Too little, much later: on the Digital Personal Data Protection Rules, 2025

Context & The Gist

The article addresses the recent notification of the Digital Personal Data Protection Rules, 2025, following the passage of the Digital Personal Data Protection Act, 2023. It critiques the Rules for delaying key privacy protections until 2027, while immediately implementing provisions that weaken the Right to Information (RTI) Act, thereby undermining transparency and accountability. This raises concerns about the balance between data protection and citizens’ right to access information.

Key Arguments & Nuances

• Dilution of RTI Act: The Rules authorize Public Information Officers (PIOs) to deny personal information requests beyond what is already legally mandated for publication, significantly restricting access to information and hindering accountability.
• Delayed Implementation of Protections: Crucial data protection safeguards are postponed to 2027, offering limited immediate relief to citizens.
• Weak Institutional Framework: The Data Protection Board of India (DPBI) operates under the Ministry of Electronics and Information Technology (MeitY), raising concerns about its independence and potential conflicts of interest, particularly given the government’s efforts to attract investment from large tech companies.
• Lack of Good Faith: The extended consultation period and the timing of the Rules’ release (during election results) suggest a lack of genuine commitment to transparency and citizen engagement.
• Favorable Conditions for Big Tech: The Rules provide a lengthy compliance timeline for technology companies, minimizing disruption to their operations.

UPSC Syllabus Relevance

• GS Paper II: Governance – Issues relating to development and management of Social Sector/Services relating to Health, Education, Personal Data Protection and related issues.
• GS Paper II: Polity – Constitutional provisions relating to Fundamental Rights (Right to Privacy) and the role of statutory bodies.
• GS Paper III: Science and Technology – Developments in the field of Information Technology and its impact on Indian economy and society.

Prelims Data Bank

• Right to Privacy: Declared a fundamental right by the Supreme Court in K.S. Puttaswamy v. Union of India (2017).
• Digital Personal Data Protection Act, 2023: Enacted to provide a framework for the protection of digital personal data.
• Right to Information Act, 2005: Provides citizens the right to access information held by public authorities.
• Data Protection Board of India (DPBI): The regulatory body established under the DPDP Act, 2023.

Mains Critical Analysis

The Digital Personal Data Protection Rules, 2025, present a complex interplay of governance, privacy, and transparency. A PESTLE analysis reveals:

• Political: The Rules reflect a prioritization of economic interests (attracting foreign investment) over citizen rights, particularly the right to information.
• Economic: The extended compliance timeline benefits large technology companies, potentially hindering the growth of domestic data protection industries.
• Social: The dilution of the RTI Act erodes public trust and accountability, impacting citizen participation in governance.
• Technological: The Rules acknowledge the evolving digital landscape but lack a robust framework for addressing emerging data protection challenges.
• Legal: The Rules’ interpretation and implementation will be crucial in determining their effectiveness and consistency with the parent Act and constitutional principles.
• Environmental: (Not directly applicable in this context).

A key critical gap is the lack of genuine independence for the DPBI, which compromises its ability to effectively regulate data protection practices. The immediate implementation of provisions weakening the RTI Act, coupled with the delayed implementation of privacy protections, raises serious concerns about the government’s commitment to both transparency and data security.

Value Addition

• Justice Srikrishna Committee (2018): Recommended a comprehensive data protection framework for India, which formed the basis for the initial draft of the DPDP Bill.
• K.S. Puttaswamy v. Union of India (2017): Landmark Supreme Court judgment declaring privacy a fundamental right under Article 21 of the Constitution.
• European Union’s GDPR: A globally recognized data protection standard that emphasizes user consent and data minimization.
• Quote: “Transparency is to government what eyes are to a man.” – Louis Brandeis

The Way Forward

• Immediate Measure: Review and amend the Rules to restore the original intent of the RTI Act and ensure citizens’ access to personal information held by public authorities.
• Long-term Reform: Establish a truly independent DPBI with adequate resources and powers to effectively enforce data protection regulations. Strengthen the institutional mechanisms for citizen engagement and oversight of data protection practices.