In August 2024, India observed the sixth anniversary of the K.S. Puttaswamy judgment, which established privacy as a fundamental right.
But the Internet Freedom Foundation criticised the Draft Digital Data Protection Rules, 2025.
Note: In Justice K.S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors., the Supreme Court held that the Right to Privacy is a fundamental right protected under Article 21 and Part III of the Indian Constitution.
In 2023, India notified the Digital Personal Data Protection (DPDP) Act, 2023.
This law fulfills the mandate of the Supreme Court’s landmark Puttaswamy judgment (2017), ensuring data protection rights for Indian citizens.
Data refers to any form of information, fact(s), concept(s), opinion(s), or instruction(s) that can be communicated, interpreted, and processed by humans or automated systems. Personal Data pertains to data that relates to an identifiable individual (Data Principal). It includes any information that makes an individual identifiable, either directly or indirectly.
Processing is defined as any operation on digital personal data, including collection, storage, indexing, sharing, use, disclosure, dissemination, and erasure. Such processing must serve a lawful purpose, with consent from the Data Principal. It must also align with the conditions laid down by the Act.
This Act applies to the processing of digital personal data within India in digital form or data subsequently digitized. It also has extraterritorial applicability if the processing is related to offering goods or services to Data Principals in India. However, it does not cover personal data processed by individuals for domestic purposes or data made publicly available by the Data Principal or required by law.
Personal data can only be processed after obtaining clear, informed, and unambiguous consent from the Data Principal. The consent must be free, specific and given through a clear affirmative action. Individuals can withdraw consent at any time. However, consent is not required for certain purposes such as state benefits, security, medical emergencies or employment.
Data Principals have several rights, including the right to:
Breaching these duties may attract penalties.
The Data Fiduciary must:
Government entities are exempt from some obligations, such as data retention and erasure rights.
This Act permits the transfer of personal data outside India subject to restrictions imposed by the government. Such transfers must comply with the regulations specified by the government in its notifications.
Certain provisions of the Act do not apply in specific cases, such as:
These exemptions are defined under Section 17 of the Act.
The Data Protection Board of India (Board) will be established by the Central Government (CG) under Chapter V of the Act. It will comprise a Chairperson and other members. The Board will exercise powers as outlined in Sections 27 and 28 of the Act, including:
The Board will have the powers of a civil court with original jurisdiction to handle complaints and matters related to the Act. No other civil court can entertain suits or proceedings concerning matters the Board is empowered to adjudicate under Section 39.
As per Section 29, any appeal against the Board’s decisions can be filed with the Telecommunications Dispute Settlement and Appellate Tribunal (TDSAT), established under the Telecom Regulatory Authority of India Act, 1997 (TRAI Act). The appeal must be filed within 60 days from the date of receiving the Board’s decision. Further, orders passed by TDSAT are appealable to the Hon’ble Supreme Court under Section 18 of the TRAI Act.
The Schedule to the Act specifies the penalties for various breaches and offences. For example:
These penalties will be imposed by the Board after conducting an inquiry under Section 33.
The Ministry of Electronics and Information Technology ("MeitY") published the Draft Digital Personal Data Protection Rules, 2025 ("Draft Rules") for public consultation on 3 January 2025.
Notice for Consent
To ensure informed consent from a Data Principal, a Data Fiduciary must provide a clear and standalone notice outlining:
A Consent Manager, defined under the DPDP Act, is registered with the Data Protection Board and acts as a central point for Data Principals to:
Data Fiduciaries and Consent Managers must publish the process on their website or app for Data Principals to access their data or request deletion.
Data Fiduciaries are required to implement adequate security measures to protect personal data, including:
Contracts between Data Fiduciaries and Data Processors must ensure security measures to prevent data breaches.
In case of a data breach, Data Fiduciaries must:
Certain entities, such as e-commerce platforms, online gaming intermediaries, and social media platforms with significant user bases in India, must delete personal data within a specified period, typically three years after a user’s last interaction, unless the user actively maintains their account.
