Nickeled & Dimed

Safeguarding Privacy in the Digital Era: A Critical Analysis of the Draft Digital Personal Data Protection Rules, 2025

By – Aditya Vikram Sen

Abstract

The acknowledgement of Privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India facilitated legislative measures such as the Digital Personal Data Protection Act, 2023, and the Draft Digital Personal Data Protection Rules, 2025. While the Act seeks to provide a foundational basis for the protection of personal data, the Draft Rules seek to implement and operationalise these safeguards. This article seeks to argue that the Rules indicate regulatory vagueness, lack adequate protections against exploitation by state entities, and possess an inadequately developed framework for cross-border data transfers that disregards critical standards set forth by international jurisprudence, including the Schrems II ruling.

Introduction

In 2017, the Supreme Court of India in Justice K.S. Puttaswamy v. Union of India entrenched the right to privacy as a fundamental constitutional right, extending its applicability to the digital domain. The judgment envisaged an eventual future wherein a comprehensive legislative framework would safeguard “informational privacy.” The Digital Personal Data Protection Act, 2023, was intended to actualise this objective by outlining comprehensive standards to govern personal data usage in India. To ensure that these principles do not remain abstract, the Draft Digital Personal Data Protection Rules, 2025, lay down the enforcement mechanism, building upon the legislative foundation. The Act, as India’s founding data protection legislation, intends to govern the processing of digital personal data while balancing individuals’ right to privacy with the legitimate utilisation of such data. It sets operational duties for data processors, provides special protection for minors, and provides for the establishment of a grievance redressal agency known as the Data Protection Board of India, thereby signifying a vital development in India’s digital governance structure. Although the Rules represent a significant advancement, there exist areas of regulatory ambiguity and executive overreach that, if unaddressed, could undermine the principles they are intended to protect.

Vagueness in Operational Guidelines

Rule 8(2) mandates data processors (any person who processes personal data on behalf of a data fiduciary) to issue a 48-hour notification before data deletion, although it fails to specify the mode of communication, be it via email, SMS, or in-app alerts. Although users are instructed to adhere to procedures outlined by businesses to assert their rights, the lack of defined processes may result in disparate practices among firms. Similarly, vague terms such as “reasonable security measures” are not defined, resulting in varying interpretations, as seen in cases regarding Rule 3(1)(b)(v) of the IT Rules 2021, which mandated platforms to eradicate any material deemed to be “false, fake or misleading” in nature. There, the absence of conclusive definitions left platforms confronting difficulties in differentiating between disinformation, satire, and opinion-based material, thereby resulting in variable enforcement and constraining free speech and expression.

Similarly, Section 7(b) of the DPDP Act, 2023, empowers the state and its instrumentalities to process ‘personal data’ for subsidies, benefits, and services under two conditions: the data principal has previously consented to the processing, and the personal data already exists in state records. Further, Rule 5 provides the state instrumentalities with the power to process personal data without obtaining consent, provided that the data principals are informed of the processing. Thus, explicit limitations or guidelines against the misuse of personal data are absent, thereby opening the possibility for state authorities to circumvent the safeguards of “proportionality” and “necessity” laid down in Puttaswamy, which mandates security and accountability in the processing of personal data. There ought to be mechanisms ensuring regular audits of data processing practices by state entities, together with unambiguous legal recourse and punishments for the exploitation of personal data by state instrumentalities. Further, the ambiguous definition of “instrumentalities” exacerbates apprehensions regarding state surveillance.

