The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on November 14. The rules aim to give citizens control over their data, allow them to check for misuse, and protect their privacy in the online space, especially with increasing data breaches and privacy violations. The rules are expected to help citizens avoid spam calls and unauthorised access to their personal data, video, and voice via any digital means. Individuals under the rules get power to revoke their consent at any time they wish through consent managers.
One of the fundamental aspects of the DPDP Act is its emphasis on compliance requirements for data fiduciaries (companies) must handle personal data. This includes establishing clear mechanisms for obtaining user consent, ensuring transparency in data processing, implementing stringent security measures, and managing data breaches effectively. Moreover, the DPDP Act emphasises the alignment of data protection initiatives with the individual rights of data subjects, particularly important for vulnerable groups, such as children and persons with disabilities. The DPDP states that apps and platforms that serve children must obtain verifiable parental consent and avoid harmful data practices.
While the rules speak of its significance aimed at enhancing data privacy and security, several concerns are also flagged such as the extent of government discretion in enforcement when AI presents unique challenges for data protection, such as algorithmic bias, lack of transparency and the potential for misuse. Critics also argue that it might pose challenges, particularly for smaller organisations that might lack the resources or expertise required to meet stringent compliance standards. This disparity could inadvertently empower larger entities while marginalising smaller counterparts, potentially stifling innovation.
Another significant concern is the ambiguity present in definitions within the rules. Terms such as “sensitive personal data” or “data processing” may lack uniform interpretation, complicating compliance efforts. Moreover, the potential compliance burdens could deter startups and small businesses from entering the market, limiting competition.
One of the concerns is that the DPDP Act amends the Right to Information Act, 2005 by modifying Section 8(1)(j). This change raises concerns regarding transparency and the accountability of public officials. Under the original RTI provision, personal information could be disclosed if it was in the public interest and could not be withheld from parliamentary scrutiny. These safeguards played a critical role in exposing corruption, enabling active investigations into wrongdoing among public servants. However, the amended clause now states that “personal data” cannot be disclosed without clear specifications, leading to potential interpretations that may shield corrupt activities under the veil of privacy. RTI activists are raising alarms regarding the implications of the term “personal data” as it could hinder investigations into essential areas such as beneficiary lists for social programs, records of public servant transfers, postings, and disciplinary actions.
As India’s digital landscape continues to evolve, stakeholders must remain vigilant and responsive to the dual objectives of innovation and privacy. The rules present both challenges and opportunities that require collective commitment to a balanced approach that safeguards individual rights while also nurturing innovation.