For children's data processing, Data Fiduciaries must ensure that consent is given by the parent or legal guardian, who must be identifiable. However, healthcare providers and educational institutions may be exempt from certain obligations under specific conditions when processing children's data.
Entities identified as Significant Data Fiduciaries based on data processing volume or sensitivity must conduct annual DPIAs to assess potential risks associated with their data processing activities.
Data Fiduciaries processing data within India or offering goods/services to Data Principals outside India must comply with Central Government regulations regarding the transfer of personal data to foreign states or entities.
The Draft Digital Personal Data Protection (DPDP) Rules, 2025 are a crucial milestone in operationalizing the DPDP Act, 2023. But they fall short on key aspects that demand greater clarity and precision. Stakeholders such as civil society, industry and academia have raised concerns about the lack of detailed guidelines in them. These guidelines are critical for implementing India’s first comprehensive data privacy law effectively.
The draft Data Protection Rules have sparked concerns about executive overreach. Ideally, rulemaking should balance administrative flexibility with legislative intent, but the draft Rules reflect the Digital Personal Data Protection Act, 2023’s overarching tilt toward state dominance. Critics describe the Act as a “product of subversion of the democratic process,” with provisions that prioritize state control over constitutional objectives.
The draft Rules build on a foundation of deliberate ambiguity.
Rule 22 of the draft Rules empowers the government to requisition information without safeguards or limitations, granting it unchecked authority. This provision heightens concerns about state overreach in the absence of adequate transparency or accountability measures.
The draft rules emphasize users’ rights to access, correct, update and erase their personal data. However, they fail to provide practical procedures or mechanisms for users to exercise these rights.
Children under 18 are vulnerable to data misuse, and the DPDP Act rightly mandates verifiable parental consent for processing their data. However, the draft rules fail to define robust mechanisms for:
The lack of operational clarity leaves room for loopholes in safeguarding children’s privacy.
The Data Protection Board’s (DPB) role is restricted to adjudicating data breaches, leaving little scope for meaningful interventions in cases of state overreach or corporate misconduct. For example, Rule 5 exempts data processing for subsidies from consent requirements, creating accountability gaps. Complaints involving powerful entities like UIDAI, responsible for Aadhaar, risk being neglected, raising doubts about the Board’s ability to safeguard citizen rights.
CONCERNS IN A NUTSHELL
The Draft Rules propose stringent security measures, including encryption, access control, data recovery and processor compliance. While promoting robust data protection, they could burden smaller businesses, such as local Kirana stores, with disproportionate requirements. A risk-based, industry best practice approach would be more practical. Regarding data breach notifications, businesses must report all breaches immediately, including comprehensive details, which is often unfeasible. Without thresholds, customers may face "breach fatigue." A more practical approach could involve materiality thresholds and reasonable timeframes for reporting. The rules also mandate parental consent for processing children’s data but lack clarity on age verification and parental responsibility. Similarly, the guidelines for processing data of individuals with disabilities are unclear, particularly regarding guardian verification. The annual requirement for Data Protection Impact Assessments (DPIA) is unnecessary and burdensome, as DPIAs should be conducted when risks arise, not on a fixed schedule. Lastly, the rules lack clarity on cross-border data transfers, raising concerns about potential data localisation, which could disrupt industries reliant on global data flows.
The failure to establish an independent regulatory authority further undermines the data protection framework.
The draft rules require substantial revisions to ensure they meet the expectations of a comprehensive privacy framework. The government must:
By addressing these gaps, India can ensure that its data protection framework is not only robust and forward-looking but also inclusive and user-centric, setting a global benchmark for privacy legislation.
To prevent ambiguities and inconsistencies in applying the Act, the government must prioritize the following steps:
The Draft Digital Data Protection Rules, 2025 are a foundational document for India's data privacy ecosystem. But their rushed and incomplete nature could hinder their objectives.
A well-rounded approach that prioritizes operational clarity, stakeholder input and transparency is critical for ensuring the success of this transformative law. Only then can India set an example as a global leader in safeguarding digital rights.
© 2025 iasgyan. All rights reserved.