DPDP Rules Draw 6,915 Inputs, Spark Clarity Concerns
New Delhi: The Draft Digital Personal Data Protection Rules, 2025, released by the Ministry of Electronics and Information Technology (MeitY) on January 3, 2025, to operationalise the Digital Personal Data Protection Act, 2023 (DPDP Act), have elicited 6,915 responses from citizens and stakeholders during the public consultation period ending February 18, 2025.
Designed to provide detailed guidelines for implementing the DPDP Act, which was passed in August 2023 to regulate digital personal data processing while balancing individual privacy rights with lawful data use, the draft rules have sparked debate over their ambiguities, compliance challenges, and potential to dilute the act’s privacy protections. Key controversies include vague standards for data processing, government influence over the Data Protection Board of India (DPBI), unclear parental consent mechanisms, and insufficient clarity on cross-border data transfers. These concerns, raised amidst India’s broader cybersecurity initiatives, highlight the challenges of translating the DPDP Act’s framework into actionable regulations.
The DPDP Act, enacted in 2023, establishes India’s first comprehensive data protection framework, emphasising individuals’ rights to control their personal data and imposing accountability on data fiduciaries, the entities that determine the purpose and means of processing personal data, for breaches. It mandates consent for such processing, outlines exemptions for state functions, and sets up the DPBI to enforce compliance. The Draft Rules, 2025, aim to provide operational details for the act’s provisions, such as consent notices, data breach notifications, and the DPBI’s functioning. Unlike the act, which sets broad principles, the rules specify procedural requirements, such as itemised consent notices, a 72-hour timeline for notifying the DPBI of a breach, and verification processes for children’s data. However, stakeholders argue that these rules introduce ambiguities not present in the act, creating uncertainty for businesses and potentially weakening privacy safeguards.
A primary point of contention is the rules’ lack of clear standards for data anonymisation and research exemptions. The DPDP Act allows exemptions for research, archiving and statistical purposes but does not detail anonymisation criteria, leaving it to the rules to clarify. Stakeholders argue that the draft rules fail to define these standards, which could result in inconsistent application and potential misuse. This contrasts with the act’s broader intent to protect data principals, the individuals whose data is processed, through clear privacy obligations. The absence of specific anonymisation guidelines in the rules risks undermining the act’s goal of robust data protection, which rests on the right to privacy recognised as a fundamental right in the 2017 Puttaswamy judgment.
The autonomy of the DPBI, established under the DPDP Act to oversee compliance and handle complaints, is another area of concern. While the act envisions the DPBI as an independent regulator, the draft rules grant the government significant control over its member appointments and operations, raising fears of compromised independence. The Internet Freedom Foundation has criticised this as a departure from the act’s intent, noting that the rules’ vague complaint-handling procedures could allow arbitrary state interventions. This issue is particularly significant given India’s cybersecurity framework, which includes the National Critical Information Infrastructure Protection Centre (NCIIPC) under Section 70A of the IT Act, 2000, and the Indian Computer Emergency Response Team (CERT-In) under Section 70B, both tasked with protecting critical infrastructure and responding to cyber incidents.
The rules’ approach to verifying parental consent for children’s data processing introduces practical challenges not fully addressed in the DPDP Act. The act requires verifiable consent but leaves implementation details to the rules. The draft rules mandate identity and age verification using self-declared information or government-issued IDs, but their lack of specific methods has drawn criticism for imposing compliance burdens, especially on smaller businesses. Exemptions for healthcare and educational institutions, intended to ease compliance, lack clear conditions, unlike the act’s broader exemptions for state and judicial functions. This ambiguity could lead to “consent fatigue” among parents, reducing protections for minors, a concern not explicitly raised in the act’s framework.
Cross-border data transfers are another point of divergence. The DPDP Act adopts a blacklist approach, permitting transfers to any country except those the central government restricts by notification, but the draft rules additionally require data fiduciaries to meet unspecified criteria that the government may prescribe by order, creating uncertainty. The rules also expand the government’s authority to compel data sharing under broadly defined circumstances, raising surveillance concerns not as prominent in the act’s provisions. This contrasts with the act’s narrower focus on restricting transfers to protect privacy, and sits alongside India’s cybersecurity efforts through the National Cyber Coordination Centre (NCCC) and CERT-In’s threat-monitoring roles.
Consent notices under the rules require data fiduciaries to provide itemised details of data collected and its purpose, a stricter requirement than the act’s general mandate for informed consent. The rules’ insistence on “independent” notices may force businesses to revise existing privacy policies, a challenge not explicitly outlined in the act. Similarly, while the act requires reasonable security measures, the rules’ generic mandates for encryption and access controls lack the specificity of the Information Technology (Reasonable Security Practices and Procedures) Rules, 2011, which referenced standards like ISO/IEC 27001. The rules’ uniform application across all data fiduciaries, regardless of data volume, adds compliance burdens not detailed in the act.
The government’s cybersecurity initiatives provide context for the development of these rules. Programmes like Cyber Security Awareness Month, Safer Internet Day, and the CyberShakti initiative, launched in October 2024 to train women in cybersecurity, complement the rules’ security requirements. The Information Security Education and Awareness (ISEA) programme, with 3,637 workshops reaching over 8.2 lakh participants, and resources on platforms like www.staysafeonline.in and www.csk.gov.in, promotes cyber hygiene. The Cyber Swachhta Kendra, operated by CERT-In, offers tools to combat malicious programs, while CERT-In issues advisories on emerging threats. However, the rules’ 72-hour breach notification requirement, while aligning with the act’s accountability provisions, lacks detailed guidance, creating implementation challenges not addressed in the act.
The phased implementation of the rules, with DPBI provisions taking effect immediately upon finalisation while others remain unscheduled, introduces uncertainty not present in the act’s broader framework. The 6,915 consultation inputs reflect significant stakeholder engagement, with critics like the Internet Freedom Foundation calling the rules “too vague” and delayed, given the 16-month gap since the act’s passage. As MeitY reviews feedback, the controversies underscore the challenge of translating the DPDP Act’s principles into clear, enforceable regulations that balance privacy, compliance, and India’s digital economy goals.
– global bihari bureau
