India notified the Digital Personal Data Protection Rules, 2025 last week, two years after the passage of the Act on data protection. On the surface, the rules tick many boxes expected of a modern data protection framework. These include clearer notices regarding data usage and storage, mandatory disclosure of breaches, parental consent for those under 18 years of age, obligations for grievance redressal, and the provision to set up a digital Data Protection Board. Additionally, companies — data fiduciaries — now face greater accountability, including stricter audits for significant data fiduciaries, enhanced obligations for sensitive sectors, such as healthcare and finance, and fines of up to 250 crore rupees for lapses.
There is, however, serious concern over the anomalies embedded in the rules. Industry bodies like NASSCOM and IAMAI have warned that strict certification and compliance requirements, such as conducting annual data protection impact assessments and audits, could create barriers for start-ups and micro, small and medium enterprises. Among the most contested elements is Rule 23, which grants the government the power to demand personal data from any data fiduciary without the consent of the citizen. The reasons cited are expansive: national security, sovereignty, integrity of India, public order, or “any function of law”. That last phrase is as sweeping as it is vague. What is worse, the rules also impose a gag. If the government seeks an individual’s data under these exemptions, the company holding that data is barred from informing the citizen. Concurrently, Section 44(3) of the DPDP Act amends the Right to Information Act to prohibit the disclosure of almost all personal information. In essence, citizens are being told less while the State is entitled to know more. Do the rules then seek to invert the compact between State and citizen, ironically in the name of protecting the latter’s privacy? The structure of the Data Protection Board itself is also disquieting. It has been set up with four members appointed entirely by the Central government. Consequently, it is shorn of the structural autonomy expected of supervisory authorities under global standards. Citizens are being told that the law enhances their control over data, but the only part of the Rules that takes effect immediately is the one that tightens the State’s authority and restricts transparency. The provisions that ensure core rights will apply only after 18 months. India’s digital future deserves sturdier scaffolding than discriminatory powers and delayed public rights.





