Digital Personal Data Protection (DPDP) Rules, 2025 – Privacy, Governance, and RTI Implications
Source: The Hindu, PIB
Relevance: GS Paper II – Government Policies & Interventions; Prelims (Digital Governance, DPDP Act 2023)
Key Concepts for Prelims and Mains:
For Prelims:
Digital Personal Data Protection Act, 2023 (DPDP Act), Digital Personal Data Protection Rules, 2025, Data Fiduciary, Data Principal, Consent Manager, Data Protection Board of India (DPBI), Informed consent, Right to erasure, Right to correction, Digital nominee, Data Protection Officer (DPO), Amendment to Section 8(1)(j) of RTI Act, 2005 – public interest exception removed
For Mains:
- Right to Privacy vs Right to Information
- India’s data protection model vs GDPR-type regimes
- Citizen-centric features of DPDP Rules
Why in News?
- The Digital Personal Data Protection (DPDP) Rules, 2025 were notified on November 14, 2025.
- This notification:
- Helps in the formation of the Data Protection Board of India (DPBI).
- Operationalises key parts of the DPDP Act, 2023, India’s general data protection law.
- Simultaneously enforces the controversial amendment to the Right to Information (RTI) Act, 2005 regarding “personal information”.
- While the Act was passed in August 2023, the Rules were released in draft form in January 2025 and finalised now after public consultation.
Background
(a) Privacy as a Fundamental Right
- In Justice K.S. Puttaswamy (2017), the Supreme Court held privacy to be a fundamental right under Article 21.
- This necessitated a comprehensive data protection law to regulate both state and private sector data processing.
(b) Long gestation of Data Protection Law
- 2017–2023: Multiple drafts (Srikrishna Committee draft 2018, subsequent government drafts) with changing contours.
- 2023: DPDP Act passed – more simplified, but also more state-friendly and with wider exemptions for government processing.
(c) Government’s Stated Rationale
- To safeguard citizens’ rights over their personal data.
- To operationalise the DPDP Act in line with India’s commitment to a robust digital data protection framework.
- To balance regulation and innovation, ensuring India’s digital economy and startup ecosystem continue to thrive.
- To address unauthorised commercial use of data, digital harms, and personal data breaches.
What are the Digital Personal Data Protection (DPDP) Act & Rules?
DPDP Act, 2023
- India’s equivalent of a GDPR-like data protection law.
- Defines:
- Data Principal – the individual whose data is processed.
- Data Fiduciary – entity (company/authority) that decides purpose and means of processing.
- Provides:
- Consent requirements.
- Rights to erasure, correction.
- Duties of Data Fiduciaries.
- Penalties for non-compliance.
- Establishment of the Data Protection Board of India (DPBI).
DPDP Rules, 2025
- These operationalise the Act.
- Lay down procedures for:
- Consent, grievance redressal, breach reporting.
- Digital functioning of DPBI.
- Compliance timelines.
- Graded obligations for Data Fiduciaries, especially Significant Data Fiduciaries (SDFs).
- Practical implementation of features like digital nominee and Consent Manager.
Key Features of the DPDP Rules, 2025
(A) Citizen-Centric & Rights-Based
- Rules “place citizens at the heart of the data protection framework.”
- Data Fiduciaries must provide clear and accessible information on:
- What data is collected
- For what purpose
- How it will be stored / processed
- Citizens are empowered with:
- Right to demand data erasure
- Right to correction / modification
- Right to grievance redressal via user-friendly mechanisms
- Right to appoint digital nominees to manage their accounts after death or incapacity
(B) Informed Consent & Control
- Provisions for informed consent and easy withdrawal enhance trust in digital platforms.
- Data principals can manage permissions centrally (with help of Consent Managers).
(C) Protection of Children
- Targeted advertising and certain forms of data collection for children are restricted.
- The Rules carve out a limited exemption for parents to track their children’s location, in the interest of safety.
When Do the DPDP Rules Apply?
- The Rules were notified on 14 November 2025, but most provisions will apply after 12–18 months.
- Immediate effect: Formation of the Data Protection Board and the RTI amendment.
- Later (2026–27): Consent system, erasure rights, DPOs, audits, breach reporting and all major compliance requirements.
Digital-First Approach & Institutional Framework
(A) Digital-by-Design Philosophy
- Rules “embrace a digital by design philosophy”:
- Consent mechanisms,
- Grievance redressal, and
- Functioning of the Data Protection Board are all envisaged as “born digital”.
- The DPBI will:
- Function as a digital office.
- Use an online platform & app for complaints.
- Allow citizens to get their complaints adjudicated without physical presence.
(B) Data Protection Board – Powers & Functioning
- DPBI will oversee:
- Complaints,
- Data breaches, and
- Non-compliance.
