Draft Digital Personal Data Protection Rules 2025: The Goal Remains Distant?
K. Anvar Sadath
18 Feb 2025 12:45 PM
The Digital Personal Data Protection Act (DPDP Act 2023) was passed on August 11, 2023, amidst growing concerns over the misuse of personal data and its potential commodification. However, in the absence of rules and regulations, the law remained largely ineffective. Sixteen months after enactment, on January 3, 2025, the union government introduced the Draft Digital Personal Data Protection Rules (DPDP Rules) for public consultation. While the Act and the draft rules purport to incorporate various provisions for data protection, they ultimately tend to dilute the fundamental right to privacy.
Data Ownership and Consent
The DPDP Act 2023 defines individuals as 'Data Principals' and the entities that handle their data as 'Data Fiduciaries'. It mandates that companies cannot use individuals' data without their consent (subject to the 'certain legitimate uses' the Act itself carves out). Rule 3 of the draft rules elaborates on the notice that companies must give individuals. The notice should specify, in simple and understandable language, the type of information being collected (name, address, mobile number, etc.), the purpose of the collection, and the services for which the data will be used.
Companies are prohibited from using the collected data for purposes not specified in the notice, and individuals (Data Principals) can withdraw their consent at any time. Once consent is withdrawn, companies can no longer use the data. Unlike the European Union's General Data Protection Regulation (GDPR), in force since 2018, the draft rules do not prescribe a specific format for the user notice. The Act also imposes duties on users: when providing information to establish their identity they must not suppress material information, and they must not file false or frivolous complaints with the Data Protection Board or other entities. Breach of these duties under Section 15 of the DPDP Act 2023 attracts a penalty of up to Rs. 10,000, which may deter individuals from filing complaints at all. It could also chill 'anonymous' activities such as ethical hacking and good-faith breach reporting. Although there were calls for penalties for a data breach to be shared with the affected individuals as compensation, rather than flowing only to the government, the draft rules do not provide for this.
Independent 'Consent Managers'
Section 6 of the DPDP Act 2023 provides for an independent mechanism called a 'Consent Manager', through which individuals can review the information (data) they have provided to companies and grant or withdraw consent for its use. Draft Rule 4 sets out the registration of such entities with the Data Protection Board and the requirement for robust security systems to protect individuals' data. Consent managers must maintain their records for at least seven years, are expected to be highly trustworthy, and are prohibited from outsourcing their services.
Rule 6 elaborates on the security safeguards that companies must maintain, including encryption, access control, prevention of unauthorised access, data backups, and the maintenance of logs for each activity so that data breaches can be prevented and detected. Rule 7 stipulates that, on becoming aware of a breach, companies must inform the affected individuals and the Board without delay, and must furnish the Board with full details of the breach, its causes and the remedial action taken within 72 hours.
According to Rule 8, the classes of large platforms listed in the Third Schedule must erase an individual's data three years after the individual last used the service (or last exercised their rights), unless another law requires its retention, and the individual must be notified at least 48 hours before the erasure. Rule 9 requires companies to publish on their websites the names and contact details of those responsible for addressing individuals' queries about their data, and to keep records of their communications with individuals.
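The Rule 8 timeline as summarised above (erase three years after the last use, give at least 48 hours' notice first, and skip records another law requires to be kept) is the kind of thing a Data Fiduciary would implement as a scheduled retention job. The following Python is an added illustration, not code from the article or from the draft rules; the record fields, the use of 3 x 365 days for "three years", the other-law retention flag and the sample users are all assumptions, and it also handles the case the rule text leaves implicit: a user who returns after being notified restarts the clock.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Periods taken from the article's summary of draft Rule 8. Using 3 * 365 days
# for "three years" is a simplification (an assumption, not the rule's text).
RETENTION = timedelta(days=3 * 365)
NOTICE_LEAD = timedelta(hours=48)

# Fixed "now" for the demonstration so results are reproducible (assumption).
DEMO_NOW = datetime(2025, 2, 18, 12, 0, tzinfo=timezone.utc)


@dataclass
class Record:
    principal_id: str
    last_approached: datetime                 # last use of the service / exercise of rights
    notice_sent_at: Optional[datetime] = None  # when the 48-hour erasure notice went out
    retention_required_by_law: bool = False   # other-law retention carve-out (assumed field)


def decide(record: Record, now: datetime) -> str:
    """Classify one record as 'retain', 'notify', 'wait' or 'erase'.

    'notify' means the 48-hour erasure notice is due now; 'wait' means the
    notice has gone out but the 48 hours have not yet elapsed.
    """
    if record.retention_required_by_law:
        return "retain"
    # A user who comes back after being notified restarts the clock, so a
    # stale notice must not be allowed to justify a later erasure.
    if record.notice_sent_at is not None and record.last_approached > record.notice_sent_at:
        record.notice_sent_at = None
    erase_due = record.last_approached + RETENTION
    if now < erase_due - NOTICE_LEAD:
        return "retain"
    if record.notice_sent_at is None:
        return "notify"
    # Erase only once both conditions hold: the retention period has ended
    # AND the principal has had at least 48 hours' notice.
    if now >= erase_due and now - record.notice_sent_at >= NOTICE_LEAD:
        return "erase"
    return "wait"


def run_retention_job(records: List[Record], now: datetime) -> Dict[str, str]:
    """Apply decide() to every record, recording notices as they are sent.

    Returns {principal_id: action}. A real job would also write each action to
    the Rule 6 activity log and actually dispatch the notice and the erasure.
    """
    actions: Dict[str, str] = {}
    for rec in records:
        action = decide(rec, now)
        if action == "notify":
            rec.notice_sent_at = now  # remember when the notice went out
        actions[rec.principal_id] = action
    return actions


def sample_records(now: datetime) -> List[Record]:
    """Constructed sample data (not real users) covering each branch."""
    return [
        Record("active-user", now - timedelta(days=400)),
        Record("notice-due", now - RETENTION + timedelta(hours=24)),
        Record("notice-sent-10h-ago", now - RETENTION - timedelta(days=1), now - timedelta(hours=10)),
        Record("notice-sent-72h-ago", now - RETENTION - timedelta(days=1), now - timedelta(hours=72)),
        Record("came-back-after-notice", now - timedelta(days=2), now - timedelta(days=5)),
        Record("tax-records", now - RETENTION - timedelta(days=30), None, True),
    ]


if __name__ == "__main__":
    for pid, action in run_retention_job(sample_records(DEMO_NOW), DEMO_NOW).items():
        print(f"{pid:24s} -> {action}")
```

Running the job a second time 48 hours later moves the "notice-due" user from "notify" to "erase"; the ordering of the two checks in `decide()` is what guarantees that erasure never precedes the end of the retention period or the end of the notice window, whichever comes later.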
'Verifiable Parental Consent' for Children and Disabled
Section 9 of the Act mandates enhanced protection for the data of children under 18 and of persons with disabilities who have lawful guardians. It requires verifiable parental (or guardian) consent before their data is collected, whether for social media accounts or for other online services. Rule 10 of the draft rules requires the parent to first establish that they are an adult, which can be done through information the company already holds, through details from recognised identity documents, or through a token-based system such as a virtual token issued by a Digital Locker service.
Draft Rule 10 presents several practical and technical challenges. Replacing the current self-attestation by the child or parent with verification of the parent's adulthood would, in effect, require verifying the age of every user, since a service cannot know who is a child without checking everyone, and that raises its own privacy concerns.
Data Maximization vs. Minimization
The primary objective of data protection laws is data minimisation, i.e., collecting only the data necessary for a stated purpose and retaining it only for as long as it is required. The European Union's laws adopt this approach. In India, however, there are concerns about the government's data maximisation and centralisation through Aadhaar, DigiLocker, etc., which collect expansive sensitive data about citizens. While the DPDP Act prohibits tracking or behavioural monitoring of children and targeting them with advertisements or recommendations based on their search patterns, Rule 11 of the draft rules exempts healthcare professionals, educational institutions and child care institutions under the conditions set out in the Fourth Schedule. The definition of 'educational institutions' is unclear, leaving it ambiguous whether private and online coaching centres are included.
There can be no dispute about the need to give paramount consideration to protecting children from the ill effects of the cyber world, but several provisions of the draft rules would be impossible to implement. The complexities of obtaining and verifying consent from millions of digitally illiterate parents could hinder children's access to online learning systems.
Data Protection Board: Independence in Question
Rules 16 to 20 and Schedules 5 and 6 (of the 22 rules and seven schedules in the draft DPDP Rules 2025) deal with the constitution of the Data Protection Board, a body whose members are appointed directly by the Government. The Board has the authority to hear user complaints and impose penalties. The chairperson is to be appointed through a search-cum-selection committee. The question remains how independent these appointees will be from government influence.
The powers and constitution of the Data Protection Board are another area of concern. It cannot take up cases in which government agencies (e.g., the Aadhaar authority) operate in violation of the provisions of the Act and rules. Many important aspects of the Act and the Rules are left to be "decided later by the government", which allows the government to issue executive orders at its convenience.
Government Surveillance?
The much-criticised aspect of the DPDP Act 2023, the principle that 'this does not apply to the government', is heavily reinforced by several provisions of the draft rules. Rule 5 allows the State and its instrumentalities to process individuals' data without obtaining fresh consent in order to provide subsidies, benefits, services, certificates, licences, etc. under law, and to retain that data indefinitely. The absence of a definition of 'State instrumentality', and the lack of clarity about what counts as the 'necessary' information to be collected (the proportionality principle), make this exemption highly controversial.
Rule 22 of the draft rules, which operationalises Section 36 of the Act, presents a frightening picture of state surveillance. It allows the central government to demand from companies any information falling under the Seventh Schedule and, curiously, prohibits companies from telling the concerned individuals that their data has been handed over to the government.
The Seventh Schedule lists three categories of purpose, each conferring sweeping powers on the government. The first, as usual, pertains to the country's sovereignty, integrity and security. The second covers information that aids the enforcement of, or compliance with, existing laws. The third is for carrying out an assessment in order to notify any Data Fiduciary, or class of Data Fiduciaries, as a Significant Data Fiduciary.
Governments all over the world often make draconian laws by introducing vague and ambiguous terms that are open to misinterpretation. The IT Act and the Telegraph Act, and the rules made under them, which permit arbitrary state intervention, are examples from India. Provisions that could compel journalists to reveal their sources (media organisations are also Data Fiduciaries) have earlier been criticised by the Editors Guild and other media organisations.
Govt. Data Access: No Safeguards for Users
The inclusion of this third category, which allows the Central Government to declare a Data Fiduciary a 'Significant Data Fiduciary' and to demand information from Data Fiduciaries or intermediaries without informing the Data Principal, raises serious constitutional concerns.
As per Section 10 of the Act, 'Significant Data Fiduciaries' are likely to include platforms such as Facebook, YouTube, X (formerly Twitter) and Instagram, which handle vast volumes of data; the specific threshold is to be notified later by the central government, as was done in the case of the IT Rules 2021.
The government's authority to obtain personal data without informing the individual, and without any mechanism to challenge the transfer, creates a situation in which citizens remain unaware of how their data is collected or interpreted by the State. This lack of transparency has a chilling effect, enabling unchecked data collection that could facilitate censorship, politically motivated or arbitrary surveillance, detention and imprisonment, all without due process. Such provisions directly undermine Fundamental Rights. If this is the case, what, then, is the true purpose of the law?
Your Voice Matters: Participate in the Consultation!
Apar Gupta, a digital rights advocate, points out that while the Telecom Act and other laws have established procedures, including written orders, for interception and for the seizure of digital devices (as part of criminal investigations), Rule 22 bypasses all such procedures. He explains, citing past experience in India, that complex provisions like the one in the IT Rules 2021 regarding end-to-end encryption (which has yet to be implemented?) are likely intended to threaten and control large platforms when needed.
Discussions on the draft Rules remain active, as the deadline for public feedback has been extended to March 5, 2025. The public can submit feedback on MeitY's official website (https://www.meity.gov.in/data-protection-framework). At present the discussion is largely focused on the practical challenges the rules pose for companies on the commercial side, while the more critical questions concerning the fundamental rights of citizens are not being adequately addressed.
Unfortunately, past experience offers little hope of a course correction from the government. Whether in the Shreya Singhal case, the Justice K.S. Puttaswamy case, or the recent striking down of the fact-checking provisions of the IT Rules, it is the courts that have repeatedly had to intervene to safeguard fundamental rights. For meaningful change to occur, citizens must proactively respond and give their feedback.
(The author is the president of the Democratic Alliance for Knowledge Freedom (DAKF); views are personal.)