Core Demand of the Question
- Major Concerns Arising from the DPDP Rules, 2025
- Reforms Needed to Strengthen the Data Protection Framework
Answer
Introduction
India’s push for a modern data protection regime began with the Justice B.N. Srikrishna Committee, promising strong safeguards after privacy became a fundamental right. Yet the Digital Personal Data Protection Rules, 2025 raise fresh concerns, making the debate on strengthening the framework more urgent than ever.
Major Concerns Arising from the DPDP Rules, 2025
- Excessive Delay & Staggered Rollout: Most key protections are postponed to 2027, undermining urgency despite eight years since privacy was declared a fundamental right.
Eg: The Rules give tech giants 12–18 months to comply, despite prior knowledge of the framework.
- Dilution of Right to Information (RTI): Public Information Officers can now refuse disclosure of almost any personal data, shrinking transparency.
Eg: Only information “already mandated by other laws” must be disclosed, an extremely thin category, reversing RTI reforms of the last 20 years.
- Weak Institutional Independence: The Data Protection Board of India (DPBI) operates under MeitY, making oversight of Big Tech conflict-ridden.
Eg: The same ministry courting investments from Google/Amazon/Meta will also investigate misuse of citizens’ data by them.
- Wide Exemptions for Government Agencies: The Rules do not curb the broad government exemptions granted under the parent Act, enabling unchecked State data access.
Eg: Agencies can continue processing personal data without rigorous safeguards in “national interest” or “public order”.
- Poor Consultation & Lack of Transparency: The draft rules saw limited revision despite a delayed consultation, and the final notification coincided with state election results.
Eg: Minimal changes made between the January draft and the November final Rules indicate superficial stakeholder engagement.
Reforms Needed to Strengthen the Data Protection Framework
- Time-Bound Implementation of Protections: Core safeguards must be operationalised immediately, not pushed to 2027.
Eg: Mandatory breach notifications and data minimisation norms should have a 3–6 month rollout window.
- Strengthen Independence of the DPBI: The Board should be autonomous, accountable to Parliament, not a ministry.
Eg: Models like the UK’s ICO or EU’s EDPB show that independent regulators boost enforcement credibility.
- Restore and Clarify RTI Safeguards: Amendments must balance privacy with transparency rather than blanket-denying personal information.
Eg: Allow disclosure of public-interest-related personal data (e.g., beneficiaries of welfare schemes) with safeguards.
- Narrow Government Exemptions: Exemptions must be specific, reviewable, and proportionate, with independent oversight.
Eg: Require a judicial or parliamentary review committee to approve blanket data-processing exemptions for agencies.
- Strengthen Industry Compliance & Accountability: The Rules should include stricter audits, penalties, and compulsory transparency reports for Big Tech.
Eg: Annual “data protection impact assessments” and independent audits similar to the EU GDPR regime.
Conclusion
The Digital Personal Data Protection Rules, 2025 mark progress in form but not in substance. Unless India strengthens oversight, restores transparency, and limits sweeping exemptions, the promise of the Srikrishna Committee and the constitutional right to privacy will remain unfulfilled, leaving citizens exposed in an increasingly digital state.