DPDP Rules: Narrow Down State Exemptions, Surveillance Powers, Says IFF
New Delhi: The government has notified the Digital Personal Data Protection Rules, 2025, for phased implementation. However, civil society organisations such as the Internet Freedom Foundation (IFF), while terming it an “important institutional milestone” for personal data privacy, said that the rules do not address key structural concerns.
The IFF, which had provided key inputs to the draft DPDP rules, in a statement, said “ordinary users still lack a rights centred data protection legal framework, even as large data processing entities gain greater discretion and benefit from opacity,” adding that “from the outset, the rule-making process has suffered from a lack of transparency and insufficient consultation.”
The IFF also said that the notified DPDP Rules, 2025 “stop short as they do not require disclosure of categories of recipients, specific retention periods, or cross-border transfer safeguards. In practice, this perpetuates information asymmetry between individuals and large platforms and undermines meaningful consent.”
The organisation said it was “especially dismayed that the DPDP Rules, 2025 provide statutory backing for enabling personal data collection by state agencies with scant oversight, thereby entrenching state control over personal data.”
Read the full statement below:
IFF's Statement on DPDP Rules 2025
On 13 November 2025, the Union Government notified the Digital Personal Data Protection Rules, 2025 (“DPDP Rules, 2025”) alongside staggered commencement of the Digital Personal Data Protection Act, 2023 (“DPDP Act, 2023”) and formal establishment of the Data Protection Board of India ("DPB"). Sections 18–26 of the DPDP Act (on the DPB) and several ancillary provisions now come into force immediately, while core data protection obligations and rights in sections 3–17 will only become effective eighteen months from the date of notification.
The DPDP Rules, 2025 follow the same trajectory as the DPDP Act, 2023. While they mark an important institutional milestone, they do not address key structural concerns repeatedly raised by civil society, including the Internet Freedom Foundation (IFF), since the 2022 and 2023 iterations of a data protection law. As a result, ordinary users still lack a rights centred data protection legal framework, even as large data processing entities gain greater discretion and benefit from opacity. From the outset, the rule-making process has suffered from a lack of transparency and insufficient consultation. IFF and other stakeholders had provided detailed feedback on the Draft DPDP Rules, 2025 emphasizing constitutional principles and user rights. Despite this, the notified DPDP Rules, 2025 reflect little of this input. Notably, IFF’s Detailed Submission on the Draft DPDP Rules, 2025 outlined numerous gaps and urged improvements. These ranged from clarifying vague definitions to instituting independent oversight mechanisms which have not been reflected in the final text of the notified DPDP Rules, 2025.
The DPDP Act, 2023 and its implementing DPDP Rules, 2025, instead of protecting citizens’ data rights, have created new barriers to transparency and individual freedoms. The DPDP Act itself instituted onerous duties on individuals and carved out broad exceptions that weaken the fundamental right to privacy. We are providing a reasoned explanation below, which will be substantiated by detailed analysis next week:
The DPDP Rules, 2025 notification brings the institutional machinery of the DPB into force immediately, but defers most core obligations and rights: sections 3–5, 6(1)–(8) and (10), 7–10, 11–17, 27 [except clause (d) of sub-section (1)], 28–34, 36–37 and 44(2) will only apply eighteen months from the date of notification. The DPDP Rules, 2025 mirror this approach. Rules 1, 2 and 17–21 (definitions and Board related provisions) are effective immediately; rule 4 (on consent managers) will apply after one year; and the bulk of operative provisions for notices, State processing, security, rights, cross-border transfers and exemptions (rules 3, 5–16, 22–23) will apply only after eighteen months.
In our detailed submission on the draft DPDP Rules, 2025, IFF urged the Government to avoid long deferrals and to specify clear, phased but shorter implementation timelines so that individuals do not remain without meaningful remedies while infrastructures for protection of personal data are built.
Notable provisions of these rules include Rule 3, which requires notices to be in “clear and plain language” and to provide, at a minimum, an itemised description of personal data and the specified purposes for processing. Rule 14 requires data fiduciaries to clearly publish channels and identifiers through which data principals can exercise their rights and sets a maximum ninety day timeline for grievance redressal.
However, the DPDP Rules, 2025 do not cure weaknesses that IFF had identified in our first read of the DPDP Bill, 2023. The DPDP Rules, 2025 stop short as they do not require disclosure of categories of recipients, specific retention periods, or cross-border transfer safeguards. In practice, this perpetuates information asymmetry between individuals and large platforms and undermines meaningful consent.
