Digital rights experts have flagged several gaps in the draft Digital Personal Data Protection Rules, 2025, released by the Union Ministry of Electronics and Information Technology on January 3.
They say that because the rules, which aim to operationalise the Digital Personal Data Protection Act, 2023, passed by Parliament in August 2023, lack clarity, organisations will struggle to comply with the requirement to obtain parental consent before processing children’s data. They also warned that the draft rules give too much power to the government. Moreover, there are significant gaps in the rules that could increase compliance costs for companies and harm users’ interests.
The act lays down guidelines for how the digital personal data of individuals should be processed by the state and by private entities.
Overview of the rules
The draft rules clarify how organisations processing personal data should handle that data, notify individuals of breaches of their data and ensure consent for data collection.
These organisations – which the act calls data fiduciaries – must provide clear notices to users that are easy to understand, explaining why they are collecting data and how it will be used. These notices must also explain the types of data being collected. Moreover, withdrawing consent for the use of one’s data should be as simple for users as granting it.
When handling children’s data, most organisations must get permission from a parent or guardian. The identity of the parents can be confirmed using official identity documents.
If personal data is leaked or accessed without permission, organisations must quickly inform both the users affected and the Data Protection Board about the incident. A detailed report must follow within 72 hours. However, experts say that while the timeline ensures transparency, it may also overburden regulatory systems by requiring even minor breaches to be reported and explained.
The rules require organisations to follow basic security practices like encryption (encoding data to protect it), data masking (which refers to hiding sensitive information) and conducting regular checks or audits for misuse. They must also keep records of who accesses the data for at least one year. However, the rules do not specify the exact technical standards these measures should meet, experts say.
The government retains the power to blacklist certain countries from receiving Indian personal data. This could create challenges for businesses relying on global data flows.
Large organisations, classified as “significant data fiduciaries”, have additional obligations. They must conduct annual audits, data protection impact assessments and ensure that their algorithms do not pose risks to users.
E-commerce platforms, online gaming companies and social media firms with large Indian user bases must store user data for three years.
The Data Protection Board will oversee rule enforcement and grievance redressal under the act. While the rules for appointing and operating the board will take effect immediately, other compliance requirements will be implemented gradually.
The Union government has invited comments from the public on the rules till February 18.
How to obtain parental consent?
Legal experts to whom Scroll spoke flagged the lack of clarity in the rules about how data fiduciaries would obtain permission from parents to process their children’s data. This lack of clarity could create heavy compliance burdens for online service providers, they warned. It may also make it harder for minors to access online services and could lead to widespread online surveillance, they cautioned.
The rule that lays out the parental consent requirement for data fiduciaries has three aspects, said Kamesh Shekar, Senior Programme Manager – Privacy, Data Governance at The Dialogue, a technology policy think tank. These are determining whether someone is under 18 years, identifying and verifying who their parent is, followed by getting the parent’s consent to process the child’s data.
However, the rules do not elaborate on how each of these tasks is to be carried out. “The rules provide clarity only on verification of the parent,” he said. “But they are silent on identifying children and taking consent from the parent as to the child’s data.”
It is difficult in digital spaces to determine if the user is a minor and whether the person giving consent for the data to be processed is the actual parent, Shekar noted.
“The rule uses the term ‘verifiable consent’ which means that tomorrow, a data fiduciary must demonstrate that consent has been taken from the parent as per the procedures laid out,” he said. Shekar asked how such permission could be demonstrated in the absence of clarity about the procedures to be followed.
Karthika Rajmohan, Associate Policy Counsel at the Internet Freedom Foundation, a digital rights organisation, agreed that it will not be easy for online service providers to identify whether a user is a child.
“Will internet users have to self-identify as a child?” she asked. “Will the government come out with an internet-wide age verification mechanism? Or will it leave it up to companies to determine age verification mechanisms to put in place?”
The parental consent requirement for minors would ultimately lead to access to most online content being severely restricted for children, said technologist and public policy researcher Prateek Waghre. “You can only verify if an online user is a minor if you verify the age of every online user,” he said. “This can lead to age-gating of the internet.”
The language of the rules and their illustrations indicates a reliance on children and parents self-declaring their identity, age and other personal details without verification, he said. “The limitation to that is that individuals may lie,” he said.
On the other hand, if the ages of all internet users are verified by collecting identity documents, it would lead to a massive data-collection regime, said tech and media lawyer and partner at the law firm Trilegal, Nikhil Narendran. He warned that this could lead to a system of mass surveillance.
Narendran also flagged the accessibility problem that this could cause. “How will a large section of the digitally illiterate population, which is unable to provide consent on their own behalf, be able to provide consent on behalf of their children?” he asked.
He characterised the challenges as “a civil rights issue, a privacy issue, an accessibility issue, a cost issue and a corporate compliance issue”.
Excess government power
Experts also expressed concerns about broad exemptions for state agencies from the safeguards for processing personal data. They warned that this could result in government organisations using data without proper control or oversight.
Narendran also pointed out that the government has expanded its power to demand data from companies and prevent companies from revealing such data disclosures. “This is a major civil rights issue,” he said.
Rajmohan agreed, highlighting the absence of meaningful restraints on the government. “The government can call for data for reasons that are vague, such as ‘sovereignty and integrity of India’ and ‘security of the state’,” she said. “This raises concerns of misuse because there are no checks and balances and no review mechanisms for this power.”
Waghre quipped that the main purpose of the rules is to facilitate the processing of personal data by the government, rather than protecting it. “The rules seemingly have provisions to justify data collection by governments in exercise of their executive power,” he said. “This can validate data hoarding that union and state governments may undertake.”
Government control over data processing also extends to the composition of the Data Protection Board prescribed under the rules. The Board is responsible for investigating data breaches, enforcing penalties for violations of the act and issuing directions related to personal data protection. The committee that will search for and select the Board’s members is to be composed of representatives of the Union government along with others it chooses.
This calls its independence into question, said Shekar.
Rajmohan agreed. “This would result in a board that may not be balanced or independent,” she said.
Lack of clarity
There are other crucial areas on which the rules were expected to shed light but do not, experts said.
One of these is the manner in which data fiduciaries must give notice seeking consent for the use of an individual’s personal data, said Rajmohan. “There are not enough details on the manner in which the notice is to be given,” she said. “The rules leave it to the companies to determine how to do so.”
In a country with a low data literacy rate like India, companies tend to ask for consent in a manner such that individuals may not even be aware of what they are consenting to, she said.
Shekar said the rules for data fiduciaries lacked clear measures on data protections. “The rules prescribe ‘encryption, obfuscation or masking’ as data security measures,” he said. “The government should define what it means by the terms, since these terms could mean different things in different contexts.”
He suggested a flexible set of guidelines for these measures, allowing different data fiduciaries to follow varying standards based on their size.
Shekar wondered how the rules apply to emerging technologies such as artificial intelligence. “Consent doesn’t work within an AI ecosystem in all scenarios,” he said. He pointed out that the rules granted an exemption from the act for the processing of personal data for research, archiving and statistical purposes.
“AI work is mostly statistical,” he said. “Will that be exempted? There is no clarity on what these purposes exactly mean.”
Such a lack of clarity will lead to real-world harm for online service providers and users, said Rajmohan. “If small companies are not clear about how to do compliance, it becomes a huge cost and burden for them,” she said. “On the other hand, big companies may use the grey areas as a way to engage in practices that don’t necessarily protect user privacy and are against user interest.”
This is because “if you give wriggle room without being clear, you leave room for non-privacy-abiding practices to creep in”, she said.