DPDP: A missed shot at reform?
A major issue is the lack of digital literacy. Many Indians remain illiterate, engaging with technology without understanding its implications.
Chetan Singai
Harshita Kulkarni
Data protection representative image.

Credit: iStock Images

Technology has deeply permeated human life, creating widespread dependency. India, a leading hub for technology users and providers, is home to an estimated 462 million social media users and 751.5 million internet users as of 2024. These figures highlight the urgent need for robust legal frameworks to protect data and privacy. Despite the constitutional recognition of the right to privacy as fundamental, its journey to acknowledgment in India has been challenging.

A major issue is the lack of digital literacy. Many Indians remain illiterate, engaging with technology without understanding its implications. Even digitally literate individuals often lack awareness of critical data protection nuances, leaving them vulnerable to breaches and misuse. These challenges necessitate a comprehensive legal mechanism to safeguard individual rights, regulate entities misusing data, and empower citizens with digital rights awareness.

The Digital Personal Data Protection Act, 2023 (DPDP), aims to regulate and protect digital data collection in India. Enacted under the Union List of the Constitution, it seeks to establish control over digital and digitised data. In January 2025, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules to restructure the data protection framework. While promising, several components of these rules require a reassessment to ensure effective implementation.

The DPDP Act defines ‘State’ broadly, including all entities under Article 12 of the Constitution. This broad scope enables larger organisations to exploit the exemptions that are meant for legitimate use. A narrower definition limited to entities performing sovereign functions could prevent misuse. Moreover, the Act does not impose sufficient restrictions on data collection, storage, or sharing practices by the State, nor does it outline liabilities for government agencies in case of breaches. This creates an imbalance where private entities face accountability, while public institutions often evade scrutiny. A set of clear guidelines to ensure State accountability is critical to maintaining trust and protecting privacy.

The draft rules inadequately define the roles and responsibilities of Significant Data Fiduciaries (SDFs) that handle large-scale data processing. A lack of standardised formats for data collection notices could lead to vague or misleading consent practices. Additionally, the absence of a designated authority to monitor compliance weakens accountability.

Consent management is another crucial issue. While consent is foundational, the rules fail to address alternative mechanisms for individuals who withdraw or refuse consent. They also do not specify how data collected with prior consent should be treated after its withdrawal. With AI increasingly influencing consent processes, ensuring human consent becomes essential and non-negotiable. Clear guidelines on data retention post-withdrawal and transparency about opting-out consequences are also necessary to prevent exploitation.

The role of Consent Managers – designed to manage data principals’ consent – remains unclear. The absence of qualifications, responsibilities, and expertise requirements creates confusion, especially in potential overlaps with data fiduciaries. This ambiguity undermines the enforcement mechanisms and accountability in cases of breaches.

Data sharing and ethical concerns

The draft rules permit data sharing without consent under broad exemptions like public order or national security. However, these terms lack clear definitions, leaving them open to misuse. Transparent criteria for such exceptions are vital to avoid the undermining of privacy rights the Act seeks to protect.

Similarly, cross-border data transfer provisions are ambiguous. The Central Government can designate trusted jurisdictions for data sharing but lacks clear parameters for such decisions. This uncertainty disrupts international operations and collaborations. Establishing mechanisms for adequacy decisions and guidelines for cross-border data flows is necessary to ensure accountability and smoother exchanges.

Public-private collaborations also raise transparency concerns. Citizens must know who processes their data and the liability-sharing arrangements between public and private entities. Transparency is essential to ensure informed consent and protect the rights of data principals.

The draft DPDP Rules fall short of addressing critical gaps in India’s data protection framework, diluting the intent of the parent Act. Standardised notice formats, robust consent provisions, and clear roles for Consent Managers are essential reforms. Narrowing the definition of State and imposing strict accountability on public institutions can prevent misuse. Transparent criteria for data sharing exemptions and cross-border transfers are equally crucial to balancing global data flows with individual privacy.

To build trust, accountability, and robust data protection, these reforms are vital. Citizens’ vigilance and participation will also be key to shaping a framework that upholds privacy and data security. Without these measures, the DPDP Rules risk being a missed opportunity in India’s data governance journey.

(The writers teach at the School of Law, Governance and Public Policy, Chanakya University)

(Published 08 February 2025, 03:08 IST)