Rule 8(3) of the DPDP Rules, 2025 requires data fiduciaries to retain personal data, associated traffic data, and other logs of the processing, if they are so required by the State or its instrumentalities for specified purposes, inter alia security, performance of any function under the law. Such data must be stored for a minimum period of one year after the purpose of processing has been achieved, unless a longer period is required by law. For significant data fiduciaries, Section 8(1) read with Third Schedule goes further by requiring maintenance of extensive logs for three years. In our submission, IFF highlighted that these provisions invert the data minimisation principle recognised in privacy jurisprudence and international standards, and risk normalising long term behavioural logging by both the State and private actors.
Further, Rule 5 continues to enable the State and its instrumentalities to treat applications for subsidies, benefits, services, certificates, licences, permits, as requests to open or use a “user account”, with details to be specified in the Second Schedule. In our submission, we cautioned that this architecture, in combination with “techno-legal measures” referenced in rules 20 and 22, would risk expanding centralised identifiers and data capture within DPI without sufficient necessity, proportionality, or parliamentary scrutiny.
IFF had urged that the DPDP Rules, 2025 should narrowly define such measures, require impact assessments and safeguards, and ensure that any data linking or single sign on mechanisms are subject to strict purpose limitation and independent review.
The Government has now formally established the Data Protection Board, located in the National Capital Region, and notified that it shall consist of four members. Rules 17–20 of the DPDP Rules, 2025 set out the appointment process, composition, service conditions, procedures for meeting, and the digital offices of the DPB. These provisions largely retain the structure we critiqued in our submission on the Draft DPDP Rules, 2025. In our submissions, we warned that this concentration of appointment powers and composition in the executive “deepens executive control” and departs from global best practice, where data protection authorities are designed as independent regulators.
IFF is especially dismayed that the DPDP Rules, 2025 provide statutory backing for enabling personal data collection by state agencies with scant oversight, thereby entrenching state control over personal data. Rule 23 of the DPDP Rules, 2025 exemplifies this problem. Rule 23 grants unchecked power to the State to demand personal data from Data Fiduciaries without consent, citing vague justifications like national security. With no clear safeguards, oversight, or challenge mechanism, this provision risks enabling surveillance, over-collection of data, and privacy violations. In practice, this means that the government can compel any data holding entity (such as an internet platform or telecom provider) to furnish user data en masse, merely by invoking broad reasons like “sovereignty,” “integrity of India,” or any function of law. The categories of data access are so broadly defined that they invite abuse, which was a point we had raised during the consultation. The final text does not tie government data requests to a strict necessity test or judicial authorization, nor does it mandate post-facto oversight. To compound the problem, the DPDP Rules, 2025 impose obligations where data fiduciaries are prohibited from disclosing government demands to Data Principals related to national security, eliminating an important check of transparency. Such gag rules prevent the public from ever knowing the extent of state surveillance.
Our detailed submission on the DPDP Rules, 2025 attempted to use the rule making stage to mitigate some of these harms and align the framework with the constitutional standards laid down in K.S. Puttaswamy v. Union of India. Here, we are disappointed to note a failure to match its promises for privacy, and hence data protection as a measure to protect the autonomy, dignity and liberty of Indians.
We reiterate our call for:
Restoring Balance Between Privacy and Transparency: A Data Protection (Amendment) Bill to restore a strong RTI framework and introduce a journalistic purpose exemption so that privacy is not used as a blanket excuse to deny information. Legislatively protect journalism and research by carving out activities in public interest from data processing liabilities, as past expert committees recommended.
Ensure Independent Oversight: Reconstitute the Data Protection Board of India both on its independence and powers to make it an independent regulatory body. This requires granting it autonomy and vesting it with powers. Moreover, its exercise should subject the DPB’s functioning to greater transparency by including the need to publish its decisions and annual reports for public and legislative scrutiny.
Narrow State Exemptions and Surveillance Powers: Alongside legislative amendments to withdraw or redraft Rule 23 to strictly limit government access to personal data, any such provision must be tightly bound to national security or law enforcement needs, authorized by law, proportionate, and overseen by an independent authority. Blanket, secret data demands have no place in a rights respecting democracy. The government should also initiate surveillance law reform, to bring intelligence gathering under checks and balances as urged by civil society.
The Internet Freedom Foundation stands ready to assist in developing a data protection framework that upholds citizens’ rights and adheres to India’s constitutional and international obligations. We hope policymakers will heed these concerns.
