Data Protection Rules, 2025: Critics say it grants unchecked power to the state

While the legislation is positioned as India’s first framework to safeguard individual privacy and ensure informed consent, several critics and RTI activists have raised concerns about transparency and the weakening of the Right To Information Act.
A red color button on a black keyboard saying Data Protection with a lock symbol

The Ministry of Electronics and Information Technology on Thursday, November 14, notified the Digital Personal Data Protection Rules, 2025, bringing into force the Digital Personal Data Protection Act passed in 2023. The Rules set out how personal data must be collected, processed and protected by government bodies and private entities. With the notification, the amendment to the Right to Information Act also came into effect.

While the legislation is positioned as India’s first framework to safeguard individual privacy and ensure informed consent, several critics and RTI activists have raised concerns about transparency and the weakening of the Right To Information Act. It bars the disclosure of personal information about public officials even when such disclosure may advance public interest. 

Section 44(3) of the 2023 Act imposes a blanket restriction on releasing “personal information” without defining what the term covers. Section 8(1)(j) of the RTI Act states, “Information which relates to personal information and the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information.”

A key provision, Rule 23 of the DPDP Rules, allows the Union government to request personal information from any data fiduciary or intermediary for reasons such as the “sovereignty and integrity of India” or “security of the state”. Any authorised official may issue such notices and fix deadlines for compliance. This rule mirrors Section 36 of the Act, which also empowers the Union government to obtain information from the Data Protection Board, data fiduciaries or intermediaries. 

Although the Rules say that “intermediary” is defined under the Information Technology Act, 2000, they do not introduce safeguards to ensure transparency around these data requests, nor do they specify how fiduciaries will be notified or what timeline they must follow. This omission extends to reporting of data breaches as well.

The Rules do not prescribe any data security standards the government must follow while accessing or storing information obtained from data fiduciaries. They also do not state how long such data may be retained or the purposes for which it may ultimately be used. Government agencies are further exempted from informing users if their data has been accessed under official orders, and officials may prohibit disclosure of such requests to the affected individuals.

The absence of data minimisation requirements, appellate mechanisms to challenge government demands and clear definitions for broad terms like “sovereignty and integrity of India” has heightened concerns about unchecked surveillance and the possibility of restricting speech and dissent.

Cross-border data sharing under Rule 15 is narrowly permitted and only with foreign states or governments explicitly allowed by the Union government. The Rules also refrain from specifying retention limits for government-ordered data storage.

For private entities, the DPDP Rules outline how organisations must notify individuals, seek consent and process personal data. Data fiduciaries must issue clear, accessible notices listing the types of data being collected and the purposes for which it will be used. Withdrawing consent must be as simple as granting it. Handling the data of minors requires parental or guardian approval verified through official identification. In cases of data breaches, organisations must promptly alert affected users and the Data Protection Board, followed by a detailed report within 72 hours.

Entities must implement security measures such as encryption, data masking and audits, and maintain access logs for at least a year. Significant data fiduciaries must also conduct annual audits, prepare data protection impact assessments and ensure that their algorithms do not pose risks. Platforms like e-commerce companies, gaming firms and social media services with large user bases must store user data for three years. 

The Data Protection Board, newly established under the Rules, will oversee enforcement and grievance redressal. Board-related provisions take effect immediately, while most compliance requirements will roll out over the next 18 months.

The law has been in limbo since 2023 and has faced constant criticism for undermining privacy rather than protecting it. An earlier draft had included an exemption for journalistic work, which is common in privacy laws around the world, but this provision was later removed. Experts say this will make it harder for journalists to identify people involved in wrongdoing or even mention their official roles without risking action.

Since journalists would need express permission from individuals, and with fines going up to Rs 500 crore for each violation, the law is expected to hinder investigative reporting and free speech. Activists have also pointed out that the broad definition of “data fiduciary” could include journalists themselves, forcing them to comply with obligations they are not equipped to meet.

In a statement, the Internet Freedom Foundation said that the Rules “do not address key structural concerns repeatedly raised by civil society” and that large processing entities “gain greater discretion and benefit from opacity”. It further stated, “The DPDP Act, 2023 and its implementing DPDP Rules, 2025, instead of protecting citizens’ data rights, have created new barriers to transparency and individual freedoms.”

On Rule 23, the organisation warned that it grants “unchecked power” to the state to demand personal data without consent, using vague justifications such as national security. It stated that this could enable surveillance, over-collection of data and privacy violations, without judicial oversight or a necessity test. It also noted that data fiduciaries are barred from informing users about such demands, eliminating transparency around government access to personal data.

The IFF reiterated its call for restoring balance between privacy and transparency, reinstating exemptions for journalistic work, ensuring independent oversight, narrowing state surveillance powers and reforming intelligence laws. It said it remains ready to assist in developing a data protection framework that protects citizens’ rights and aligns with constitutional and international obligations.

The News Minute
www.thenewsminute.com