
> I keep thinking of the reported 2 Cr outlay in the budget.
I might say that the Act and Rules together are a sheep in wolf's clothing, but the sheep is vague and the wolf is even more so.
## Colophon
title:
type: [[full-text]]
url:: https://www.linkedin.com/feed/update/urn:li:activity:7281190748845154305/
date:: [[2025-01-04]]