The Draft Digital Personal Data Protection (DPDP) Rules, 2025 mark a significant milestone in establishing a robust data protection framework in India. However, critical gaps within the rules could impede their effectiveness and expose individuals to privacy risks if left unaddressed. These deficiencies highlight the need for clear guidelines and oversight to safeguard individual rights and uphold public trust.

One key concern lies in Rule 8, linked to Section 8(7) of the DPDP Act 2023, which permits data retention if deemed “necessary for compliance with any law.” The lack of a precise definition for “necessary” leaves room for arbitrary interpretations. For instance, an e-commerce platform could exploit this ambiguity to indefinitely retain user purchase histories, repurposing them for targeted advertising without user consent. Such practices breach privacy principles and erode trust in digital ecosystems, as individuals lose control over their data.

Rule 14, addressing cross-border data transfers under Section 16, is another area of concern due to its lack of specific standards. Without clear guidelines, sensitive data transferred to countries with weak privacy laws could be exposed to unauthorized access or exploitation. For example, health data shared with a foreign processor might be sold to third parties or used for profiling, posing serious risks to individual privacy and security. This absence of clarity could also impede India’s alignment with global data protection frameworks, affecting international trade and cooperation.

The broad exemptions provided to state instrumentalities under Section 17(2)(b) and Rules 5 and 15 also raise red flags. While these exemptions may be justified for public welfare purposes, the lack of oversight mechanisms increases the potential for misuse. For instance, a government agency could use data collected for welfare schemes to profile citizens for political campaigns, undermining trust in public institutions. Such practices would blur the lines between public service and data exploitation, raising ethical concerns about the use of state-collected data.

Lastly, Rule 4 linked to Sections 6(7) and 6(8), addressing the role of Consent Managers, fails to prevent conflicts of interest adequately. Consent Managers are tasked with managing, obtaining, and withdrawing user consent, a fiduciary responsibility requiring impartiality. However, the absence of safeguards could result in biased practices. For example, a Consent Manager with undisclosed financial ties to a social media platform might influence users into consenting to excessive data collection, compromising their rights and trust in the system.

Recommendations

To address these gaps, the DPDP Rules must incorporate explicit safeguards. Rule 8, in reference to Section 8(7), should include well-defined criteria for data retention, specifying lawful scenarios such as tax compliance, legal disputes, or regulatory requirements. Periodic audits should be mandated to ensure that retained data aligns with its intended purpose. For Rule 14, pursuant to Section 16, clear cross-border data transfer standards should be established, including mandatory encryption, anonymization, and assessments of recipient countries’ data protection frameworks. A list of approved jurisdictions with adequate privacy safeguards should be maintained to ensure secure transfers.

For Rules 5 and 15 as outlined in Section 17(2)(b), robust oversight mechanisms must be introduced to monitor state data processing and prevent misuse. Independent audits and mandatory disclosures should ensure transparency and adherence to purpose-specific data usage.

Finally, Rule 4, pursuant to Sections 6(7) and 6(8), should implement stringent conflict-of-interest checks for Consent Managers. Mandatory disclosure of financial ties, independent audits, and regulatory oversight are essential to uphold neutrality and transparency. These measures would ensure that Consent Managers act impartially, prioritizing the rights and interests of users.

By addressing these deficiencies through detailed guidelines and robust oversight, the DPDP Rules, 2025, can create a balanced and enforceable framework that protects individual privacy, aligns with global best practices, and fosters trust in India’s digital economy. A comprehensive approach will ensure that the rules not only meet the stakeholders’ expectations but also establish India as a leader in data governance.