
Rulemaking for Data Protection: Implementing India’s Digital Personal Data Protection Act, 2023

Malavika Raghavan*

 

Abstract


India’s Digital Personal Data Protection Act, 2023 delegates over 40 powers to the Central Government to flesh out its detail. A torrent of rules, regulations and notifications on data protection lies ahead. This blog invites more attention to such powers, by framing them based on a granular review of the Act’s provisions. Based on the review, some priorities and sequencing are recommended to guide future rule-making. The blog also discusses the potential for legal challenges, considering basic principles of constitutional and administrative review. In doing so, it calls for more conversation about delegated powers and their exercise. They will be critical to shaping the next phase of the development of Indian data protection law.

 

1. Introduction: A “framework” legislation for data protection


India’s Digital Personal Data Protection Act, 2023 (DPDPA) received presidential assent and was published on 11 August 2023, ending a long and uncertain legislative process. Despite its enactment, the Act will only come into force when the Central Government releases notifications to bring it (or parts of it) into effect. This is the first of many notifications required by the DPDPA, which relies heavily on delegating powers to the Central Government to flesh out operational and substantive details. Indeed, the terms “as may be prescribed” or “by notification” appear over 35 times in the Act’s 44 sections—taking the idea of a “framework” legislation to the extreme.


A torrent of rules, regulations and notifications on data protection lies ahead. Media reports before the results of the Indian 18th General Election suggested that rule-making under the DPDPA would be a priority in the first 100 days of the new government. The reality of a coalition government that emerged after the election has raised questions about the extent of continuity with the plans of the previous administration. In any event, implementing the terms of the DPDPA will be a key area for technology governance in the coming years.


As we look ahead, this blog undertakes a granular consideration of delegated powers under the DPDPA. The first part of this blog (in section 2) is descriptive, and seeks to frame and categorise the types of powers delegated by the DPDPA to the Central Government. Given the extensive scheme of delegation, the blog recommends the priorities and sequencing that should be adopted by the Central Government (in section 3) to enable an orderly, phased implementation of the Act. The extensive delegation also raises concerns and the potential for legal challenges to the DPDPA in light of basic principles of administrative law (as discussed in section 4). In doing so, this blog calls for more attention to delegated powers and their exercise under the DPDPA. They will be critical to shaping the development of data protection law in India.


2. Delegation of Powers to the Central Government under the DPDPA


The DPDPA delegates the power to make rules (under section 40 (2)) and issue other notifications (under several provisions) to the Central Government. Some of these delegations are common choices in recent Indian legislation-making, but nevertheless, the wide range of actions expected of the Central Government invites us to consider these more deeply.


The Act delegates powers to make rules to flesh out 25 different provisions, together with a 26th residuary power to make rules for “any other matter”. Separately, powers to make 11 types of notifications are also delegated to the Central Government, together with 4 “miscellaneous” powers (in Chapter IX), some of which are coercive. The table below provides a snapshot of these powers that are detailed in the next section.


Overview of powers delegated to the Central Government under the Digital Personal Data Protection Act, 2023:

26 “Rule-making” powers: rules on

●    the grounds for processing personal data;

●    the scope of legal obligations and compliance;

●    the exercise of individuals’ rights, and

●    the procedures of the Data Protection Board of India and Appellate Tribunal.

15 additional powers: powers to

●    notify and categorise entities to apply the Act;

●    provide exemptions from the Act’s provisions, and

●    broader powers to call for information, issue blocking orders, amend penalties and remove difficulties.

In what follows, these two broad categories of powers are analysed in more detail.  


2.1 Powers to make rules 


The Legislature has made an interesting choice in the DPDPA to delegate rule-making powers solely to the Central Government. In the previous data protection legislation introduced by the Government to Parliament in December 2019 (and withdrawn in 2022), legislative powers were also delegated to the Data Protection Authority of India, the statutory regulatory authority created under that Bill. The DPDPA does not delegate any rule-making powers to the Data Protection Board of India (the DPB, created under s. 18).


Globally, data protection laws in many countries delegate rule-making functions to the regulatory bodies tasked with overseeing the data protection regime. This is for practical reasons, such as their stronger understanding of the regulated space based on day-to-day supervision responsibilities, and their ability to iterate rules based on their regulatory and enforcement experience. Vesting rule-making powers in regulatory bodies also enhances the legislative design and the effectiveness of data protection law by giving regulators more “teeth”. Since data protection laws like the DPDPA apply horizontally (i.e. to both the state and the private sector), having regulators make the rules further enables their independence from the state, which can improve the overall effectiveness of the legal regime.


