Sixteen months after the Digital Personal Data Protection (DPDP) Act was enacted in August 2023, the much-awaited DPDP rules were published in January this year. Following this, the Union Ministry of Electronics and Information Technology (MeitY) conducted stakeholder consultations on the draft rules.
The draft rules outline the implementation timeline for India’s data protection regime, beginning with the establishment of the Data Protection Board of India (DPBI) as the enforcement authority under the DPDPA. The board will be constituted upon the official notification of the rules in the Official Gazette after the public consultation is concluded.
However, the exact timeline remains unclear. While the draft rules are a welcome step, certain provisions require further discussion and refinement before finalisation to ensure the framework effectively serves businesses, the state and users without unintended consequences.
The proposed framework aims to balance innovation with individual rights but contains vulnerabilities, including ambiguous notice and consent mechanisms and broad government powers that could compromise privacy.
Rethinking consent notices
The concept of “informed consent” remains contentious in India, where digital literacy is low and the process to obtain it remains ambiguous.
While Draft Rules 3 sets standards for consent notices, their delivery methods are left to data fiduciaries’ (the entity processing the data) discretion, raising concerns that users may not fully understand what they are consenting to. The framework assumes data principals – or the person whose data is being processed – can read and make informed decisions, despite evidence showing that most users skip privacy policies due to their length.
Clear process for obtaining consent is essential for effective data protection. Additionally, data fiduciaries should adopt privacy labels, similar to nutrition and energy labels, after testing their effectiveness in a controlled environment. The regulator should also mandate prominently displayed ‘‘most important terms and conditions’, as seen in RBI’s digital lending guidelines. In the electricity sector, India’s star labels approach helps consumers choose energy-efficient appliances; similarly, privacy labels could help users identify privacy-protecting services.
Data fiduciaries should disclose the specific purpose, good or service provided, or use enabled by each data item collected. This transparency allows data principals to clearly understand the link between their personal data and its intended use, facilitating informed, data-item-specific consent. It will help in preventing “take-it-or-leave-it” services, ensuring individuals are not compelled into consenting to excessive data collection.
Service providers should also offer basic services using only the necessary information from data principals, collecting additional data only for optional features. Currently, the consent mechanism functions in an all-or-nothing fashion, forcing data principals to either share all requested data or be denied access entirely. This lack of choice was also observed in a CUTS’ study, ‘My Data or Yours? Unravelling Multi-Party Privacy among Consumers of Digital Credit in India’. The study noted that people believe permission should be obtained before sharing co-owned data, but practical constraints often become a challenge. A key issue is app design, applications lack mechanisms for seeking consent before sharing contacts or co-owned data.
Defining clear boundaries for consent managers
Under Rule 4, specific provisions outline the role of consent managers in enabling users to provide, manage, review and revoke consent for the processing of their personal data by data fiduciaries. Companies meeting certain criteria can apply to become consent managers, requiring registration with the DPBI and compliance with technical, operational, and financial standards. However, as a relatively new framework in global data protection mandates, its efficiency remains untested.
Meanwhile, a publicly accessible registry of approved consent managers should be maintained, allowing data principals to verify legitimate providers. It should include service details, compliance status and regular updates. A trust mark, developed by the DPBI in consultation with stakeholders, should be displayed to ensure legitimacy and prevent fraud.
Further, the rules rightfully prohibit consent managers from having conflicts of interest with data fiduciaries but fail to adequately define such conflicts in Part B of the schedule. This ambiguity allows multiple interpretations, potentially compromising their independence. Clear definitions and examples are needed to ensure consistent enforcement and maintain the integrity of the consent management system.
Consent managers should also disclose mechanisms to prevent conflicts of interest, making this information publicly available on their website, in policies, and through regular updates to data principals, especially when a new fiduciary is engaged. To ensure transparency and trust, they must disclose all fees upfront. The regulatory board should provide explicit guidelines on permitted and prohibited activities.
Moreover, the provision in Part B of the first schedule imposes an inherent contradiction on consent managers. On one hand, they are required to ensure that the contents of the personal data they facilitate access to remains unreadable to them (clause 2). On the other hand, they must retain consent and data-sharing records for at least seven years (clause 4), which arguably requires some level of accessibility to personal information. However, this apparent conflict can be resolved by explicitly stating that the consent managers cannot access personally identifiable information. Additionally, all records it maintains should be securely encrypted to minimise the risk of data breaches and privacy related harms.
The need for clear safeguards
One of the most contested provisions in the DPDP Act is the blanket exemption for the Union government and executive control over DPBI. Rule 16 of the draft rules outlines the appointment process for DPBI members and the chairperson through a search-cum-selection committee composed of government officials and two government-appointed “experts”. This structure raises concerns about DPBI’s independence, as political influence could undermine its credibility and impartiality. To safeguard independence and ensure transparency, the draft rules should establish a clear selection criteria based on merit, define terms and conditions and outline the removal process for board members.
These principles should be developed in consultation with judicial representatives, subject matter experts and civil society. The joint parliamentary committee (2021) recommended including the attorney general and an independent expert in the selection process, while the Justice Srikrishna Committee suggested involving the chief justice of India or their nominee to ensure impartiality. Given the DPBI’s limited adjudication power, maintaining its independence is essential to prevent undue influence.
Finally, draft rule 22 and the seventh schedule grant the Union government broad, undefined powers to access personal data under the pretext of protecting “the sovereignty and integrity of India or security of the state.” The lack of clear legal definitions of these terms allows for arbitrary interpretation, raising concerns about excessive data collection, mass surveillance and privacy violations. This contradicts the Puttaswamy judgement, which established privacy as a fundamental right and required state intervention in personal data to meet principles of legality, necessity and proportionality. The provision lacks oversight, allowing the government to designate any authority to request data without judicial approval, creating potential for misuse.
Additionally, it avoids disclosing information about such requests, shielding government actions from public scrutiny and eroding trust in digital spaces. Moreover, permitting data access for broadly defined purposes, such as performing functions under any law, potentially enables access to a disproportionately large amount of data.
To mitigate these risks, safeguards like judicial oversight and a necessity-based threshold for data requests should be introduced. Transparency mechanisms, including mandatory periodic reports on government data requests, should also be implemented. MeitY should publish these reports for public accountability while balancing national security interests.
As the draft DPDP rules move toward finalisation, they must effectively operationalise the DPDP Act while addressing unintended consequences through transparent assessment mechanisms. Given their impact on data principles and fiduciaries, it is essential to assess their effectiveness before implementation. A regulatory impact assessment, conducted in consultation with all key stakeholders, will help ensure the rules achieve their objectives without compromising user rights and imposing unnecessary compliance on platforms.
Asheef Iqubbal is a technology policy researcher at CUTS International.
