Wednesday, 08 January 2025

For privacy: Editorial on Digital Personal Data Protection rules released by the government

The one good aspect of the rules is that the data provider must send out a notice 48 hours in advance alerting the individual that it intends to erase his/her personal data from its servers

The Editorial Board Published 07.01.25, 07:03 AM


The rise of the internet has led to the emergence of a new breed of robber barons. Large corporations have been able to trawl information from every facet of digital lives, very rarely with informed consent. Governments across the world have tried to put in place a legal framework to stop the devious practices that data repositories employ to soak up information about people and then mash it to obtain insights into consumer behaviour and personal choices. In August 2023, Parliament passed the Digital Personal Data Protection Act that set out the broad principles that data fiduciaries — entities that glean and store information provided by their customers — would need to abide by while processing personal data. The government has now put out the draft rules that will underlie the legislation and has sought public feedback on the provisions.

Data fiduciaries will have to seek informed consent from individuals who are prepared to share personal data in order to make a digital purchase, access a social media account, or play an online game. The notice seeking consent will have to be worded simply. It must include an itemised list of the personal data and clearly state the purpose for processing the information. Verifiable consent must be obtained from a parent before a data fiduciary can process any data relating to a child. Experts have already voiced concern that the rules are ambiguous and have no explicit mechanism to ensure that the consent is sourced from the parent. The rules also emphasise that the individual should be able to withdraw consent just as easily as it is given. However, the trouble is that the data fiduciaries are being permitted to retain data for up to three years from the last interaction or the date from which the rules come into effect, whichever is later. Most people would like their information to be scrubbed sooner. The one good aspect of the rules is that the data provider must send out a notice 48 hours in advance alerting the individual that it intends to erase his/her personal data from its servers.

There are two other big worries: what happens in the case of a data breach, and what restrictions exist on cross-border processing of information? The draft rules say detailed information about every data breach must be provided within 72 hours of that event. The concern is that the rules do not provide for a credible enforcement mechanism to ensure compliance. It is also not clear which countries will be permitted to access personal data of Indian consumers. A government-appointed committee is supposed to draw up a list of nations that will be allowed to gain access to these records.