In light of this, the delegation of rule-making powers solely to the Central Government is a curious choice, especially given the language in the Act (in s. 28(1)) that the DPB will function as an “independent body”. Practically, the question of how Central Government officials will manage the burden of rulemaking, and coordinate with the DPB to draw in its experience of enforcement, will be an interesting challenge to watch.

The 26 rule-making powers under the DPDPA can be categorised into four broad areas.


1. Rules on the grounds for processing personal data: The main way to legally process personal data under the DPDPA is to obtain individuals’ prior consent before doing so. Powers are delegated to the Central Government to make rules to prescribe how data fiduciaries (i.e. persons and entities who seek to process personal data) must give notice of data collection and obtain consent from individuals (under s. 5 and s. 6).


Personal data can also be processed non-consensually under the DPDPA for certain “legitimate uses”. Rules need to be made to prescribe the legitimate uses for which the State can non-consensually process personal data (under section 7(b)). Time limits for which personal data that was previously collected (with consent) can be re-used for additional legitimate uses (under s. 8(8)) are also to be prescribed in the rules. Finally, rules must prescribe the standards to be followed by research bodies who are exempted from the application of the DPDPA (s. 17(2)(b)).


2. Rules on new legal obligations and compliance: The DPDPA introduces new obligations for entities processing personal data. Powers are delegated to the Central Government to make rules on how data fiduciaries can comply with these new obligations. This includes rules on how to provide data breach notifications (under s. 8(6)), obtain verifiable consent from a parent or lawful guardian of a child or person with a disability (under s. 9), and publish information about Data Protection Officers appointed by data fiduciaries (under s. 8(9)). Rules are also needed to lay out the process for Data Protection Impact Assessments, and other measures to be undertaken by a sub-category of data fiduciaries called “Significant Data Fiduciaries” (under s. 10, as discussed further below).

3. Rules to prescribe the manner of exercise of new rights for individuals: Rules will be required to prescribe how citizens can exercise their new right to access information on the manner in which their personal data is being processed by data fiduciaries (under s. 11), their right to correction and erasure of personal data (under s. 12(3)), their right to nominate others to exercise rights upon their death or incapacity (under s. 14(1)) and time limits for grievance redress (under s. 13(2)).


4. Rules on the procedure and operation of the Data Protection Board of India and the Appellate Tribunal: The DPDPA creates a statutory body and appellate authority to enforce its provisions. The operationalisation of these bodies is conditional on Central Government notifications. Rules need to prescribe the procedures for the functioning of these bodies, such as appointment of officials (s. 19(2), 20(1), 24) and other internal procedures (s. 23, 28 and 29(8)).


A residuary power to make rules for “any other matter” is also delegated to the Central Government under section 40(2)(z).

 

2.2 Other powers: Notifications and “miscellaneous” powers


Apart from rule-making, the Central Government also receives powers to make at least 11 types of notifications and exercise 4 broader “miscellaneous” powers under the DPDPA. Many of these powers have an “architectural” quality, as their exercise will provide the detail required to cement the boundaries of the law and to whom it will apply. At a high level, they can be grouped into three categories: (i) powers to notify commencement, application and restrictions, (ii) powers to exempt, and (iii) broader powers.


1. Powers to notify commencement, application and restrictions: The DPDPA delegates powers to the Central Government to make notifications that determine how and when different aspects of the Act will take effect, as detailed below.


●      Notifying Commencement: The Central Government will have to notify the dates on which different provisions of the Act will come into force (as per s. 1(2)). This is a major change from the Government’s prior data protection bill, which included detailed transitional provisions and timelines within its text. Such transitional provisions are also the norm in data protection laws elsewhere. The current DPDPA provides no visibility of whether there will be a phased implementation of its provisions and, if so, their sequence.

 

●      Notifying Significant Data Fiduciaries: The Central Government has the discretion to notify a data fiduciary or class of data fiduciaries as Significant Data Fiduciaries (s. 10). This is to be based on factors as set out in section 10. Once notified, these entities will have additional obligations such as appointing Data Protection Officers, undertaking Data Protection Impact Assessments (DPIAs) and periodic audits.


●      Notifying Cross-border data restrictions: The Central Government has the discretion to notify countries or territories outside India to which cross-border transfers of personal data are restricted (under s. 16(1)).


●      Notifying commencement and operation of the DPB: The Central Government has the discretion to notify the date from which the DPB comes to life (under s. 18(1)), and the place of its headquarters (under s. 18(3)). Critically, it also controls the institutional design as it has the power to specify the DPB’s composition. The Central Government has the power to notify the number of members of the DPB (section 19(1) and (3)). This is once again a departure from the previous Bill (which set out the composition of the statutory authority) and from data protection laws in many countries.


