Rule 23 of the Digital Personal Data Protection Rules, 2025, allows the central government to request personal information from any data fiduciary or intermediary for the “sovereignty and integrity of India” or “security of the state”. Any government-authorised official can issue such notices and set deadlines for compliance. This rule will take effect 18 months from now.
Though there aren’t any significant changes when compared with the previous draft, the rules have additionally clarified that they adopt the definition of “intermediary” from the Information Technology Act, 2000, which covers social media platforms, messaging services, cloud providers, e-commerce sites, and other digital services.
These finalised DPDP Rules implement the Digital Personal Data Protection Act, 2023. Under Section 36 of the Act, the Central Government can ask the Data Protection Board and any Data Fiduciary or any intermediary to provide information as needed for the above-mentioned purposes. However, the Rules omit key details required to make this process more transparent, without compromising the same purpose for which the Act and the Rules were created.
Government’s Silent Access to Personal Data
The DPDP rules also exempt the government from notifying users if their personal data has been requested or accessed under official orders. It allows the government or its agencies to demand a person’s data whenever they believe the information is necessary for “sovereignty and integrity of India or security of the State.”
If the government considers the disclosure harmful to India’s sovereignty or security, it can pass an order requiring the data fiduciary to withhold the information from the affected data principal and from anyone else, unless an authorised official approves informing the concerned user.
Under Rule 15, the cross-border data sharing is very limited, including with foreign governments. These are permissible only if the conditions defined by the government are met, and that too only to those foreign states and foreign governments that it explicitly allows.
What are we missing?
- The government also does not define the parameters for determining the specified time period within which data fiduciaries must comply with data requests.
- While these finalised Rules specify the purposes and the authorised personnel who may seek information on the government’s behalf, they do not outline a mechanism to notify Data Fiduciaries or other entities of these requests.
- The Rules do not specify the required data security measures that the government, or its agencies, must follow to prevent data breaches, unauthorised access, including data transfers, when handling data received from Data Fiduciaries.
- The government does not specify how long it will retain the information provided or how long it will utilise it.
- There isn’t a specified appellate mechanism to challenge arbitrary government…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
