As India races forward with its ambitious digital transformation, the government’s enactment of the Digital Personal Data Protection Act, 2023 and the subsequent publication of the operational framework in the draft Digital Personal Data Protection Rules, 2025 signal an important step in safeguarding citizens’ privacy. In digital ecosystems, privacy is not merely a legal issue — it is the cornerstone of a democratic society. Strengthening India’s data protection framework is not just about compliance, it is about preserving the trust between citizens and the digital institutions that serve them. While the current framework is robust in intent, it needs fine-tuning to effectively balance innovation with individual rights.
At its heart, the Act is designed to empower every Indian with control over his or her personal information. It mandates that data must be processed only with free, specific, informed, and unambiguous consent. Yet, as the draft rules roll out in staggered phases, concerns abound that vague terminology and unclear timelines might leave citizens exposed. For the framework to be effective, clarity is essential, especially regarding when specific rules come into force and how data fiduciaries should operationalise their obligations. Although staggered implementation is practical, industry observers stress that rules related to data processing practices and the rights of data principals should have a clearly defined deadline. This would give businesses, regulators, and consumers alike the legal certainty needed to transition to the new regime without confusion or haphazard compliance measures.
Another key area is the role of consent managers. Although the Act defines them as the single point of contact for individuals to manage their digital consent, the draft rules fall short when it comes to explaining what this role should entail. There must be an explicit definition of the responsibilities and the liabilities of consent managers. Should consumers be forced to channel their privacy rights through intermediaries, or should they be empowered to deal directly with data fiduciaries? Clarifying this relationship is essential to avoid conflicts of interest, as the same entity might be tasked both with facilitating consent and managing data processing operations.
Transparency also emerges as a recurrent theme, yet the draft rules lack a standardised notice format that data fiduciaries must provide to data principals. Such a format would outline, in plain language, the specifics of how personal data is processed, the purpose of such processing, and the rights available to individuals. Imagine receiving a one-page document when you sign up for an online service that clearly explains how your data will be used — no legalese, just clear, accessible information. This simple change could transform the digital landscape by ensuring that citizens are not left in the dark about how their sensitive information is handled.
Cybersecurity is yet another area that demands urgent attention. With data breaches making headlines worldwide, the concept of reasonable security safeguards needs to be defined on a par with international standards. We propose that the rules should explicitly reference best practices and technical standards, ideally subject to annual third-party audits and certifications. By doing so, India would not only bolster its defences against cyberattacks but also instil public confidence in the safety of digital transactions. For the citizen, knowing that his or her personal data is guarded as per industry-recognised protocols would be a significant reassurance in today’s increasingly interconnected world.
Beyond these operational issues, a broader and more forward-looking concern involves the rise of Artificial Intelligence. AI-powered tools and algorithms are transforming industries, yet they also pose new privacy risks — from opaque surveillance techniques to biased decision-making systems. Notably, the current rules remain largely silent on how AI impacts data protection. It is high time that the regulatory framework explicitly addresses algorithmic accountability. This means establishing a right to explanation for decisions driven by AI and ensuring that automated processes do not trample on the rights of data principals. Such measures would align India with global best practices and position the country as a leader in ethical AI governance.
The use of personal data by the State also requires careful calibration. While the Act permits the government to process data under certain circumstances, any such exception must be accompanied by stringent ‘no-harm’ conditions. In other words, even when data is processed by State entities for public purposes — whether to deliver benefits, services, or to enforce the law — it must be done in a way that minimises any potential harm to individual privacy. Oversight mechanisms, including judicial review, should be robust enough to hold State agencies accountable. This is crucial not only for protecting civil liberties but also for sustaining public trust in the digital governance framework.
Critically, we must ensure that vulnerable groups are adequately protected. For instance, while the draft rules include provisions for children and persons with disabilities, further clarifications are needed on these categories. Parents or guardians are currently positioned as the data principals for minors and individuals with disabilities, but this raises questions about autonomy and potential overreach. The regulatory framework must be calibrated in a way that respects the rights of these individuals while acknowledging the role of caregivers, ensuring that the digital footprint of society’s most vulnerable members is not exploited.
Further, there is a need for accountability and continuous improvement. Rather than being treated as static legislation, the Digital Personal Data Protection Act and its accompanying rules should be seen as living instruments, ones that must evolve in response to emerging challenges. Annual transparency assessments, periodic audits, and clearly defined redressal mechanisms are not merely bureaucratic exercises; they are essential tools for ensuring that data protection remains dynamic and responsive to technological advancements and societal needs.
While the Digital Personal Data Protection Act, 2023 and the corresponding draft rules represent commendable progress, the road ahead is paved with challenges. For these laws to serve their true purpose, it is imperative that the recommendations put forth by stakeholders be taken seriously. By tightening timelines, clarifying the roles of consent managers, standardising notices, fortifying cybersecurity protocols, and explicitly addressing the implications of AI, India can forge a data protection regime that is both robust and forward-looking.
Prabhat Mishra and Nupur Chowdhury are with the Centre for the Study of Law and Governance, Jawaharlal Nehru University