2. Powers to exempt: Four types of exemption powers have been delegated to the government to exempt certain entities from certain provisions of the DPDPA.


●      Exempting entities processing children’s data: The Government can exempt certain entities that process children’s data from the legal requirements and restrictions that apply when they process children’s personal data (under s. 9(5));


●      Exempting state agencies from the DPDPA: The Government has the power to exempt instrumentalities of the State from all the provisions of the DPDPA, in their entirety (under s. 17(2)(a)),


●      The “start-up” or “innovation” exemption: The Government has the power to exempt certain data fiduciaries, or classes of data fiduciaries (including startups), from complying with certain provisions of the DPDPA (under s. 17(3)). These are provisions that impose key obligations on data fiduciaries: to obtain prior consent before processing personal data, to observe obligations of data accuracy, data retention and erasure, to give effect to individuals’ rights to access information about their personal data, and to meet additional obligations if they are significant data fiduciaries.


●      General exemption power: A further general power of exemption for use within 5 years of the Act’s commencement is given to the Government, under which they can exempt any data fiduciary or classes of data fiduciaries from any provision of the DPDPA for any specified time period (under s. 17(5)).


Powers of exemption are used in many legislations, generally where laws engage with changeable or dynamic areas where the Legislature cannot foresee how the social context will develop following the passage of the legislation. However, such powers generally must be guided by a clearly articulated legislative policy (captured in the text of the Act) and guidelines for the exercise of the power by the delegate for them to be considered valid, and not excessive delegations of power.


3. Four broader powers: Four remaining “miscellaneous” powers are listed in Chapter IX of the DPDPA. They are broad administrative powers, two of which are of a coercive nature.


●      Power to call for information: S. 36 confers on the Central Government the power to issue directions requiring the DPB, any data fiduciary or other intermediary to “furnish such information as it may call for”. The provision is brief, without any standards or safeguards to guide its exercise. Powers to call for information are recognised to be coercive, and are generally conferred to support broader powers of investigation and inquiry that are subject to safeguards. This was the case in the Government’s previous data protection bill, which conferred this power on the regulatory authority (the DPA) rather than the Central Government. It was accompanied by safeguards requiring notice in writing of the reasons for such requests, the designation of the officer who may seek such information, and time periods and forms to be adhered to (see s. 52 of the PDP Bill). No safeguards or broader context for such a power is seen in s. 36 of the DPDPA.


●      Power to issue directions to block access to information: This power (under s. 37) is provided to the Central Government to block public access to information, in the public interest, upon a reference from the Board. The Government may do so by issuing directions to any Central Government agency or any “intermediary” as defined under a different law, the Information Technology Act 2000 (the IT Act). This is a surprising provision, as these powers do not seem to relate to the broader thrust of data protection law. It also legislates in an area where there is existing Indian law. A legal framework already exists for blocking orders under Section 69A of the IT Act and the related IT (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. Powers to issue blocking orders were also introduced under Rules 15 and 16 of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.


Two further powers grant the Central Government (i) the power to amend the schedule containing the monetary penalties that can be levied for breaches of the DPDPA (under s. 42(1)) and (ii) the power to issue orders to remove difficulties that arise when implementing the DPDPA (under s. 43(1)). These are common powers delegated in most statutes to enable the Administration to operationalise the law.


3. An embarrassment of riches: Prioritising the sequence of rulemaking


The wealth of powers delegated to Central Government officials also imposes pressure on them to create durable, consistent subordinate instruments. The DPDPA does not benefit from transitional provisions with clear statutory milestones that are used in most data protection laws, and other Indian legislation. The previous data protection Bill (introduced by the Government in 2019 into Parliament) had included detailed transitional provisions with time limits for implementing various aspects of the law through delegated legislation (discussed in prior analysis). Transitional arrangements and phased implementation are common given the wide ambit of data protection laws, and the need for regulatory bodies to bring legal certainty and improve compliance with their laws.


It, therefore, falls to the Central Government, specifically the Ministry of Electronics and Information Technology (MeitY), which will be controlling the implementation of the DPDPA, to prioritise certain areas of rule-making. A structured and considered approach to rulemaking is more likely to build legitimacy of the law and compliance with such rules. 

 

Rule-makers should prioritise and release rules in a consultative and phased manner: Based on the foregoing analysis, a natural prioritisation for rule-making emerges. This is informed by what is necessary to translate statutory law to operational reality, and the objectives of the Act as set out in its preamble i.e. to recognise the right of individuals to protect their personal data, and ensure such personal data is processed for lawful purposes.


