Draft Digital Data Protection Rules and Authoritarianism


Context:

The Draft Digital Data Protection Rules, 2025, and their parent legislation, the Digital Personal Data Protection Act, 2023, have been scrutinized for their vagueness, executive dominance, and lack of transparency. These rules are seen as a reflection of the broader issues of authoritarian control over digital governance and inadequate privacy safeguards.


Key Issues in the Draft Rules

1. Vagueness and Lack of Standards:

  • The rules are deliberately vague, with terms like "clear and plain language" in Rule 3 (Consent Notices) left undefined. This poses challenges in ensuring that users, especially those from linguistically diverse and less literate demographics, can truly understand consent forms.
  • Critical areas such as data categories (e.g., financial or health data) and data breach notification timelines are undefined, creating risks for users in emergencies.

2. Transparency Deficit:

  • The consultation process is restrictive, with public feedback only allowed through the MyGov platform and submissions kept confidential. This controlled approach limits broader participation and public discourse, resembling a corporate consultation model rather than an inclusive public one.

3. Executive Dominance:

  • The Data Protection Board (DPB), a body meant to safeguard user rights, is heavily influenced by the Union Government:
    • Its members are selected by a Cabinet Secretary-led committee, compromising independence.
    • Service conditions are tied to central government employment, undermining autonomy.
  • This aligns with the trend of centralized control, echoing concerns raised by social activists that the Act functions as a "digital leash" to reinforce state authority.

4. Limited Accountability:

  • Rule 5 exempts data processing for subsidies from consent requirements, removing accountability for potential misuse in government welfare schemes, such as Aadhaar-based subsidies.
  • The government retains unchecked power under Rule 22 to requisition information without clear safeguards or oversight, raising concerns about potential abuse.

5. Delay and Inadequacy:

  • Sixteen months after the Act’s passage, the rules remain under consultation, with vague provisions and limited scope. This delay exacerbates uncertainty for users, organizations, and community groups seeking clarity on their rights and responsibilities.

Structural Flaws in the Framework

1. Absence of an Independent Regulator:

  • Recommendations from the 2006 Planning Commission consultation paper on ensuring autonomy in regulatory bodies have been ignored. The lack of independence in the DPB raises concerns about its effectiveness in adjudicating cases against powerful entities like the UIDAI.

2. Broad Discretion to the Government:

  • Frequent use of the phrase “as may be prescribed” in the Act and Rules grants sweeping discretion to the executive, sidelining legislative intent and judicial oversight.

3. Contradiction with Privacy Rights:

  • Despite the K.S. Puttaswamy judgment (2017) affirming privacy as a fundamental right, the current framework compromises privacy by failing to institute strong checks and balances on state power.


Implications

1. Erosion of Trust:

  • The combination of vague rules, centralized authority, and a lack of transparency undermines public trust in digital governance.

2. Risk of Abuse:

  • Broad discretionary powers without adequate safeguards could lead to misuse, surveillance, and erosion of user rights.

3. Weakened User Protections:

  • The absence of clear timelines for breach notifications and inadequate mechanisms for addressing user grievances leave citizens vulnerable.

4. Challenges for Organizations:

  • Ambiguity in compliance requirements creates uncertainty for businesses, hindering the development of a robust data protection ecosystem.


Way Forward

1. Strengthening Independence:

  • The Data Protection Board must be restructured as an autonomous body, with transparent and merit-based selection processes.

2. Clarity in Rules:

  • The rules should define key terms, establish clear standards for consent, and specify timelines for breach notifications.

3. Inclusive Consultation:

  • Ensure broader public participation in the rulemaking process by making submissions open and transparent.

4. Judicial and Parliamentary Oversight:

  • Introduce mechanisms to subject government actions under the Act and Rules to oversight by independent judicial and parliamentary bodies.

5. Safeguards Against Overreach:

  • Rules must incorporate strict limitations and checks on the government’s powers under provisions like Rule 22 to requisition information.


Conclusion

The Draft Digital Data Protection Rules, 2025, exemplify a framework where executive overreach undermines transparency, accountability, and user rights. If left unaddressed, this approach risks turning the promise of privacy as a fundamental right into a hollow ideal. A stronger commitment to democratic principles, institutional autonomy, and user-centric governance is essential to create a balanced and effective digital data protection regime in India.

 
