Draft Digital Personal Data Protection Rules 2025

Explore India's Draft Digital Personal Data Protection Rules 2025, designed to operationalize the 2023 Act by outlining data fiduciary obligations, consent requirements, and data breach notification protocols.

Table of Contents

Context: The draft Digital Personal Data Protection Rules, 2025, released by MeitY in January under the Digital Personal Data Protection Act, 2023, has faced several criticisms.

Criticisms of the Draft Digital Personal Data Protection Rules, 2025

Appointment of DPB Members: The Union government has the discretion to appoint members to the Data Protection Board (DPB), raising concerns over the separation of powers and the independence of the DPB since it performs quasi-judicial functions.
Dispute Resolution Mechanism: Appeals from the DPB’s decisions will be filed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 6 months, which is seen as unrealistic given the TDSAT’s current workload and capacity constraints.

Demands for Institutional Reforms

Specialist Appointment: A technical member with expertise in data protection should be appointed to the TDSAT since data protection issues are distinct from telecom matters.

An amendment to Section 14C of the TRAI Act is required to accommodate this change.

Fact

Section 14C of the TRAI Act outlines the qualifications and eligibility criteria for the appointment of members to the TDSAT.

Increased Capacity: TDSAT is already overburdened, with over 3,448 pending cases as of February 2025.
- More budget allocations and additional benches are needed to handle the increased workload from data protection cases.
Technological Infrastructure: TDSAT’s website and digital filing systems need significant upgrades to handle data protection appeals efficiently.
- Improved access to case information and smoother digital navigation are necessary.
Accountability: TDSAT should publish annual reports detailing the number of appeals filed, disposed of, and pending, along with key issues involved in each type of matter.

Section 44(3) of The Digital Personal Data Protection (DPDP) Act, 2023

The DPDP Act modifies Section 8(1)(j) of the RTI Act, 2005, which deals with the exemption of personal information from disclosure.
Previously, Section 8(1)(j) stated that information related to personal matters could be disclosed if it served a larger public interest and did not constitute an “unwarranted invasion of privacy.”
The DPDP Act replaces this clause with a broader exemption that simply states that any “personal information” is exempt from disclosure, removing the “larger public interest” test.

Concerns Raised by Activists

Restriction on Public Information Access: The previous provision allowed disclosure of personal information if it was in the public interest (E.g. government officers’ assets and liabilities).
Impact on RTI Decisions and Precedents: Over the years, several decisions of the Central Information Commission (CIC) and state Information Commissions have been based on the “public interest” clause in Section 8(1)(j).
- The new provision removes the discretion to allow access to such data, affecting these past rulings.