A first order of priority should be the release of the rules and notifications that are pre-conditions for compliance and operation of the DPDPA, namely:


●      notifications setting out the commencement and transitional arrangements for the Act (under s. 1(2));

●      rules on the grounds for data processing, in particular the manner of providing notice and obtaining consent for data processing (under s. 5), detail on additional legitimate uses (in s. 7(b)) and re-use of data (in s. 8(8));

●      rules on the manner in which individuals can exercise their rights (under Chapter III), and on key obligations for data fiduciaries, such as the manner of notifying breaches (in s. 8(6)), and

●      rules and notifications to aid the set-up of the DPB.


A second order of priority should be accorded to other powers, especially as authorities learn from the early waves of implementation. This includes notifications of Significant Data Fiduciaries (under s. 10) and related requirements, the exercise of powers to exempt (though doubtless there will be much clamour and lobbying to effect these up-front), and cross-border data flow restrictions if any.

 

Approaching rulemaking with a clear, phased implementation plan that is well communicated will be critical to the operationalisation of the DPDPA. Countries as diverse as Singapore, Jamaica, Saudi Arabia and Turkey that have recently adopted or amended their data protection laws have used transitional arrangements and phased implementation strategies. MeitY should borrow from the experience of other data protection and privacy authorities to provide a roadmap for implementation, including through forums like the Global Privacy Assembly (that convenes over 130 data protection authorities) where MeitY is already an observer.


4. Future legal challenges from extensive delegation of powers


The foregoing review also prompts questions about the legal validity of the delegations under the DPDPA. The touchstone in assessments of the validity of the Legislature’s delegation of powers is the doctrine of excessive delegation. The landmark case here is In re Delhi Laws Act,[1] which provided an early and definitive articulation of the legal position under the doctrine: the Legislature cannot abdicate its legislative function through delegation, but must fulfil this essential legislative function by laying down the legislative policy clearly in the delegating Act. The Legislature must also provide standards and guidance for the delegate to follow when exercising its delegated powers, and failing to do so can result in the legislation being invalidated for excessive delegation.[2] Along with the breadth of the discretion being delegated, the existence of procedural safeguards accompanying the delegation is also crucial to determining the permissibility of the delegation. This helps to guard against the arbitrary exercise of the delegated powers by the delegate.


Questions around the validity of certain delegations: Some of the provisions of the DPDPA outlined in this blog stand out for the broad terms in which they undertake delegation, as well as the parsimony of standards and safeguards they articulate. These include the powers of exemption found in section 17 and the coercive powers in section 36 of the DPDPA.


Section 17(2)(a) delegates power to the Central Government to exempt itself and any state instrumentality from the provisions of the Act in its entirety. This provision raises serious concerns given the sweeping reasons for which such delegated powers can be exercised, which include “...the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these…”.


Aside from the extremely broad nature of this delegation, no clear policy and standards framing the manner of the exercise of power are provided, such as the need to weigh the necessity or proportionality of notifying such exemptions. No procedural safeguards or oversight standards are mandated. This is disappointing given that these issues were documented in the 2018 report of the Committee of Experts on Data Protection set up by the Government, which set out detailed recommendations on the approach to crafting exemptions for state bodies from data protection law in India.[3] Such materials could be looked to for guidance in any future parliamentary or judicial actions that review these provisions.


Similar concerns arise with respect to powers under section 17(3) that exempt data fiduciaries from several obligations of the DPDPA. No sense of the policy guiding this exemption is clear in the provision other than to note that the government can do so having regard to the “volume and nature of personal data processed”. The provision mentions “start ups” as being eligible for such an exemption, without articulating the reasons for this or the reasons why they are specifically mentioned. Section 17(5) is another blanket power granted to the Central Government to exempt any data fiduciary from its provisions in the first 5 years of the operation of the DPDPA.


Concerns also arise from the coercive power to call for information (in s. 36) granted to the Central Government, a power generally conferred in the context of investigation and inquiry. This is strange because, under the DPDPA, inquiries are carried out by the DPB (see s. 27). For such inquiries, the DPB can already call for information using its own powers and procedures (see s. 28). Therefore the delegation of this additional power to the Central Government, without any clear guidance on standards or safeguards, is hard to understand.


Finally, the general rule when considering delegations is that the Courts can look beyond the specific provision to the broader Act, its preamble, objects and reasons, and broader context to construe legislative policy. In the context of the DPDPA, it is not clear how such broad and unlimited powers serve the objectives of data protection or of enabling lawful data processing. Of course, given the general reticence of the Courts to strike down provisions of plenary legislation on the basis of excessive delegation alone, these grounds will likely support and be interlinked with broader substantive challenges to these provisions in the DPDPA. Such challenges could arise on the grounds of arbitrariness (given the absence of safeguards against arbitrary state action) or of falling foul of the test of proportionality (e.g. the infringements of privacy rights from blanket exemptions from the DPDPA). While these matters are beyond the scope of the present analysis, they are ripe for further consideration.


