Expressing concern over the insufficient provisions of Digital Personal Data Protection Rules, 2025 (DPDP Rules) with several points of contention, the Internet Freedom Foundation (IFF) says the DPDP Rules are 'too little, too vague and too late'. Last week, the Union ministry of electronics and information technology (MeitY) released the long-awaited DPDP Rules.
"Upon a preliminary reading of the DPDP Rules, we find that several provisions fail to meet the constitutional requirements outlined in the KS Puttaswamy judgment, which explicitly stated that 'the matter shall be dealt with appropriately by the Union government, with due regard to what has been set out in this judgment'. At the outset, we express concern about the DPDP Rules' insufficient provisions with several points of contention. In a line, the DPDP Rules are 'too little, too vague and too late'. For example, terms like 'reasonable safeguards', 'appropriate measures', or 'necessary purposes' are used without adequate elaboration," IFF says in a statement.
Apart from the issues with the consultation process, IFF expressed preliminary concerns over five issues in the DPDP Rules. IFF's concerns include vagueness, over-reliance on discretionary powers, weak oversight and accountability mechanisms, overbroad exemptions for State processing and a step towards universal and mandatory registrations.
1. Vagueness: For instance, under Rule 5, in pursuance of Section 7(b) of the DPDP Act, the government has been allowed over-broad data processing powers in the context of the provision or issue of a subsidy benefit, service, certificate, licence, or permit. Further, Rule 6 on reasonable security safeguards for preventing personal data breaches is vague and requires more specifics.
2. Over-reliance on Discretionary Powers: Significant discretionary authority is granted to the Union government and data fiduciaries, such as determining exemptions (Rule 11), processing standards (Second Schedule), and data transfers (Rule 14). The exemption allowing for data retention for compliance with the law (Rule 8) from the general obligation for purpose limitation is unclear and may be potentially misused. The DPDP Rules also propose that the Union government can define the kind of data that significant data fiduciaries will have to localise within India's borders (Rule 12(4)). This gives the government a lot of power without clear criteria.
3. Weak Oversight and Accountability Mechanisms: The DPDP Rules do not establish strong enforcement or oversight mechanisms. While penalties may be levied, there is no explicit provision for independent audits or compliance monitoring. Here, the foundational deficiencies of the principal enactment, viz., the DPDP Act, bear repetition since it failed to create a regulatory framework through an independent data protection authority. Hence, large parts of the implementation and enforcement will be administered by the MeitY, raising apprehension.
4. Overbroad Exemptions for State Processing: The rules allow the State and its instrumentalities to process personal data for broad purposes, such as issuing subsidies, benefits, or services under laws, policies, or public funds (Rule 5). However, the lack of specificity regarding the scope and limits of such processing creates room for potential misuse. The language within them avoids the limitations that emerge from the Puttaswamy judgement on the principles of 'proportionality' and 'necessity' that are essential safeguards in any data protection regime.
5. A Step Towards Universal, Mandatory Registration: The requirement for verifiable parental consent (VPC) for children's data is contestable on multiple levels (Rule 10). There seems to be no internet-wide age gating and only individuals who identify themselves as children require VPC. Hence, if the government requires age verification (rather than self-declarations) to check if a user is a minor, it may, in future, require every online user to verify their age through government credentials. This holds the potential for mass surveillance with government IDs linked to every user's online credentials. These provisions also violate principles of data minimisation or retention limitations and risk over-collection and prolonged storage of personal data.
IFF says it is dismayed that, after such a long wait, the DPDP Rules have failed to meet the expectations of clear and detailed rules that would iron out the lacunae in the DPDP Act. "However, the DPDP Rules seem to be continuing the trend of the DPDP Act of vagueness, extensive powers to the executive and insufficient data protection principles. If passed into law, these draft rules will serve power and profit rather than the people of India."