Cross-Border Data Transfer 

Rule 14 of the Draft Rules specifies that data transfers outside India can only be permitted if the data fiduciary complies with the conditions laid down by the Central Government on the transfer of such data. One of the problems that arises regarding such a provision is the absence of precise requirements for identifying jurisdictions for data transfer. It is also unclear whether such restrictions are confined to the physical transfer of personal data beyond India’s borders or whether they also encompass data shared with individuals and entities within India that are associated with or governed by a foreign state (e.g., diplomats, sovereign wealth funds, private companies financed by foreign governments, etc.). Moreover, the provision may result in possible conflicts with foreign legislation that mandates access to such personal data in accordance with those countries’ domestic laws. Further, this may hinder Indian business entities from providing mandatory personal data to a designated foreign governmental authority. Section 16(1) of the DPDPA prescribes the blacklisting of countries that jeopardise individual privacy or national security. The justification for this is that several social media platforms, commercial enterprises, and techno-defence organisations in various countries could cause data breaches. Additionally, India’s role in the global market makes it essential for the government to carve out a mechanism to balance India’s economic aspirations with cross-border data transfers. As per a study conducted by the Reserve Bank of India, data breaches cost the Indian economy around 2.18 million dollars in the year 2023-24.

A crucial aspect that requires immediate attention is the need to ensure that data transferred to a whitelisted country is not subsequently transferred to a blacklisted country or to jurisdictions lacking adequate protection. It is pertinent to note that the absence of defined criteria for whitelisting or blacklisting countries leaves personal data vulnerable to misuse, including deepfakes and scams. Unlike GDPR’s structured mechanisms, namely Adequacy Decisions (pre-approved countries), Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs) under Articles 45, 46, and 47 respectively, the DPDPA does not provide any comparable safeguards for regulating data transfer. Thus, following the Schrems II decision rendered by the CJEU, there is a need for a robust cross-border data transfer regime within the DPDPA scheme, under which data transfers are contingent upon “essentially equivalent” privacy protections in the destination country, failing which transfers must be invalidated. The court in that case held the US Government’s surveillance programmes to be highly vague in nature and observed that the US Privacy Shield failed to satisfy the criterion of an essentially equivalent level of protection. Consequently, the fundamental right to privacy of EU citizens was not guaranteed when their data was transferred to the US. Thus, the absence of an “essentially equivalent” standard, as laid down in Schrems II, has left the personal data of Indians extremely vulnerable when it crosses Indian borders.

Data Protection of Vulnerable Groups: Children and Persons with Disabilities

Rule 10 of the Draft Rules mandates the data fiduciary (the person who determines the purpose and means of processing data) to adopt technical and organisational measures to obtain the verifiable consent of a parent for processing the personal data of a child. This may be done through: (i) reliable identity and age information already held by the fiduciary, (ii) voluntary submission of such details, or (iii) a virtual token issued by an authorised entity, such as a Digital Locker service provider. However, there is no clarity on the exact manner in which children are to be identified or how the collection of parental consent will function. The reliance on self-declaration for permission is fundamentally faulty, as it establishes a binary scenario: either individuals misstate their age to circumvent the system, or age verification becomes pervasive across the internet, with every service provider requiring identification. It compels individuals either to misrepresent themselves or to give up unnecessary personal information, both of which compromise privacy and security.

Further, the nature and scope of due diligence obligations under Rule 10 are ambiguous. The Rights of Persons with Disabilities Act, 2016 (“RPWD Act”) authorises district courts or authorised bodies appointed by the State Government to assign limited guardians for individuals with disabilities. It remains unclear whether, and how, data fiduciaries are obliged to collect and/or verify court orders granting guardianship or similar directives under pertinent statutes, including the Guardians and Wards Act, 1890, the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999, or the Mental Healthcare Act, 2017.

Conclusion

The Draft Digital Personal Data Protection Rules, 2025, signify a substantial advancement in creating a regulated and secure digital environment in India; however, their present iteration exposes several deficiencies and ambiguities that require rectification. To sufficiently achieve the constitutional mandate of Puttaswamy, it is fundamental that the final Rules address the deficiencies discussed above by laying down precise definitions, independent supervision mechanisms, transparent criteria for cross-border transfers, and robust protections for vulnerable sections of society.

Author’s Bio

Aditya Vikram Sen is a third-year law student currently pursuing a B.A. LL.B. (Hons.) at Jindal Global Law School, Sonipat. His interests lie in exploring the intersection of Constitutional and Criminal Law.
