At first glance, the law appears to be a near-perfect one designed to safeguard citizens’ privacy. However, experts have raised several concerns about its implementation
The Union government, on January 3, 2025, notified the draft rules for the Digital Personal Data Protection (DPDP) Act, which was enacted in November 2023. These rules aim to lay the groundwork for implementing the DPDP Act and have been opened for public consultation on the portal https://innovateindia.mygov.in/dpdp-rules-2025/. Citizens have until February 18 to provide feedback.
Once public suggestions and objections are incorporated, the final rules will be notified and made applicable across the country within a few months. The government is targeting a timeline of approximately two years to implement the DPDP law across all online platforms and domains.
The implementation of these rules will require compliance from all data fiduciaries, including social media platforms, websites, and apps. These entities must secure explicit consent from data principals – the individuals whose data they handle – before collecting or using their personal data. This consent will involve an online form detailing how, when, and why the data will be used, the duration it will be retained, contact points for grievances, and the process for addressing misuse or breaches. Moreover, these consent forms must be available in all 22 languages listed in the Eighth Schedule of the Constitution, including Konkani, to ensure accessibility and comprehension for all citizens.
Data fiduciaries will also be required to establish online mechanisms for citizens to register grievances, report data misuse, or withdraw their data if they choose not to share it further. To oversee this, the government plans to create a robust system of authorities and appellate bodies.
Fiduciaries found misusing data could face fines of up to Rs 250 crore, depending on the severity of the violation. On the flip side, data principals could also face penalties of Rs 10,000 for knowingly providing false or misleading information to fiduciaries.
At first glance, the DPDP Act appears to be a near-perfect law designed to safeguard citizens’ privacy by preventing the misuse of personal data through digital means. However, experts have raised several concerns about its implementation and implications. Some argue that the compliance burden could stifle business operations and innovation, while others believe the challenges will spur the development of innovative tools and solutions to aid companies in meeting compliance requirements.
One of the most significant criticisms comes from retired Justice B N Srikrishna, who spearheaded the first draft of the law in 2017 through extensive public consultations. Justice Srikrishna has warned that the latest version of the law grants the government unchecked access to personal data, not only in its possession but also in the custody of fiduciaries. This, he cautions, could lead to an Orwellian state where the government wields excessive control over citizens’ lives through surveillance and propaganda.
Another contentious issue is the amendment to Section 8(1)(j) of the Right to Information (RTI) Act, which exempts personal information from disclosure entirely. Previously, the RTI Act allowed for the disclosure of personal information about public officials if it served a larger public interest. The removal of this provision has raised concerns that it will weaken the RTI Act, a vital tool for holding government authorities accountable.
Even the government think tank NITI Aayog flagged the amendment, warning that it could diminish the power of the legislation. Despite these concerns, the government has proceeded with the DPDP Act and the accompanying RTI amendment.
These troubling provisions threaten to overshadow the otherwise promising potential of the DPDP Act. As citizens, we must seize this final opportunity to ensure the law serves its intended purpose. By carefully reviewing the draft rules and providing thoughtful feedback before February 18, we can help shape a framework that balances the protection of personal data with the preservation of democratic values and transparency.
(Sangeeta Naik is an IT professional based in Goa.)