India's DPDP Rules: Balancing Privacy and Global Interoperability
India's proposed Digital Personal Data Protection (DPDP) rules are designed to protect citizens' data. However, some provisions might unintentionally harm the very users and digital economy they are meant to safeguard.
The Internet Society has submitted comments urging that these rules align with global best practices to ensure strong privacy protections while promoting growth and maintaining an open, global Internet.
Two key areas raise concerns:
- Mandatory "Verifiable Parental Consent": While it is crucial to protect children, current methods can lead to invasive data collection, potentially preventing minors from accessing essential online resources such as health and educational support. These approaches may also limit the safe spaces online where young people can privately explore complex questions about themselves and the world around them. Instead, we should prioritize robust privacy protections for all users and invest in privacy-preserving technologies.
- Mandated Data Localization: Requiring data to be stored within India may increase costs, hinder innovation—particularly for startups—reduce Internet performance for users, and limit the cross-border data flows that are essential for securing data.
We recommend protecting data, regardless of where it is stored or how it is transmitted, using globally recognized privacy principles and robust security measures such as encryption. India should avoid inflexible localization mandates and complicated age authentication requirements, as they often create more issues than they resolve.
Let's create a framework that builds trust, empowers users, and fosters a connected digital future for India.