The Draft Digital Personal Data Protection Rules: Surveillance For Surveillance’s Sake

By Rubayya Tasneem and Injila Muslim Zaidi
7 hours ago
Rule 22 of the Draft Digital Personal Data Protection Rules opens the door for unchecked government surveillance.

The Draft Digital Personal Data Protection Rules released on January 3 paint a worrying picture. Though aimed at establishing a comprehensive data protection framework, the Rules fall short in crucial areas like enforcement and transparency, with a particularly troubling provision under Rule 22.

The Digital Personal Data Protection Act, enacted in 2023, granted authority to the Union government under Section 36 to demand information from data fiduciaries or intermediaries. Rule 22 has taken this a step further, allowing the government broad discretion to demand sensitive personal data from companies without the consent of individuals, with the criteria under the Seventh Schedule of the Rules for such requests remaining vague and undefined.

What does it mean for personal data?

Under the Rules, one of the primary grounds to demand data is “in the interest of sovereignty and integrity of India or security of the State,” as outlined in the Seventh Schedule. This justification is alarmingly vague, allowing for potential overreach and arbitrary use without clear, enforceable limits.

Additional grounds for requesting data include “performing functions under existing laws, fulfilling obligations under any law in force, actions by persons authorised under applicable laws, and conducting assessments to designate certain entities as Significant Data Fiduciaries”. These broad and ambiguous criteria give government authorities almost unchecked power to access personal data whenever they see fit.

Notably, there is no requirement for a formal, written request by the authorities, who are themselves appointed by the government. This creates a system where government-appointed agents can demand sensitive information at will, bypassing the need for individual consent and raising significant concerns about privacy and misuse of power.

Second, Rule 22 permits the government to withhold information if its disclosure is deemed to jeopardise national security or sovereignty. The phrasing – “prejudicially affect the sovereignty and integrity of India or security of the State” – is alarmingly broad and could be invoked without clear, enforceable limits.

In the past, such vague language has been used to render the state’s actions hard to challenge, and this case may be no different.

Rule 22 also does not have any safeguards for when the government requests information, which grants it broad and unfettered power without clear limitations, exceptions or oversight. This provision bypasses the safeguards established by the Supreme Court in PUCL v. Union of India (1997), which held that intercepting communications violates the constitutional right to life and personal liberty unless done through a legally established procedure.

The judgment mandated specific safeguards, including oversight by a review committee and a requirement for requests to detail the intended use of the information. Rule 22 undermines these protections, allowing government authorities unchecked access to personal data.

The other, bigger problem with Rule 22 is that it does not have a requirement for an independent review mechanism to check the legitimacy or necessity of the government’s demands for data to ensure that they are reasonable, justified or proportionate.

This leaves room for arbitrary use. In fact, without proper oversight, the rule has the potential to enable covert surveillance programs that bypass checks and balances and can lead to excessive data collection and the monitoring of ordinary citizens by the government.

Finally, there is no mechanism to challenge such requests: data fiduciaries and intermediaries may not have an effective way to contest data demands from the government, potentially resulting in a surveillance state without public awareness or recourse.

We have often seen how overbroad directions for censorship have been made and required to be kept confidential under Section 69 of the IT Act, 2000. Such an opaque framework has prevented social media users from challenging the takedown of their content before a court and is at the heart of the judicial challenge in the Karnataka high court where X has challenged the Union government.

The lack of transparency and the over-collection of data allow for the broad, unchecked use of data and for its potential misuse by prosecuting agencies.

For example, in the case of FIRs where police often lack the information needed to identify suspects, the data collected by the government could be wrongfully used to implicate individuals. This eliminates the need for the police to seek out information, as they already have access to it through the government’s data collection, which could be used to target individuals unjustly.

What does this mean for our privacy?

The A.P. Shah Report stressed the need for a transparent process that includes the disclosure of surveillance to those who have been placed under it. Access to information under Section 95 of the BNSS is subject to judicial oversight, as a court order must be issued before accessing information.

In a similar vein, the guidelines issued by the Supreme Court in PUCL v. Union of India included oversight by a review committee and required interception requests to specify the intended use of the information.

However, Rule 22 appears to sidestep these safeguards entirely and bypass established protections by granting the state unfettered power under the vague grounds of the sovereignty and integrity of the nation.

Complicating matters is the fact that the broad definition of a data fiduciary means it could apply to anyone, including journalists. For journalists acting as data fiduciaries, Rule 22 has profound implications, particularly in terms of their ability to safeguard sensitive information, such as the identities of sources.

This raises serious questions about the future of privacy in India. As it stands, Rule 22 opens the door for unchecked government surveillance, with minimal accountability or transparency.

A first step toward correcting this would be to introduce clear, transparent processes, including a requirement for companies to inform individuals when their data is being requested by the state.

Such requests must also conform with the standards laid down in the K.S. Puttaswamy judgment, which held that while the right to privacy is not absolute, any state intrusion must meet a three-fold requirement. This includes legality, which necessitates the existence of a law authorising the intrusion; a legitimate state aim to justify the need for such intrusion; and proportionality, ensuring a rational connection between the law’s objectives and the means adopted, thereby preventing disproportionate impacts on individual rights.

Additionally, the process should allow for a clear appeal mechanism and be subject to independent oversight.

At any rate, the provision as it stands now does not bode well for privacy in India.

Rubayya Tasneem and Injila Muslim Zaidi are fellows at the Internet Freedom Foundation.
