Introduction
The much awaited draft Digital Personal Data Protection Rules 2025 (“DPDP Rules”) have been finally released for public consultation by the Ministry of Electronics and Information Technology (“MEITY”). There are several issues lawyers and activists are flagging on the implementation and clarity of specific rules read with the Digital Personal Data Protection Act 2023 (“DPDPA 2023”). One such issue relates to the implication of the DPDP Rules on data principals who are persons with disabilities (“PwDs”). This article flags vital challenges emerging out of the Rules and gives suggestions to improve them for efficient implementation of data protection principles for PwDs.
What does the Act say?
Section 2(j) DPDPA 2023 identified the definition of disabled data principal by including their lawful guardian, acting on their behalf. Based on this, Section 9(1) mandated data fiduciaries to obtain “verifiable consent” of the lawful guardian of a PwD before processing their data. Both the sections also club consent requirements for children with PwDs. The juxtaposition of consent requirements of children with PwDs in both the sections tainted the relative autonomy of the latter, who have a varying level of agency depending upon the type of disability and built environment they are in.
Moreover, there has been a lack of reasonable classification between those PwDs who might need a lawful guardian and those who might not. At one level, it imposes a straightjacket formula for every disabled data principle, on the other, it creates double whammy for already vulnerable groups such as disabled women and old-age persons. This gives upperhand to lawful guardians to unilaterally impose their will, thus violating “autonomy, dignity and privacy” of PwDs under section 13(5) of the Rights of Persons with Disabilities 2016 (“RPwDA 2016”).
Although section 38 of DPDPA gives the overriding power over other laws, Section 2(j) and 9(1) themselves go against the very spirit of the DPDPA by diluting the autonomy of disabled data principals. Section 6 clearly states that the consent of the Data Principal shall be “free, specific, informed, unconditional and unambiguous with a clear affirmative action.” Therefore, this practical paradox was created, which was expected to be sufficiently narrowed down in the DPDP Rules.
How the Rules Fare?
Rule 10(2) and (3) of the draft DPDP Rules 2025 cover the requirements for obtaining verifiable consent of disabled data principals. The Rules have still not put consent requirements of children and PwDs under different provisions. However, it should be noted that the Rules have narrowed down some of the broad propositions laid down in the Act. The rules have defined PwDs unlike the Act, which although resonates with the definition under RPwDA 2016, has an added qualification that covers those PwDs who are “unable to take legally binding decisions” despite being provided adequate and appropriate support. It narrows down the scope of imposing conditions for disabled data principals having enough agency to independently give verifiable consent. Similarly, Rule 10 has also limited the scope of guardianship to those individuals who may not be able to take legally binding decisions. The wordings in the Rules are pari materia to Section 14 of the RPwDA 2016, albeit without specifically mentioning it. While it may signal a shift towards limited guardianship, it would have been better to explicitly mention the same. The concept of limited guardianship focuses on the support-based decision making model as against perpetual guardianship which entirely substitutes decision making to the lawful guardian on behalf of PwD. This means that data fiduciaries and consent managers should design a technological solution that will assist PwDs in giving consent for data sharing and not substitute it to their lawful guardians.
Moreover, the Rules could have defined/illustrated “legally binding decisions” and included an inclusive list of circumstances in which a person may not be able to take such decisions specific to the digital domain. For instance, persons with less than 40% disability are often capable of independently providing verifiable consent. Such an exercise would have not only given autonomy to disabled data principles but also allow data fiduciaries to come up with inclusive technological solutions to address the problems arising out of those circumstances, especially in cases of sensitive personal data in core sectors (health, education, transportation etc). It can be well argued that the list cannot be exhaustive due to varying nature of disabilities and situations but still, even a non-exhaustive framework would serve as valuable guidance for every digital stakeholder in adopting an integrative approach for PwDs.
Finally, it was unnecessary to include the National Trust Act, 1999 (“NTA 1999”) to either define PwDs or expound the law applicable to guardianship. The addition of this obsolete law can make obtaining consent more complicated for data fiduciaries and disabled data principals alike due to the wide scope of interpretation. Section 14(2) of the RPwDA has already clarified that guardianship under any law is a limited guardianship. Moreover, it was not necessary to add definition under National Trust Act as the definition under RPwDA is already all encompassing to include disabilities covered under NTA 1999.
There are other ancillary issues such as no liability for lawful guardians in case of violating PwD rights, ambiguity around the term ‘infirmity of body’ under Section 14(2) of the DPDPA, and the absence of a standardized accessible format for privacy notices or consent forms. In order to make the data protection law to be truly inclusive of the needs of PwDs, the Ministry must make positive efforts to deal with such regulatory gaps. Therefore, the rules should avoid adding more complexities and focus on guiding data fiduciaries for eventual success of the law in the longer run.
Sources
https://www.mdpi.com/2075-471X/6/3/10
https://www.pacta.in/digital-data-protection-consent-protocols-for-disability.pdf
https://pacta.in/Disability_Bulletin_Law_-_Practice_Series_4.pdf
This post has been authored by Nayan Chandra Mishra, a fourth-year law student at Dr. Ram Manohar Lohiya National Law University, Lucknow.
CITE AS: Nayan Chandra Mishra ‘Bridging Regulatory Gaps for PwDs in Data Protection Rules 2025’ (The Contemporary Law Forum, 25 January 2025) <https://tclf.in/2025/02/02/bridging-regulatory-gaps-for-pwds-in-data-protection-rules-2025/>date of access