Context: Following strong objections from disability rights activists, the Electronics & IT Ministry has amended the Digital Personal Data Protection (DPDP) Rules, 2025, separating persons with disabilities (PwDs) from provisions that previously clubbed them with children regarding guardian-based consent.
Digital Personal Data Protection (DPDP) Rules, 2025.
Legislative Context and Genesis:
- Notification: The Government of India has notified the DPDP Rules, 2025, marking the full operationalization of the DPDP Act, 2023.
- Constitutional Basis: This framework actualizes the Fundamental Right to Privacy, reaffirmed by the Supreme Court in the landmark K.S. Puttaswamy judgment (2017).
- Design Philosophy: The rules adhere to the SARAL (Simple, Accessible, Rational, and Actionable) principle, utilizing plain language and illustrations to ensure ease of compliance.
Implementation Roadmap
The rules follow a phased timeline to allow stakeholders to adapt:
Immediate Effect:
- Establishment of the Data Protection Board of India (DPBI), headquartered in New Delhi.
- Enforcement of amendments to the Right to Information (RTI) Act, 2005, restricting the disclosure of “personal information.”
Deferred Provisions (12–18 Months):
- Implementation of informed consent requirements and purpose limitation norms.
- Mandatory appointment of Data Protection Officers (DPOs).
- Rollout of the Consent Manager Framework (November 2026).
- Full compliance for large technology firms is targeted for May 2027.
Regulatory Classifications and Obligations
- Data Principals vs. Fiduciaries: Clearly defines rights (consent, correction, erasure) for citizens (Principals) and obligations (security, lawful processing) for entities (Fiduciaries).
- Significant Data Fiduciaries (SDFs):
- Criteria: Classification based on data volume, sensitivity, and impact on national sovereignty, security, and democracy.
- Target: Major global and domestic tech conglomerates (e.g., Meta, Google) will likely fall under this category.
- Enhanced Obligations: Mandatory Data Protection Impact Assessments (DPIA) and verifiable parental consent for processing children’s data.
Operational Mandates
Data Localization:
- Introduces conditional localization, where the government will specify categories of personal data restricted from cross-border transfer.
- Specifics are to be determined by a government-appointed committee.
Protection of Minors:
- Firms must adopt mechanisms for verifiable parental consent.
- Strict prohibition on behavioral tracking and targeted advertising directed at children.
Breach Protocols:
- Notification: Fiduciaries must inform impacted users “without delay,” detailing the breach nature, consequences, and mitigation steps.
- Penalties: The DPBI is empowered to impose penalties up to ₹250 crore for failure to prevent data breaches.
Critical Appraisal and Concerns
- Transparency Dilution: The amendment to the RTI Act removes the “public interest override” for personal information, potentially shielding public officials from scrutiny.
- State Exemptions: Broad exemptions granted to “State and its instrumentalities” raise concerns regarding unchecked data collection and surveillance (Internet Freedom Foundation).
Structural Limitations:
- DPBI Capacity: A four-member board may be insufficient for a nation with high digital density.
- Ambiguity: Lack of prescribed models for parental consent creates compliance uncertainty.
- Economic Impact: Data localization and compliance costs may burden startups and create friction in digital trade relations.