IFF’s Response to MEITY on the Draft Data Protection Rules

The Draft Data Protection Rules, 2025 weaken privacy rights, expand government surveillance, undermine RTI, and lack accountability, failing to meet constitutional standards for data protection in India.

tl;dr

The Digital Personal Data Protection Act, 2023 is to be operationalised by the Draft Digital Personal Data Protection Rules, 2025, which were put to a public consultation that ended on March 5, 2025. Our submission to MeitY is premised on a constitutional understanding of data protection and highlights key issues such as vagueness, violations of privacy rights and increasing executive control.

Background

The Digital Personal Data Protection Act, 2023 (“the Data Protection Act, 2023”) was enacted on August 11, 2023 following years of deliberation and several iterations. This version was rushed through Parliament without any meaningful deliberation after earlier drafts were scrapped. The Act suffers from excessive vagueness, and it was reasoned at the time that the details would be operationalised through delegated legislation in the form of rules and regulations. As part of this, the Ministry of Electronics and Information Technology (“MeitY”) released the draft Digital Personal Data Protection Rules, 2025 (“Draft Data Protection Rules, 2025”) for public consultation on January 3, 2025, about 18 months after the Act's passage in Parliament. Our submission to this consultation outlines the issues with the Draft Data Protection Rules, 2025 from a constitutional perspective. It focuses on data protection as an element within the fundamental right to privacy as per the Supreme Court’s decision in Justice (Retd.) K.S. Puttaswamy v. Union of India and Others.

Failure to meet Constitutional Privacy Standards

Several provisions of the Draft Data Protection Rules, 2025 fail to comply with the Supreme Court’s ruling in the Puttaswamy judgment, which established clear benchmarks for any infringement of privacy and required a data protection law to be made as part of the state's positive obligation to protect it. For instance, neither the statute nor the rules conform to the proportionality test; instead, they grant broad exemptions to government agencies regarding the protection of and access to personal data. This undermines principles such as purpose limitation and data minimisation. Specifically, provisions such as Rule 22 grant the Central Government unchecked authority to demand user data from Data Fiduciaries and intermediaries without any judicial oversight, transparency or safeguards, creating a parallel framework for state surveillance without any checks and balances. We present below a tabular view of the problems with Rule 22, for which we have called for a complete withdrawal.

| Principle | Rule 22 under draft Rules | Best Practices |
|---|---|---|
| Judicial Oversight | No requirement for court approval before data access | A court order or independent review before disclosure |
| User Notification | No obligation to inform users when their data is accessed | Users must be informed unless exceptions apply (e.g., active criminal investigations) |
| Scope of Government Access | Broad and vague terms like “sovereignty, security of the state” without clear reference to Article 19(2). | Data access must be justified and proportionate under clear legal frameworks. |
| Ability to Challenge Requests | No mechanism for Data Fiduciaries to challenge government demands. | Companies and individuals can appeal against overbroad requests. |
| Transparency Requirements | No requirement to disclose number or nature of requests. | Governments must publish transparency reports on data requests. |

Undermining RTI and Press Freedoms

The right to information, along with the right to privacy, is a constitutionally protected right in India. The Data Protection Act, 2023 had already damaged the right to information, which is supposed to co-exist with the right to privacy, by amending the RTI Act. Specifically, the amended Section 8(1)(j) of the RTI Act, 2005 prevents the disclosure of any information that is related to any “personal information”. This upsets a balance: the provision previously allowed personal information to be withheld if it bore no relation to public activity or interest and its disclosure would thereby constitute an unwarranted invasion of privacy. This change again departs from the proportionality test referenced in the Puttaswamy judgment, effectively allowing officials to refuse critical information simply by labeling it “personal.” The deficiencies of the principal law have been neither addressed nor mitigated by the Draft Data Protection Rules, 2025. We have authored an extensive analysis of these changes and, in addition to drawing attention to this in our submissions, have joined a broader campaign to #SaveRTI.

