Opinion | DPDP Draft Ignores Government Initiatives, Fails To Promote Competition
Last Updated: January 11, 2025, 16:57 IST
Monitoring cross-border data flows and enforcing strict penalties for non-compliance are necessary to maintain sovereignty and protect national interests
The Digital Personal Data Protection (DPDP) draft of 2025 marks a significant milestone in India’s journey towards establishing a robust data privacy and protection framework. However, the draft misses the wood for the trees and fails to anticipate that static regulations cannot control, manage, or even monitor digital entities. Data is like water, and it has to be priced, accessed, and utilised correctly if a country wants to maintain its economic and entrepreneurial freedom. If we try to capture data in regulations that are outdated, we will fall into the trap that Western powers have created to make us their digital slaves.
Policymakers need to be aware of the objectives of the DPDP Act, which are not only to offer protection on paper but also to safeguard the entrepreneurial and economic freedom of digital entities in the country. We lost the manufacturing battles because of globalisation and are now set to lose the data wars to slavish devotion to an outmoded way of thinking about policies.
In an era where digital data governs almost every aspect of personal and professional life, the Draft must address the dual objectives of safeguarding individual privacy and enabling the responsible use of data for innovation and governance. The Draft addresses one of the most pressing challenges in today’s data-driven world by ensuring that individuals (data principals) retain control over their data through clear and enforceable consent mechanisms. Consent must be freely given, specific, informed, and unambiguous, with data fiduciaries obligated to present consent requests in comprehensible language.
Furthermore, individuals are empowered to withdraw their consent at any time, with seamless mechanisms in place. Special protections are also extended to minors and individuals unable to provide independent consent, ensuring their data is processed only with verifiable consent from their guardians. This would have been enough if we had not been faced with a scenario where platforms that control the data have already devised various ways to bypass this. Hence, the Draft, which is written by an independent private legal entity, has to be questioned regarding its intentions and purposes.
Policymakers need to adopt a platform-based approach to address platforms and understand that weaning these platforms away from free data will not be easy. Their lobbying will easily delay and thus defeat the very purpose of this Draft.
The DPDP Draft prioritises personal data protection through stringent security and procedural safeguards. Data fiduciaries are accountable for securely handling data, employing encryption, masking, or tokenization to mitigate risks of unauthorised access or breaches. Notifications to affected individuals and the Data Protection Board in the event of a data breach are mandated, ensuring timely redressal.
The Draft also enforces data retention minimalism, requiring that personal data be retained only as long as necessary to fulfill its specified purpose, reducing risks of misuse or over-retention. These are all norms that responsible organisations should follow on their own, but they do not; hence, there is a need to codify them in law, but the codification of this will not help.
In addition to consent and security, the Draft needs to define the rights of individuals over their data and its format in an open-source manner, ensuring it is portable across platforms. How will users be able to port their data from one e-commerce platform to another? Will the platform allow this, or will it hoard the data, preventing the entry of new players? This is the most crucial question, which has again not been answered in the draft of the DPDP Act. The Centre for Innovation in Public Policy has been advocating for individual data sovereignty, and this Act is the perfect opportunity to define it. If the individual establishes ownership, rather than the platform, the location is automatically defined as the natural boundaries of the country.
Allowing data to flow between monopolistic platforms and new entrants is critical for fostering competition, innovation, and economic inclusivity. Monopolistic platforms often create walled gardens of data, restricting the ability of smaller competitors to innovate or compete. By enabling data portability and open ecosystems, the DPDP Draft can help break down these silos. It is essential to remind MeitY that another part of the government, the Ministry of Commerce and Industry, is trying very hard to address this, yet the Draft does not even address this issue from a data perspective.
Access to user data is essential for startups and SMEs to develop new products and services, ensuring a dynamic and competitive digital economy. For example, the European Union’s General Data Protection Regulation (GDPR) has implemented similar data portability principles, requiring platforms to allow individuals to transfer their data between providers. This has empowered smaller European tech firms to challenge established players by creating innovative services using accessible data.
Moreover, data portability prevents market dominance by large platforms. It allows consumers to move their data freely, reducing lock-in effects and enhancing user choice. This drives platforms to compete based on service quality rather than their control of user data. In Europe, GDPR’s data portability provisions have encouraged consumer empowerment, enabling better competition among platforms such as fintech apps and cloud service providers.
Open data sharing further drives economic growth by enabling collaboration across industries. By fostering trust through privacy protections, smaller firms can access data securely, opening up opportunities for partnerships and innovation. For instance, Europe’s Digital Markets Act (DMA) complements GDPR by regulating gatekeeper platforms, ensuring fair access to essential data for new entrants. This regulatory synergy has created a fertile ground for European SMEs and startups to flourish alongside tech giants.
DPDP talks extensively about the right to file grievances in misuse or unauthorised access cases. However, it does not say that platforms must integrate these rights into their operations by developing user-friendly portals for accessing and storing data in interoperable formats to facilitate portability. Transparency and communication with users are critical, requiring platforms to notify users of any changes in data processing policies and provide mechanisms for dynamic consent management.
The DPDP Draft holds immense potential to democratise entrepreneurship by redefining data ownership and ensuring equitable access to data. The Act can prevent platforms from exerting monopolistic control over user data by establishing that individuals own their data while platforms act as custodians. Encouraging open data ecosystems allows entrepreneurs to securely share and access data, fostering innovation and competition.
The portability provisions empower businesses to access user data with consent, enabling new entrants to offer competitive services and disrupt traditional monopolistic models. Transparent data marketplaces ensure fair transactions, decentralising control and allowing smaller businesses to compete effectively. These transparent data marketplaces have been put in place by the RBI in the account aggregator space, so it is not as if the regulation for technology does not exist for it. Unfortunately, the DPDP Act has not learned anything from the success or failure of the account aggregator marketplace and has not applied it in the Act. It is as if the RBI and the MeitY exist on two different planets and will not communicate.
The DPDP Act can prohibit monopolistic control of user data by large foreign-owned platforms, and the DPDP Draft can work towards ensuring equitable participation of domestic players in the digital economy. Supporting small and medium enterprises (SMEs) with equal access to data is a crucial step towards a more competitive and inclusive economic landscape.
As India continues to refine its digital governance strategies, the concept of data sovereignty must be fully integrated into the DPDP framework. Clear ownership definitions are essential to affirm individuals as the rightful owners of their data, with fiduciaries acting strictly within the bounds of agreed-upon rights. Localising critical data within India’s borders ensures compliance with Indian laws, while jurisdictional clarity mandates that disputes involving Indian citizens’ data are adjudicated under Indian legal frameworks. Monitoring cross-border data flows and enforcing strict penalties for non-compliance are necessary to maintain sovereignty and protect national interests.
K Yatish Rajawat is a public policy researcher and works at the Gurgaon-based think and do tank Centre for Innovation in Public Policy (CIPP). Views expressed in the above piece are personal and solely those of the author. They do not necessarily reflect News18’s views.