On 3rd January 2025, the Ministry of Electronics and Information Technology (“MeitY”) released the draft Digital Personal Data Protection Rules (Draft DPDP Rules 2025) while inviting objections and suggestions on the same till 18th February 2025. In this blog post, we will look at how the framework for consent – as elaborated within the draft Rules – is likely to impact the people of India and their everyday usage of the digital ecosystem. Relevant provisions governing this aspect seem to discount the power dynamics between the everyday Indian user and a Data Fiduciary. The first part of this blog post will analyze whether the notice requirements (as prescribed under Rule 3) align well with the extant framework within the Act. Thereafter, the second part will unravel how the Consent Management provisions under the draft Rules are likely to impact Indian users. Finally, we will analyze which aspects of foreign data protection laws can be or have been adopted – given the primary framework in the Act.
The framework under the Act and the draft Rules seems to assume an ideal dynamic between the Data Fiduciary[1] and the Data Principal[2] – where the former is sufficiently accountable and transparent towards the latter. However, scholars have commented on the power imbalance between the average user of digital platforms and the corporations that control them.[3] In its current form, the framework fails to recognize this power dynamic or to even the odds. In fact, the legislative intent is shaped more towards enabling data processing – without ensuring adequate safeguards.
Analysis of Proposed Framework
Notice to Data Principals
Under the Act, Data Fiduciaries cannot process any digital personal data without obtaining consent from Data Principals that is “free, specific, informed, unconditional and unambiguous with a clear affirmative action”.[4] However, the text of Rule 3 only prescribes how the Data Fiduciary will provide notice to obtain the Data Principal’s consent for processing their personal data. There are quite a few gaps –
- Notably, Data Fiduciaries are required to limit processing to the personal data that is necessary for the specified purposes.[5] However, Data Fiduciaries are not effectively guided on how to obtain consent in such a manner. Arguably, Data Fiduciaries could also obtain consent for data processing that is not necessary for the specified purposes. This could dilute the data minimisation principle in practice.
- Data Fiduciaries do not have enough guidance on how to obtain consent in a manner that is ‘unambiguous’ and ‘unconditional’.[6] Rule 3 only prescribes how Data Fiduciaries can inform Data Principals about the purposes and the nature of personal data that will be collected.
- Additionally, Data Fiduciaries do not have enough guidance on how to receive consent for data processing through a clear affirmative action. This is crucial as the parent Act conveys an intent that the provision of consent and its acceptance would signify an agreement. Data Fiduciaries have extensive flexibility to determine exactly what could constitute a ‘clear affirmative action’.
- This further dilutes the agency of the Data Principal, as the Act requires that consent for data processing be obtained for a limited set of purposes. Rule 3(b)(ii) of the draft Rules does not necessarily limit the “specific purpose” in relation to the personal data being collected. Rather, it requires the specified purposes to be stated in relation to the goods and services.
- Under the Act, Data Principals should be able to withdraw consent from a Data Fiduciary through a Consent Manager. However, Rule 3 does not elaborate how a Consent Manager will be involved in the event a Data Principal wants to withdraw consent for processing of their personal data. The clause does not mention the latter anywhere.
Qualifications of a Consent Manager
It remains unclear how the Board will determine whether an applicant has sufficient technical, operational and financial capacity to fulfil its obligations. Additionally, Consent Managers will be directly accountable to Data Principals. There is no transparency mechanism for the Board to evaluate how capable an applicant/Consent Manager is of fulfilling its obligations towards Data Principals.
Again, vague terms like “general reputation” and “record of fairness and integrity” are used. These are, in substance, normative obligations and not legal obligations unless they are linked to relevant provisions in an existing law. Standards must be prescribed on how Consent Managers will act in the interests of the Data Principal. Moreover, applicants/Consent Managers should operate in a manner that is in the “best interests” of Data Principals.
Obligations of Consent Manager
Consent Managers are not specifically obligated to obtain consent from Data Principals in the manner specified under Section 6(1) of the Act. It is critical that such essential obligations are directly linked to the language and the spirit of the Act itself. Instead, the primary focus of obtaining this consent seems to be to facilitate processing of personal data rather than ensuring transparency and accountability from Data Fiduciaries vis-à-vis Data Principals.
