Thursday, March 06, 2025

IFF’s Response to MEITY on the Draft Data Protection Rules

Media Nama: National: Thursday, 6th March 2025.
The Draft Data Protection Rules, 2025 weaken privacy rights, expand government surveillance, undermine RTI, and lack accountability, failing to meet constitutional standards for data protection in India.
The Digital Personal Data Protection Act, 2023 is to be operationalised by the Draft Digital Personal Data Protection Rules, 2025, which were put to public consultation ending on March 5, 2025. Our submission to MeitY is premised on a constitutional understanding of data protection, highlighting key issues such as vagueness, violations of privacy rights and increasing executive control.
Background
The Digital Personal Data Protection Act, 2023 (“the Data Protection Act, 2023”) was enacted on August 11, 2023 following years of deliberation and several iterations. This version was rushed through parliament without any meaningful deliberation after earlier drafts were scrapped. The Act suffers from excessive vagueness, and it was reasoned at the time that these details would be operationalised by delegated legislation in the form of rules and regulations. As part of this, the Ministry of Electronics and Information Technology (“MeitY”) released the draft Digital Personal Data Protection Rules, 2025 (“Draft Data Protection Rules, 2025”) on January 3, 2025 for public consultation, about 18 months after the Act's passage in parliament. Our submission to this consultation outlines the issues with the Draft Data Protection Rules, 2025 from a constitutional perspective. It focuses on data protection as an element within the fundamental right to privacy as per the Supreme Court’s decision in Justice (Retd.) K.S. Puttaswamy v. Union of India and Others.
Failure to meet Constitutional Privacy Standards
Several provisions of the Draft Data Protection Rules, 2025 fail to comply with the Supreme Court’s ruling in the Puttaswamy judgment, which established clear benchmarks for any infringement of privacy and required a data protection law to be made as per a positive obligation of the state to protect it. For instance, neither the statute nor the rules conform to the proportionality test, and instead they grant broad exemptions to government agencies regarding the protection of and access to personal data. This undermines principles such as purpose limitation and data minimisation. Specifically, provisions such as Rule 22, by granting the Central Government unchecked authority to demand user data from Data Fiduciaries and intermediaries without any judicial oversight, transparency or safeguards, create a parallel framework for state surveillance without any checks and balances. We have presented a tabular view of the problems with Rule 22, for which we have called for a complete withdrawal.
Undermining RTI and Press Freedoms
The right to information, along with the right to privacy, is a constitutionally protected right in India. The Data Protection Act, 2023 had already damaged the right to information, which is supposed to co-exist with the right to privacy, by amending the RTI Act. Specifically, the amended Section 8(1)(j) of the RTI Act, 2005 prevents the disclosure of any information that is related to any “personal information”. This upsets a balance: the provision previously allowed withholding of personal information if it bore no relation to public activity or interest and thereby constituted an unwarranted invasion of privacy. This change again departs from the proportionality test referenced in the Puttaswamy judgment, effectively allowing officials to refuse critical information simply by labelling it “personal.” The deficiencies of the principal law have been neither addressed nor mitigated by the Draft Data Protection Rules, 2025. We have authored an extensive analysis of these changes and, in addition to drawing attention to this in our submissions, have joined a broader campaign to #SaveRTI.
Expansion of Government Control and Reduced Accountability
A law does not enforce itself and requires an authority or a regulatory body to take charge. Here, MeitY stated in press interactions that the Data Protection Board would serve as an “independent authority” overseeing compliance, principally through its quasi-judicial powers to impose fines for “data breaches”. While its powers do not include the power to make regulations, they do include the ability to summon individuals, examine evidence, and impose penalties. We foresee that these powers will be exercised in a compromised and partisan manner given the Board's structure and staffing. Rule 16 of the Draft Data Protection Rules, 2025 centralises its appointments, functioning, and decision-making within the executive branch, raising serious concerns about political influence and lack of autonomy. Since the Data Protection Board is controlled by the executive, this creates risks of bias in adjudication when the state itself is the biggest data fiduciary and processor. We are highlighting some of the problems with this in the table below, greater detail on which is contained within our submissions:
Vague and Arbitrary Definitions Allow Misuse
The Draft Data Protection Rules, 2025 suffer from significant vagueness, creating the possibility of “pick and choose” enforcement. Poorly defined terms and a lack of clarity on key provisions enable state overreach, opaque corporate practices and inconsistent application. For instance, several critical terms remain vague or entirely undefined, including:
  • "Instrumentalities of the State": Failure to specify which government-controlled entities are exempt from strict privacy norms, granting excessive discretionary power.
  • "Emergent Situation": Without a legal or operational definition, this term could justify limitless state access to data without accountability.
  • "Research, Archiving, or Statistical Purposes": The absence of specific standards allows both prohibitions on researchers and transparency activists and exemptions for companies from seeking user consent, by misusing the term and labelling commercial work as “research”.
  • "Significant Data Fiduciary (“SDF”)": The criteria for classifying an entity as an SDF remain unclear, particularly regarding the measurement of data "volume" or "sensitivity."
The lack of specificity falls short of acceptable legal standards and best practices, as set out in the table below, for which we have provided further details in our submissions:
A data protection law that does not protect Indians
The Draft Data Protection Rules, 2025 provided another opportunity for MeitY to ensure the protection of the privacy of ordinary Indians. While unsurprising, it is indeed disappointing that they end up tightening a digital leash while containing poorly thought-out and poorly designed provisions. They mark a continuing failure to comply with and meet the constitutional thresholds set by the Supreme Court on the right to privacy. Through our recommendations, we call for substantial changes to the Draft Data Protection Rules, 2025 in their current form, for being poorly considered and for increasing the trend towards digital authoritarianism.
Important documents
  1. Digital Personal Data Protection Act, 2023 [Link]
  2. Draft Digital Personal Data Protection Rules, 2025 [Link]
  3. Our submissions to MeitY on the draft Rules [Link]