Controls over the exercise of delegated powers under the DPDPA: The release of rules and notifications by the Central Government are themselves executive actions that will be subject to judicial control. Different standards of judicial control apply to delegated legislative acts and administrative acts, and the first step in determining the legal validity of an order is often the classification of its “nature” and the type of power used to create it. Broadly, this distinction has been articulated in cases including Cynamide India[4] as follows: legislative acts involve the creation of general rules of conduct (i.e. rules that do not pertain to specific cases and parties), and operate in the future. Administrative acts involve issuing specific directions to apply general rules to particular cases.


While the majority of the powers delegated in the DPDPA appear to be of a legislative nature, relating to prescribing rules and the like, several administrative and adjudicative powers have also been conferred. The Central Government may make notifications that are classified as administrative actions, e.g. when it makes notifications to establish the DPB, notifies exemptions for a specific data fiduciary at its discretion (rather than a general class of entities), or issues directions to block access to information.


Any new legislation passed in India, in particular one that enables such a range of legislative and administrative actions, attracts the spectre of judicial review. Legislative acts under the DPDPA will need to ensure they do not fall foul of the doctrine of ultra vires, which assesses whether the powers exercised by the delegate conform to the terms of its parent statute. Delegated powers must also be exercised reasonably and not suffer from manifest arbitrariness.[5] Meanwhile, administrative acts, while generally subject to a more limited judicial control, are also scrutinised to ensure they are in accordance with principles of natural justice (such as providing all parties a right to a hearing). Failing this, they can be invalidated.


The judicial control of legislative and administrative action in India is a vast area of jurisprudence that often blurs the boundaries of standards of constitutional review and administrative review. This has been noted by scholars like Vakil, who argue this has led to a “constitutionalised administrative law” in the country.[6] As rulemaking proceeds under the DPDPA, legal challenges will likely arise on constitutional and administrative law grounds around the appropriate exercise of delegated power.


5. Conclusion


This blog aimed to invite more attention to the next phase of law-making around data protection in India, which will take place through delegated legislation. The analysis of the provisions delegating powers highlighted some immediate concerns. The first pressing concern is the need for some scheme of prioritisation and sequencing of future notifications. The Government needs to put in place transitional arrangements and communicate a clear, phased approach to passing delegated legislation and implementation. This blog offered some priorities for the Government for rulemaking (in section 3) to enable a more orderly, consultative approach.


Rushed or ad-hoc rulemaking can create uncertainty, affect the legitimacy of legislation and lead to legal challenges in court. If the cacophony of cases that followed the release of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 is anything to go by, powers of rule-making can often be a victim to their own success. This blog, therefore, revisited some basic principles of administrative law (in section 4) that should guide the delegation of powers and can form the basis for legal challenges to the DPDPA or rules passed under it. All this invites more analysis and continued attention to the evolution of data governance law in India. Exciting times lie ahead for legal scholarship on these matters—and action in the courts!


 

[1] In re Delhi Laws Act, AIR 1951 SC 332

[2] Jain and Jain (n 1) pp. 63 - 68.

[3] Government of India, ‘A Free and Fair Digital Economy - Protecting Privacy, Empowering Indians, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna’ (Ministry of Electronics and Information Technology 2018) Available at <https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf> pp. 122 - 135

[4] Union of India v. Cynamide India Ltd., (1987) 2 SCC 720

[5] See further, tracing milestones in the development of manifest arbitrariness in Indian constitutional law, Association for Democratic Reform v Union of India, 2024 INSC 113, para 182 - 198.

[6] Vakil R, ‘Constitutionalizing Administrative Law in the Indian Supreme Court: Natural Justice and Fundamental Rights’ (2018) 16 International Journal of Constitutional Law 475


 

*Malavika Raghavan is a lawyer with a background in policy-facing research on technology and inclusion. She is currently a doctoral researcher at the LSE Law School. Her research examines the consequences of welfare digitalisation for administrative law frameworks governing public officials’ exercise of power, drawing on India’s experience with the Aadhaar-linked direct benefit transfer system.


Published by the National Law School of India University,
Bangalore, India – 560072


© 2021 Indian Journal of Law and Technology. All Rights Reserved.
ISSN : 0973-0362 | LCCN : 2007-389206 | OCLC : 162508474