- While imposing penalties, the Board must consider:
- Nature and gravity of default,
- Efforts made to mitigate its impact,
- Whether the Data Fiduciary cooperated or provided voluntary undertakings.
- If a voluntary undertaking is accepted by the Board, the proceedings may be dropped – balancing enforcement with regulatory flexibility.
RTI Amendment: Changes, Issues & Controversy
(A) What has been amended?
- Section 8(1)(j) of the RTI Act, 2005 earlier said:
- Personal information need not be disclosed unless public interest justifies disclosure.
- DPDP Act removed this “public interest” carve-out.
- After notification of the Rules (Nov 14, 2025), the government has brought this amendment into force.
(B) Why controversial?
- Public information officers (PIOs) can now decline any personal information outright, even if public interest is strong.
- Activist concerns:
- Could block social audits (e.g. access to muster rolls, ration records, work logs).
- May be used to shield corruption and wrongdoing by invoking “personal information.”
- Overturns transparency gains made through RTI over the last two decades.
Significance of the Rules
(A) For Privacy
- Operationalise the fundamental right to privacy in the digital realm.
- Give citizens real tools to control their data: consent, erasure, grievance mechanisms.
(B) For Digital Economy
- Provide legal certainty to firms.
- Support India’s ambition of becoming a global digital and AI hub.
(C) For Governance
- Digital DPBI and digital workflows support:
- Speed,
- Transparency, and
- Ease of Living / Ease of Doing Business.
- Can create trust architecture around digital public infrastructure like UPI, DigiLocker, etc.
Challenges & Criticisms
(A) Institutional Independence
- DPBI will function as a subordinate office of MeitY → possible conflict of interest:
- MeitY courts investment from Big Tech
- And also supervises the body supposed to investigate their data mishandling.
(B) Delay in Implementation of Protections
- While over two years have passed since the Act, the Rules give firms up to 18 more months to comply.
- Many key citizen protections will be effective only near 2027, while RTI dilution is immediate.
(C) RTI Dilution & Transparency Deficit
- Removal of the public interest override from RTI is seen as a major blow to accountability.
- Transparency groups fear:
- Less ability to scrutinise misuse of funds, ghost beneficiaries, leakages in welfare schemes.
(D) Scope of Government Exemptions
- Government agencies enjoy broad latitude under DPDP Act for data processing.
- Critics say this could enable:
- Mass surveillance,
- Profiling,
- Weak accountability of the State.
(E) Operational & Compliance Issues
- Many smaller firms may struggle with:
- Building consent architecture,
- Upgrading security systems,
- Arranging impact assessments.
- DPBI’s capacity (staff, tech expertise, enforcement powers) is still uncertain.
Measures / Way Forward
(1) Strengthen DPBI Independence
- Place DPBI outside MeitY, with statutory autonomy and transparent appointment process.
(2) Restore Public Interest Safeguard under RTI
- Reintroduce “public interest” override in Section 8(1)(j).
- Ensure data protection law doesn’t become an excuse to block transparency.
(3) Narrow Government Exemptions
- Clearly define terms like “sovereignty”, “security of the State”, “public order”.
- Add parliamentary or judicial oversight for large-scale state data processing.
(4) Fast-Track Core Privacy Protections
- Roll out consent dashboards, erasure mechanisms, and breach notifications earlier than 2027, at least for big platforms.
(5) Clarify Cross-Border Data Transfer Rules
- Publish clear guidelines / whitelists for data transfers.
- Ensure adequacy and reciprocity in data protection with other jurisdictions.
(6) Build Capacity & Awareness
- Invest in technical, legal capacity of DPBI.
- Launch multilingual campaigns to educate citizens on:
- Their rights,
- Use of Consent Managers,
- How to file complaints.
(7) Privacy-by-Design in Public Platforms
- Make privacy a default principle in all new government digital services.
UPSC MCQ
Right to Privacy is protected as an intrinsic part of Right to Life and Personal Liberty. Which of the following in the Constitution of India correctly and appropriately imply the above statement? (2018)
(a) Article 14 and the provisions under the 42nd Amendment to the Constitution.
(b) Article 17 and the Directive Principles of State Policy in Part IV.
(c) Article 21 and the freedoms guaranteed in Part III.
(d) Article 24 and the provisions under the 44th Amendment to the Constitution.
Ans: (c)
CARE MCQ
With reference to the DPDP Rules, 2025, consider the following statements:
1. The Rules provide citizens with the right to erasure of their personal data.
2. Citizens may appoint digital nominees to manage their personal data after death or incapacity.
3. Consent withdrawal mechanisms must be as easy as giving consent.
Which of the statements given above is/are correct?
(a) 1 and 2 only
(b) 1 and 3 only
(c) 2 and 3 only
(d) 1, 2 and 3
Answer: (d) 1, 2 and 3
All three statements are correct.