Expansion of Government Control and Reduced Accountability

A law does not enforce itself; it requires an authority or regulatory body to take charge. In press interactions, MeitY stated that the Data Protection Board would serve as an “independent authority” overseeing compliance, principally through its quasi-judicial powers to impose fines for “data breaches”. Its powers do not include the power to make regulations, but they do include the ability to summon individuals, examine evidence, and impose penalties. Given the Board's structure and staffing, we foresee that these powers will be exercised in a compromised and partisan manner. Rule 16 of the Draft Data Protection Rules, 2025 centralises its appointments, functioning, and decision-making within the executive branch, raising serious concerns about political influence and lack of autonomy. Since the Data Protection Board is controlled by the executive, this creates risks of bias in adjudication when the state itself is the biggest data fiduciary and processor. We highlight some of these problems in the table below; greater detail is contained in our submissions:

| Principle | Best Practices in Administrative Law | Draft Rules |
|---|---|---|
| Independence of Regulatory Bodies | Regulatory bodies must be free from government control, with transparent and independent selection processes. | Government-controlled appointments and funding, risking political influence. |
| Judicial Oversight & Review | Decisions must be subject to review by higher courts or legislative oversight. | No structured appeals process beyond internal government mechanisms. |
| Multi-Stakeholder Representation | The appointment process should include representatives from judiciary, civil society, and industry to ensure balance. | Search-cum-Selection Committee only includes government officials and experts handpicked by the executive. |
| Transparency and Accountability | Regulatory bodies must publish annual reports, transparency records, and disclose decision-making criteria. | No mandated transparency requirements or independent reporting obligations. |
| Protection Against Arbitrary Removal | Members should have fixed terms and removal only through judicial inquiry. | The government retains discretion to dismiss members, creating risks of political interference. |

Vague and Arbitrary Definitions Allow Misuse

The Draft Data Protection Rules, 2025 suffer from significant vagueness, creating the possibility of “pick and choose” enforcement. Poorly defined terms and a lack of clarity on key provisions enable state overreach, opaque corporate practices and inconsistent application. For instance, several critical terms remain vague or entirely undefined, including:

  • "Instrumentalities of the State" – Failure to specify which government-controlled entities are exempt from strict privacy norms, granting excessive discretionary power.
  • "Emergent Situation" – Without a legal or operational definition, this term could justify limitless state access to data without accountability.
  • "Research, Archiving, or Statistical Purposes" – The absence of specific standards cuts both ways: it allows prohibitions on researchers and transparency activists, and it allows companies to avoid seeking user consent by labelling commercial work as “research”.
  • "Significant Data Fiduciary (“SDF”)" – The criteria for classifying an entity as an SDF remain unclear, particularly regarding the measurement of data "volume" or "sensitivity."

The lack of specificity falls short of acceptable legal standards and best practices, as set out in the table below; we have provided further details in our submissions:

| Issue | Draft Rules | Best Practices (GDPR, UK DPA, OECD Guidelines) |
|---|---|---|
| Clarity of Definitions | Vague terms like "instrumentality of the state" and "emergent situation" allow for broad interpretation. | Clear definitions for key terms, ensuring precision and preventing abuse. |
| Legal Certainty | Ambiguous rules lead to inconsistent enforcement and compliance difficulties. | Well-defined obligations for businesses and the state, reducing uncertainty. |
| Government Access to Data | State agencies can invoke "national security" without an independent review. | Strict necessity and proportionality tests for government data access. |
| User Consent & Rights | No clear scope for user challenge if data is collected under exemptions. | Users have enforceable rights, including appeal mechanisms against data misuse. |
| Data Processing for Research & Statistical Purposes | No limits on how long or how broadly data can be collected under "research" exemptions. | Restrictions on secondary data use, ensuring user protection. |

A data protection law that does not protect Indians

The Draft Data Protection Rules, 2025 provided another opportunity for MeitY to ensure the protection of the privacy of ordinary Indians. While unsurprising, it is disappointing that they end up tightening a digital leash while containing poorly thought-out and poorly designed provisions. They mark a continuing failure to meet the constitutional thresholds set by the Supreme Court on the right to privacy. Through our recommendations, we call for substantial changes to the Draft Data Protection Rules, 2025, which in their current form are poorly considered and add to the trend towards digital authoritarianism.

Important documents 

  1. Digital Personal Data Protection Act, 2023 [Link]
  2. Draft Digital Personal Data Protection Rules, 2025 [Link]
  3. Our submissions to MeitY on the draft Rules [Link]