Consent Managers are required to act in a manner that does not involve any conflict of interest with Data Fiduciaries. However, Part B fails to elaborate on the situations that could give rise to such a conflict. Vagueness on this front will complicate implementation and leaves Consent Managers in the dark on how to protect Data Principals’ interests while avoiding such conflicts.
Comparative Analysis with Data Protection Frameworks in European Union, United States of America and Brazil
Scope
While the Act takes some inspiration from the structure of the European Union General Data Protection Regulation (“GDPR”), the two legislations are, in substance, quite different. The GDPR prioritizes privacy as a whole, whereas the Act takes a different approach in some key areas. Firstly, the scope of the Act is limited to personal data that has been digitised or will be digitised.[7] This could be primarily attributed to the Government of India’s vision of achieving greater levels of digitisation across government services and building a more prolific digital public ecosystem. Additionally, the Act deviates from the GDPR because it does not incorporate or implement the principles of data minimisation, accuracy and storage limitation.[8]
No transparency for third-party data sharing
Further, the Act, paired with the draft Rules, does not mandate that Data Fiduciaries provide information to Data Principals on the sharing of digital personal data with third parties. Rule 3 should provide for this information as well, since this would ensure a higher level of privacy protection, transparency and accountability towards Data Principals. Similar provisions exist in the California Consumer Privacy Act in the USA, where third parties are obligated to the same extent as businesses (the CCPA equivalent of Data Fiduciaries).[9]
Broader concerns with the notice framework
Data Principals are likely to possess a more diluted form of agency – specifically when they intend to withdraw their consent for processing of their digital personal data. While the Act prescribes that the ease of withdrawing consent should be comparable to the ease of giving such consent,[10] it also burdens Data Principals with certain unspecified and discretionary consequences under Section 6(5). This could, in practice, create difficulties for Data Principals where Data Fiduciaries create mechanisms to discourage users from opting out – even if they are apprehensive about an application or software’s privacy implications. Additionally, the draft Rules could adopt provisions from the Brazilian law – which places the onus on the data controller to demonstrate that consent was duly obtained in compliance with the law.[11]
Lack of Necessity in Purpose Limitation
Given the principles established within the Act, the draft Rules do not necessarily require Data Fiduciaries to limit the collection of personal data to the specified purposes. Rule 3 only requires Data Fiduciaries to state both of these aspects in an itemised form. Rule 3 could have taken inspiration from the GDPR – which prescribes a test for evaluating whether consent for data processing was freely given. Article 7, Paragraph 4 states that “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. The addition of such a rule would ensure that Data Principals are not coaxed into consenting to divulge digital personal data that is not necessary for
[1] “‘Data Fiduciary’ means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”, Digital Personal Data Protection Act, § 2(i) (2023) (India).
[2] “‘Data Principal’ means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such child; and (ii) a person with disability, includes their lawful guardian;”, Digital Personal Data Protection Act, § 2(j) (2023) (India).
[3] Tuulia Karjalainen, The battle of power: Enforcing data protection law against companies holding data power, 47 COMP. L. & SEC. REV. (2022), https://www.sciencedirect.com/science/article/pii/S0267364922000851; E. Carmi & S. Yates, Data Citizenship: Data Literacies to Challenge Power Imbalance Between Society and “Big Tech”, 17 INT. J. COMM. 3619, 3619-3637 (2023), https://openaccess.city.ac.uk/id/eprint/30525/1/Data%20Citizenship%20-%20Data%20literacies%20to%20challange%20power%20imbalance%20between%20socirty%20and%20big%20tech.pdf.
[4] Digital Personal Data Protection Act, 2023 [“the Act”], sec. 6(1).
[5] Ibid.
[6] Ibid.
[7] The Act, sec. 3.
[8] GDPR, art. 5.
[9] Cal. Consumer Privacy Act § 1798.100.
[10] The Act, sec. 6(4).
[11] Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais), Law No. 13.709 of 2018, art. 8 (Brazil).