Digital Personal Data Protection Rules, 2025 – Issues, Concerns & Way Forward

November 17, 2025

What the Article Talks About:

The editorial critiques the Digital Personal Data Protection (DPDP) Rules, 2025, arguing that they fail to strengthen the privacy protections envisioned by the DPDP Act, 2023.
Instead, they delay key safeguards, weaken the RTI Act, and retain weak accountability mechanisms, leaving citizens vulnerable to both state surveillance and Big Tech data practices.

Background:

  • Privacy declared a fundamental right in K.S. Puttaswamy (2017).
  • Multiple drafts of data protection law circulated (2018, 2019, 2022), but the final DPDP Act, 2023 adopted a significantly simplified structure.
  • The DPDP Rules, 2025, notified on 14 November 2025, finalize operational details but are seen as inadequate.

Key Concerns Highlighted:

Delay in Implementing User Protections:

  • Most substantive protections and obligations on data fiduciaries delayed until 2027.
  • Yet, the weakening of RTI starts immediately, creating an imbalance between privacy and transparency.

Dilution of the Right to Information:

  • Public Information Officers can now deny any personal information beyond what other laws mandate for publication.
  • This undermines Section 8(1)(j) of RTI and decades of transparency gains.

Weak and Non-Independent Regulator (DPBI):

  • The Data Protection Board of India is under the Ministry of Electronics and IT (MeitY).
  • Conflict of interest:
    • MeitY promotes major tech investors, and
    • MeitY supervises the Board that must investigate these very companies.

Lack of Consultation & Transparency:

  • Three-month consultation already delayed.
  • Final rules released on election-results day → questions on timing & transparency.
  • Minimal changes from draft to final form.

Industry-Friendly Timelines:

  • 12–18 months compliance time even for Big Tech, despite their long awareness of obligations.
  • Rules appear to prioritize ease of doing business for large digital firms over citizens’ privacy.

Continued Citizen Vulnerability:

  • Limited checks on State access to personal data.
  • Citizens remain “open books” to government agencies and companies, with weak accountability.

Key Issues Identified:

  1. Institutional independence deficit – regulator under executive control.
  2. Opacity and poor legislative process – lack of parliamentary scrutiny, abrupt timelines.
  3. RTI vs Privacy conflict – privacy used to curtail transparency instead of balancing rights.
  4. Surveillance risks – broad government exemptions remain.
  5. Citizen rights under-defined – consent, grievance redress, data breach notifications all weak.
  6. Corporate leniency – long compliance windows, minimal obligations.

Steps Taken:

Though limited, the framework includes:

  • Recognition of key rights: consent, data purpose limitation, data minimization, right to correction/erasure.
  • Inclusion of significant data fiduciary obligations (risk assessments etc.).
  • Penalties for data breaches.
  • Protection of children’s data (though diluted from earlier drafts).
  • Some clarity on cross-border data transfers.

Way Forward:

Strengthen Regulatory Independence:

  • Convert DPBI into an autonomous statutory body (like TRAI/SEBI).
  • Ensure appointment transparency and fixed tenures.

Revisit RTI Amendments:

  • Restore Section 8 protections in line with Supreme Court jurisprudence.
  • Develop a clear Privacy–Transparency balancing test.

Tighten Government Exemptions:

  • Narrow, proportionate, and judicially reviewable exceptions for national security.
  • Mandatory audit trails for government access to data.

Accelerate Implementation:

  • Early enforcement of core data rights and fiduciary obligations.
  • Shorter compliance timelines for Big Tech & large processors.

Introduce Stronger Data Subject Rights:

  • Right to explanation in automated decision-making.
  • Mandatory breach notification to users.
  • Portability of data (as initially proposed in older drafts).

Robust Public Consultation Process:

  • Multi-stakeholder engagement: civil society, academia, industry, state departments.
  • Publish consultation reports for transparency.

Build Public Trust & Awareness:

  • Citizen-centric grievance mechanisms.
  • Digital literacy campaigns on data rights and safety.

Conclusion:

The DPDP Rules, 2025, instead of strengthening India’s data protection regime, have delayed protections, watered down transparency, and left the regulatory framework under executive control.
Unless the government ensures independent oversight, balanced privacy-transparency norms, and timely implementation, the promise of privacy as a fundamental right will remain largely unfulfilled — keeping citizens exposed to both state surveillance and corporate data exploitation.

 

 

 

 

