Joint submission on the Digital Personal Data Protection Rules, 2025 by Article 21 Trust and Rethink Aadhaar

The Ministry of Electronics and Information Technology had invited comments on the Draft Digital Personal Data Protection Rules, 2025. The Rules were framed and put in the public domain almost 1.5 years after the Digital Personal Data Protection Act, 2023 was passed by Parliament. The drafting of the Rules takes the operationalisation of the Act one step closer, but the Rules leave much to be desired.

Presented below is a summary of the main concerns with the Rules and corresponding recommendations. The full submission can be found here.

1. The Government intends to further delay the implementation of the Act by empowering itself to notify different provisions of the Rules at different times, without any outer limit. We recommend operationalising all provisions of the Rules within one year.

2. The requirement of notice for data collected prior to the commencement of the Act is vague and provides too much discretion to data fiduciaries. We recommend that notice for data collected prior to commencement of the Act be provided within one year.

3. The Central Government has reserved with itself wide powers to notify any database held with the state or any of its instrumentalities for sharing across state entities. This could potentially include databases containing sensitive personal data like biometric data. We recommend laying down strict parameters for notifying such databases only to the extent necessary.

4. Vague language dilutes the mandate for data fiduciaries to intimate data principals of any data breach. We recommend specifying a deadline of 72 hours after detection of a breach for intimating the data principals.

5. No expiry date has been prescribed for data being held by the state, after the purpose is no longer being served. We recommend two years as the deadline for all data fiduciaries, including the state.

6. While trying to prevent the profiling of children, the Rules enable profiling of adults in the name of verifying that a person claiming to consent on behalf of a child is indeed an adult. This amounts to requiring KYC of internet users, which is disproportionate to the problem sought to be remedied. We recommend amending the Rule to comply with the Act.

7. The Rules provide no timeline for responding to requests from data principals to exercise their rights or to their grievances. We recommend that all such requests and grievances be addressed within one month from the date of receipt.

8. No exemption is provided for journalistic work. We recommend providing exemptions for journalistic purposes.

9. The search-cum-selection committee for appointment of members of the Data Protection Board is executive-heavy. We recommend that the committee consist of the Chief Justice of India / a sitting SC judge nominated by him, the Cabinet Secretary and an independent expert.

10. Going expressly against the very principle of data protection, the government enables itself to call for any information from any data fiduciary or intermediary. We recommend that such information should not contain any personal data through which an individual can be identified.