slotbet Explained: India’s Draft Digital Personal Data Protection Rules, 2025
India’s Draft Digital Personal Data Protection Rules, 2025 India’s Draft Digital Personal Data Protection Rules, 2025
On 3 January 2025, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection (DPDP) Rules, 2025 for public consultation. These rules, which came sixteen months after the Digital Personal Data Protection Act, 2023 (DPDP Act), outline a regulatory framework for processing digital personal data in India.
The DPDP Rules are a step forward in India’s data protection landscape, but experts are divided over its vagueness, potential overreach, and inadequate safeguards. “The initial draft of the Rules as having taken a significant step towards enhancing privacy and data protection in our jurisdiction,” says Pinky Anand, a senior lawyer and former Additional Solicitor General at the Supreme Court of India. She adds that “We (India) are a bit late to the party with other jurisdictions having well-established legal regimes governing privacy and data protection.”
India passed the DPDP Act in August 2023, with the goal to protect personal data in the digital world. The Act aims to balance individual rights to privacy with the legitimate interests of businesses and the government. The DPDP Rules provide the procedures and obligations necessary for implementing the Act.
However, the draft rules, like the Act, have drawn criticism for their lack of clarity and transparency. Advocacy groups and industry experts argue that the government’s opaque consultation process undermines public participation.
Technology And Privacy In The Context Of Constitutional Morality Vague By Intention?“This is an intentional form of flexibility that the government has provided itself because it wants to apply the law as and when as it feels fit. Usually there are clearer principles that are present in law because the government then is limited by ambit of the legal authority created by it, but here the government does not want to be limited, and it wants to then fill in those details through these rules,” explains Apar Gupta, lawyer and founder of the Internet Freedom Foundation.
Other legal experts point out that overly prescriptive rules would hinder business operations. “Overly prescriptive language hinders companies from making risk-based decisions. The rules should have a certain degree of flexibility, allowing companies to decide what works best in what circumstances,” says Nehaa Chaudhari, a partner at Ikigai Law.
The draft rules outline the responsibilities of data fiduciaries (entities handling personal data), establish compliance requirements, and specify penalties for violations. Other key provisions include Consent and Data Processing, Obligations of Data Fiduciaries, Parental Consent for Minors and more.
On one hand, the data fiduciaries must obtain clear, informed consent from individuals (referred to as data principals) before processing their data. Consent must be freely given, specific to the purpose of processing and is revocable at any time.
However, consent may not be required for certain "deemed necessary purposes," such as government benefits, public health, or legal obligations. Critics argue that this provision is too broad and could lead to misuse. “Rule 22 is extremely broad based since it allows the government (or any state instrumentality) to prohibit data fiduciaries from informing the individuals whose personal data is sought on grounds on “sovereignty and integrity of India” or “security of state”. It will undermine consumer data privacy, especially considering the lack of safeguards in the rules,” says Supreme Court lawyer Vrinda Bhandari.
Obligations Of Data FiduciariesData fiduciaries are required to implement “reasonable safeguards” to protect data from breaches. This includes measures like encryption, access controls, and regular audits. Significant data fiduciaries (SDF)—entities handling large volumes of sensitive personal data—face stricter obligations, including mandatory data audits and risk assessments. However, SDFs have not yet been defined by the government.
Cross-Border Data TransfersThe rules allow cross-border data transfers to countries approved by the government, provided they meet prescribed safeguards. The government can impose conditions or prohibit transfers in cases deemed contrary to India’s interests. This provision aligns with concerns over data sovereignty but poses challenges for multinational businesses.
Data Retention And MinimisationData fiduciaries must retain personal data only as long as necessary for the purpose for which it was collected. They must also minimise the amount of data collected and processed.
Parental Consent For MinorsFor individuals under 18, data processing requires parental consent. This provision, while aimed at protecting minors, could lead to extensive age verification mechanisms, potentially infringing on privacy.
Penalties and ComplianceNon-compliance with the DPDP Rules could result in fines ranging from ₹50 crore to ₹250 crore, depending on the severity of the violation. This is defined in the DP Act.
While on paper these rules appear to be progressive, experts have flagged some concerns.
Right To Information UnderminedThe DPDP Act amends the RTI Act and exempts disclosure of any information, which related to personal information. This was previously allowed under section 8 (1)(j) of the RTI Act, if the disclosure served a public interest. Bhandari points out that the Act, “ignores the fact that personal information can have important public interest or be related to public activity (e.g. details of judges’ assets or names of wilful defaulters).”
She adds, “Section 8(1)(j) of the RTI Act had struck a delicate balance between transparency in public interest and privacy and that has been undermined with the Act.”
Government Exempt From RulesAs per the rules, the government is exempt and it can ask for personal data from a fiduciary for legal reasons. The person whose data is being handed over does not need to be informed. “The government has made itself exempt. The data protection board also happens to be a government body so in so many ways it is the government determining through its ministerial function what data is protected under what circumstances and how it applies it to the private sector which enables to pick winners and losers in this world in which personal and digital data is an engine of growth for companies. And also at the same time, it's exempted itself and granted itself power to gather more information,” Gupta points out.
Weak Oversight Mechanisms?The DPDP Act and Rules place enforcement authority in the hands of the central government rather than an independent regulator. This has raised concerns about conflicts of interest and a lack of accountability. Gupta points out that the DP Board will essentially have no office and possibly very little authority. “This is basically a board which will be composed by people on deputation; it won't have adequate staff to examine any breaches. The point is not that: what happens if the rules are broken, the point is that if the rules are broken, who do you go and complain to and what is the ability of that body to provide you any form of remedy and here I think there's a big question mark which emerges,” he says.
In October 1947, when Sheikh Abdullah came to power in Kashmir valley, ‘Naya Kashmir’ was the name by which his project of modernising the former princely state became known. Some of its main provisions like the agrarian land reforms were successfully acted upon. It set apart the National Conference as a progressive force in the subcontinent and distinguished it from its politically and socially more conservative rival, the Muslim Conference. The main goals of the Naya Kashmir manifesto were ‘the organisation of agriculture on a more modern and rational footing and the provision for the peasant of a higher standard of living’ The basic principles were to be the ‘abolition of landlordism’, the provision of the ‘land to the tiller’ and cooperative association in the production and sale of crops. In its peasant charter it declared that ‘ All land which at present belongs to the landlords will revert to the peasant and the peasants would be made ‘completely debt free’.
Congress national president Mallikarjun Kharge had a brief health scare during an election rally in the Kathua district of Jammu and Kashmir on Sunday. While delivering a speech in Jasrota ahead of the third phase of elections, Kharge felt dizzy and had to stop his address.
Anand, too, points out that “an independent oversight body must be considered as a necessary agency for effective implementation of the letter and spirit of the Law.”
big777win Transparency Issues In ConsultationMeitY’s decision to treat public comments as confidential has drawn criticism for undermining transparency. Advocacy groups have called for making comments publicly accessible to encourage meaningful deliberation.slotbet
