On 13 November 2025, the Government of India released the Digital Personal Data Protection Rules, 2025 (“DPDP Rules, 2025”) and began a staggered rollout of the Digital Personal Data Protection Act, 2023 (“DPDP Act, 2023”). The Government also formally set up the Data Protection Board of India (DPB).
Only Sections 18–26 of the DPDP Act—those dealing with the creation and functioning of the DPB—take effect immediately. The crucial parts of the law that protect your personal data (Sections 3–17) will only begin 18 months from now, leaving citizens without meaningful privacy protections during this long gap.
The DPDP Rules follow the same pattern. Only the rules dealing with definitions and the DPB (Rules 1, 2, and 17–21) are active today.
Rules dealing with consent, notices, State access to data, security measures, user rights, cross-border data transfer and exemptions (Rules 3, 5–16, and 22–23) will be enforced after 18 months.
Rule 4, which governs consent managers, will apply after one year.
A Process Lacking Transparency
The making of these Rules has been criticised for being largely closed and non-transparent. Civil society groups—including the Internet Freedom Foundation (IFF)—submitted detailed feedback on earlier drafts, pointing out issues with definitions, lack of oversight, and weak protections for users’ rights. Unfortunately, very few of these recommendations appear in the final notified Rules.
Instead of strengthening user protection, the final Rules give more flexibility to large data-processing companies and more power to the State—while leaving ordinary users with fewer safeguards and less clarity.
Delays and Gaps: What the Rules Fail to Deliver
1. Rights Delayed by 18 Months
By postponing the implementation of key protections, the Government leaves a large gap where citizens have limited remedies, but data-collecting systems can continue to expand. IFF had urged the Government to avoid such long delays.
2. Notices Still Not Transparent
Although Rule 3 requires clear and plain-language notices, it still does not require companies to disclose:
- who exactly they share your data with,
- how long they keep it, or
- what safeguards exist for cross-border data transfers by the data fiduciaries.
3. Long Data Retention: A Step Toward Surveillance
- Rule 8(3) forces companies to store personal data, traffic logs, and processing records for at least one year. Significant Data Fiduciaries must store them for three years.
- Such long-term data logging goes against global privacy standards and increases the risk of profiling and long-term tracking.
4. Treating Government Applications as “User Accounts”
Rule 5 allows the government to treat applications for welfare schemes, licences, certificates or subsidies as creating “user accounts.” Combined with other rules on “techno-legal measures”, this could lead to more centralised government databases and stronger digital tracking, without proper safeguards or limits.
5. An Oversight Body That Isn’t Independent
The DPB is meant to be India’s main data protection authority. However, the Rules give the Central Government full control over appointments, terms, and removal of the Board members.
This raises concerns that the DPB may not act independently, especially when regulating government agencies.
Rule 23: The Biggest Red Flag
Rule 23 gives the government sweeping powers to demand personal data from any entity—telecom companies, platforms, apps—without needing user consent. The government can justify these demands with broad terms such as:
- national security,
- sovereignty,
- or “any function under any law.”
Worse:
- there is no requirement for judicial oversight,
- no necessity test,
- and companies are not allowed to inform users about government data demands.
This creates the possibility of secret, unchecked, large-scale data access, and moves India closer to a surveillance-oriented model—not a confidential, privacy rights-based one.
The Rules Fall Short of Constitutional Guarantees
- IFF had urged the Government to create Rules that reflect India’s constitutional values—especially the right to privacy recognised in K.S. Puttaswamy v. Union of India.
- However, the final Rules:
  - widen government exemptions,
  - weaken user rights,
  - encourage long-term data storage, and
  - give control of the data protection regulator to the executive.
- These choices make the overall framework less protective and more vulnerable to misuse.
Key Recommendations and Suggestions Going Forward
1. Restore Balance Between Privacy and Transparency
India needs amendments to:
- strengthen the Right to Information Act instead of weakening it,
- protect journalism and academic research,
- and prevent privacy from being misused to block public interest information.
2. Create a Truly Independent Data Protection Board
The DPB must be restructured so that it can act as a genuine watchdog—autonomous, transparent, and accountable.
3. Fix State Exemptions and Limit Surveillance Powers
- Rule 23 should be withdrawn or rewritten.
- Government access to data should be tied to strict, narrow grounds and must be overseen independently.
- India needs comprehensive surveillance law reform to protect citizens from unchecked monitoring.
4. Not a Serious Competitor to Europe's General Data Protection Regulation
India's DPDP Act, 2023 needs much more technical implementation compared to the EU GDPR, while companies now lead the technical advancements, well ahead of the DPDP Act, 2023.
Conclusion
The DPDP Rules, 2025 mark an important moment in India’s data protection journey, but they fall short of ensuring a strong, rights-based privacy framework. By prioritising government power and ease for large organisations over the rights of individuals, the Rules risk undermining the spirit of the DPDP Act itself.
The Internet Freedom Foundation remains committed to helping shape a framework that protects privacy, dignity, and democratic values. With 18 months before the full law comes into effect, the Government still has time to correct course and uphold the constitutional right to privacy.
Click to read the deep-dive analysis of the Digital Personal Data Protection Act, 2023 by cyber law advocate V. Jothiramalingam

