Reference Article: Editorial | The Hindu – Too little, much later: on the Digital Personal Data Protection Rules, 2025
UPSC Relevance:
– GS Paper II: Governance, Transparency, and Accountability
– GS Paper III: Cybersecurity, Privacy, and Digital Governance
Eight years after the Supreme Court’s landmark Puttaswamy judgment (2017) recognised privacy as a fundamental right, India’s data protection regime continues to struggle between ambition and execution. The Digital Personal Data Protection Rules, 2025, notified on November 14, 2025, mark the latest stage in this long journey. However, instead of fortifying privacy, the Rules largely delay core protections, weaken transparency, and consolidate governmental control over citizens’ data.
Key Features and Issues
- The 2025 Rules operationalise the Digital Personal Data Protection Act, 2023, but push most user protections to 2027, effectively postponing accountability for both state and private entities.
- The Rules immediately dilute the Right to Information (RTI) Act, 2005, allowing public information officers to deny any personal information except what is mandated for publication by other laws — a major setback to transparency and citizen oversight.
- The Rules provide 12–18 months of compliance time for major tech firms such as Google, Meta, and Amazon, despite their long-standing familiarity with global privacy standards, signalling regulatory leniency.
- Institutional independence is compromised as the Data Protection Board of India (DPBI), the supposed watchdog, will function under the Ministry of Electronics and Information Technology (MeitY). This creates a conflict of interest, since MeitY also promotes the same tech firms it is meant to regulate.
- Civil society’s concerns over opaque drafting processes persist — the final Rules were released with minimal public consultation, coinciding with the distraction of Bihar election results.
Implications for Privacy and Governance
- The government and private corporations retain broad powers to collect, process, and share citizens’ data, undermining the core purpose of privacy protection.
- By creating a weak oversight mechanism, the Rules risk institutionalising state surveillance under the veneer of regulation.
- The amendment to the RTI Act reverses years of progress in transparency and accountability, making it harder for citizens to scrutinise public institutions.
- The absence of an independent appellate mechanism or clear redress pathways for citizens limits recourse against data misuse or breaches.
- Digital asymmetry between citizens and corporations is further entrenched — individuals remain data subjects, while Big Tech and the state remain data sovereigns.
Concerns in Policy Design
- The Rules suffer from a lack of clarity on enforcement, data minimisation principles, and cross-border data transfer safeguards.
- The delayed implementation of privacy norms erodes public trust, signalling that privacy protection is secondary to ease of doing business.
- The “consent fatigue” model, which assumes that clicking “agree” amounts to informed consent, remains unaddressed.
- The law’s focus on compliance formalities rather than structural accountability means systemic privacy risks will persist for years.
Way Forward
- Institutional Independence: The DPBI should be made a statutory independent authority, similar to global regulators like the EU’s European Data Protection Board.
- Restoration of Transparency: The RTI Act must be reinstated to its original spirit, ensuring that privacy is not weaponised to restrict public access to information.
- Implementation Timelines: Privacy protections should be front-loaded, not deferred. Immediate enforcement of data rights can drive compliance and accountability.
- Public Awareness: Citizens must be educated about their data rights, grievance redressal mechanisms, and the importance of informed consent.
- Global Alignment: India should align with GDPR principles on purpose limitation, data minimisation, and portability to ensure credibility in global data governance.
Conclusion
The Digital Personal Data Protection Rules, 2025, represent a missed opportunity to institutionalise privacy in India’s digital architecture. Instead of empowering citizens, the framework reinforces state dominance, weakens transparency, and defers accountability. Eight years after privacy became a constitutional right, Indians still live in a system where their data remains exposed to both state scrutiny and corporate exploitation. A robust, transparent, and independent data protection regime is imperative to transform privacy from a promise on paper to a practice in reality.
UPSC Practice Question:
India’s Digital Personal Data Protection Rules, 2025, defer privacy protections and weaken transparency. Critically examine the challenges they pose to constitutional rights and data governance.