Data ProtectionDPDP Rules, 2025SaveOurPrivacyStatement

Internet Freedom Foundation’s statement on the Draft Digital Personal Data Protection Rules, 2025

Read our statement on the Draft Digital Data Protection Rules, 2025.

Internet Freedom Foundation
Internet Freedom Foundation

04 January, 2025
4 min read

On 3 January 2025, the Ministry of Electronics and Information Technology (“MeitY”) released the long-awaited Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) for public consultation. This was sixteen and a half months after the Digital Personal Data Protection Act, 2023 (“DPDP Act”) was enacted on 11th August, 2023. 

At the outset, the consultation process is marred by a checkbox approach in which public comments have been invited to the legal rules in Hindi and English. This is also without an explanatory note translated into regional languages. In effect, this restricts public comment to the most privileged - technical experts, lawyers, trade associations and companies––rather than the public. Further, a lack of transparency is likely to ensue due to the comments received during the consultation process being held in a “fiduciary capacity”. This most likely implies that MeitY will not make the received comments publicly available, or offer the opportunity of counter-comments. This is counter-productive to an open and transparent consultation process. IFF appeals that to encourage citizens, industry, and civil society participation, an approach note must be published in multiple languages inviting broad, diverse comments from communities and movements such as those who work on the right to transparency and entitlements. 

Upon a preliminary reading of the DPDP Rules, we find that several provisions fail to meet the constitutional requirements outlined in the K.S. Puttaswamy judgment [(2018) 8 S.C.R. 1], which explicitly stated: “The matter shall be dealt with appropriately by the Union Government, with due regard to what has been set out in this judgment”. At the outset, the Internet Freedom Foundation (“IFF”) expresses concern about the DPDP Rules’s insufficient provisions with several points of contention. In a line, the DPDP Rules are ‘too little, too vague and too late’. For example, terms like “reasonable safeguards”, “appropriate measures”, or “necessary purposes” are used without adequate elaboration.

Apart from the issues with the consultation process, our preliminary concerns with the DPDP Rules, 2025 are as follows:

  1. Vagueness: For instance under Rule 5, in pursuance of Section 7(b) of the DPDP Act,  the Government has been allowed overbroad data processing powers in the context of the provision or issue of a subsidy, benefit, service, certificate, licence, or permit. Further, Rule 6 on reasonable security safeguards for preventing personal data breaches is vague and requires more specifics. 

  1. Over-reliance on discretionary powers: Significant discretionary authority is granted to the Union Government and Data Fiduciaries, such as determining exemptions [Rule 11], processing standards [Second Schedule], and data transfers [Rule 14]. The exemption allowing for data retention for compliance with the law [Rule 8] from the general obligation for purpose limitation is unclear and may be potentially misused. The DPDP Rules also propose that the Union Government can define the kind of data that Significant Data Fiduciaries will have to localise within India’s borders [Rule 12(4)]. This gives the Government a lot of power without clear criteria. 

 

  1. Weak Oversight and Accountability Mechanisms: The DPDP Rules do not establish strong enforcement or oversight mechanisms. While penalties may be levied, there is no explicit provision for independent audits or compliance monitoring. Here, the foundational deficiencies of the principal enactment viz. the DPDP Act bear repetition since it failed to create a regulatory framework through an independent Data Protection Authority. Hence, large parts of the implementation and enforcement will be administered by the Ministry of Electronics and Information Technology raising apprehension.

  1. Overbroad Exemptions for State Processing: The rules allow the State and its instrumentalities to process personal data for broad purposes, such as issuing subsidies, benefits, or services, under laws, policies, or public funds [Rule 5]. However, the lack of specificity regarding the scope and limits of such processing creates room for potential misuse. The language within them avoids the limitations that emerge from the Puttaswamy judgement on the principles of, “proportionality” and, “necessity” that are essential safeguards in any data protection regime.  

 

  1. A step towards universal, mandatory registration: The requirement for Verifiable Parental Consent (“VPC”) for children’s data is contestable on multiple levels[Rule 10]. There seems to be no internet-wide age gating and only individuals who identify themselves as children require VPC. Hence, if the Government requires age verification (rather than self-declarations) to check if a user is a minor, it may in future require every online user to verify their age through Government credentials. This holds the potential for mass surveillance with Government IDs linked to every user's online credentials. These provisions also violate principles of data minimization or retention limitations and risk over-collection and prolonged storage of personal data.

IFF is dismayed that after such a long wait the DPDP Rules have failed to meet the expectations of clear and detailed rules that would iron out the lacunae in the DPDP Act. However, the DPDP Rules seem to be continuing the trend of the DPDP Act of vagueness, extensive powers to the executive and insufficient data protection principles. If passed into law, these draft rules will serve power and profit rather than the people of India. 

We are committed to providing the digital rights community and the broader members of the public a detailed analysis that enables them to effectively participate and bring pressure on the Union Government to respect our fundamental right to privacy. Towards this IFF undertakes to collaborate with civil society groups, make its material and analysis freely available and also to organise briefing calls in the coming week. 

Public Participation Information: 

Link to the DPDP Rules: https://drive.google.com/file/d/1_qk5myygvN3iI79HSEpTU1kRR0wyDoUv/view?usp=sharing 

Link to the DPDP Rules Explanatory Note: https://drive.google.com/file/d/1m_c5GhEKos22voARjknN8Z1Pxf713Mek/view?usp=sharing 

Participation link through MyGov: https://www.mygov.in/ 

Last date for comments: 18th February, 2025

Donate Now

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Supreme Court issues notice in Sushant Singh's transfer petition challenging website blocking

Sushant Singh has sought transfer of his writ petition from the Bombay High Court to the Supreme Court, challenging Rules 8 and 16 of the IT Blocking Rules, 2009. On 02.05.2025, the Supreme Court issued notice and tagged it with SFLC’s pending petition raising similar issues.

6 min read

2
Section 44(3) and the Systematic Dismantling of the RTI Act: A Fact Check to Ashwini Vaishnaw

Section 3 has no relevance to the RTI amendment, and Mr. Ashwini Vaishnaw's response fails to address the core concern: Section 44(3) weakens citizens’ right to information and transparency in governance. IFF does a fact check. 

6 min read

3
Budget Session 2025: A Digital Rights Review

The Budget Session of Parliament, held from January 21 to April 4, 2025, included a recess from February 13 to March 10 for Standing Committee reviews. Key discussions covered various national issues, including digital rights and freedoms.

12 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!