Introduction: The Long Shadow of Puttaswamy
The trajectory of privacy jurisprudence in India has been a slow, arduous march from the shadows of denial to the light of constitutional recognition. For over six decades, the Indian legal landscape was defined by the archaic precedents of M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P. (1964), both of which categorically denied the existence of a fundamental right to privacy. The State argued, often successfully, that the Constitution’s silence on privacy was a deliberate exclusion.
This jurisprudential dark age ended on August 24, 2017, with the Supreme Court’s epochal nine-judge bench verdict in Justice K.S. Puttaswamy (Retd.) v. Union of India. By overruling M.P. Sharma and Kharak Singh, the Court did not merely create a new right; it rediscovered an ancient one, locating privacy at the very heart of the “Golden Triangle” of Articles 14, 19, and 21.
Puttaswamy’s Triple Test for Justifying Privacy Intrusion:
- Legality
- Necessity
- Proportionality
Yet, a constitutional right without a statutory framework is like a sword without a hilt—powerful but unwieldy. For eight years, India waited for the legislative machinery to catch up with the judiciary. On November 13, 2025, the Ministry of Electronics and Information Technology (MeitY) finally bridged this gap by notifying the Digital Personal Data Protection (DPDP) Rules, 2025. These Rules serve as the operational soul of the Digital Personal Data Protection Act, 2023.
However, as we dissect this new regulatory regime, a troubling question emerges:
| Promise of Puttaswamy | Concern in DPDP Rules, 2025 |
|---|---|
| Privacy as a fundamental right | Risk of bureaucratic control undermining independence |
| Strong necessity and proportionality safeguards | Expansive powers without equivalent checks |
Does this framework fulfill the transformative promise of Puttaswamy, or does it bureaucratize a fundamental right into submission?
The “Digital Office” Paradigm: Efficiency at the Cost of Independence?
The most striking feature of the new Rules is the introduction of a “digital-by-design” administrative architecture. Unlike traditional tribunals that are often bogged down by paper trails and physical hearings, the Rules mandate that the Data Protection Board of India (DPBI) and the Appellate Tribunal function as “digital offices”. They are empowered to adopt “techno-legal measures” to conduct proceedings entirely online, removing the requirement for the physical presence of parties.
While this modernization is laudable for its potential to reduce pendency, it creates friction with established principles of administrative law regarding judicial independence.
Judicial Independence Concerns
- Madras Bar Association v. Union of India (2021): Tribunals performing quasi-judicial functions must possess independence from the Executive.
- Rojer Mathew v. South Indian Bank Ltd (2019): Executive dominance compromises separation of powers.
Rule 17 of the newly notified framework establishes a Search-cum-Selection Committee chaired by the Cabinet Secretary.
| Committee Member | Affiliation |
|---|---|
| Cabinet Secretary | Central Government |
| Secretary, MeitY | Central Government |
| Secretary, Department of Legal Affairs | Central Government |
| Two Experts of Repute | Chosen under Executive influence |
In a data economy where the State itself is the largest Data Fiduciary, this structure risks transforming the Board into an extension of the government rather than an impartial arbiter of privacy rights.
The Consent Conundrum: From Karmanya Singh to the Privacy Paradox
Central to the new regime is the architecture of consent. Rule 3 fundamentally restructures the interface between Data Fiduciaries and Data Principals. It mandates that privacy notices must provide an “itemised description” of the personal data collected and the specific purpose for each item. This provision appears to be a direct legislative response to the concerns raised in Karmanya Singh Sareen v. Union of India (2017) (the WhatsApp privacy policy case), where petitioners argued that “take-it-or-leave-it” bundled consents violate the principle of informed choice.
Child Data Protection & The Privacy Paradox
However, the Rules falter significantly when addressing the protection of vulnerable groups, particularly children. Rule 10 introduces a strict obligation for “verifiable consent,” requiring platforms to verify the identity of a parent using “reliable details of identity and age” or digital tokens mapped to government IDs like DigiLocker.
This requirement creates a “Privacy Paradox”:
- To protect a child’s data, more sensitive identification data must be collected from parents.
- This directly conflicts with the principle of Data Minimization established in Puttaswamy.
- Private platforms are forced to adjudicate lawful guardianship, a complex legal issue.
This contradicts the reasoning in Shreya Singhal v. Union of India (2015), where the Court warned against requiring private entities to make judicial determinations.
The Remedial Void: Ubi Jus Without Remedium
Perhaps the most critical jurisprudential gap in the 2025 Rules is the disconnection between injury and remedy. A fundamental maxim of tort law is ubi jus ibi remedium—where there is a right, there must be a remedy. The DPDP framework, however, establishes a punitive regime rather than a restorative one.
While the Act imposes colossal penalties (up to ₹250 crore) for non-compliance, these funds are explicitly directed to the Consolidated Fund of India. The Data Principal—the victim who suffers the financial loss, reputational harm, or mental agony due to a breach—receives absolutely no compensation under the Rules.
This stands in stark contrast to the General Data Protection Regulation (GDPR) of the European Union. Article 82 of the GDPR grants any person who has suffered material or non-material damage a distinct right to receive compensation from the controller. By denying this right, the Indian framework reduces the citizen to a mere informant in the regulatory process. As noted in K.S. Puttaswamy (Aadhaar Verdict) (2018), the fear of surveillance and data misuse has a “chilling effect” on civil liberties. Without a compensatory mechanism, the average citizen has little incentive to engage in the arduous process of filing a complaint, thereby weakening the enforcement of the law itself.
The Spectre of Surveillance: Ignoring Vinit Kumar
The Rules are notably silent on the procedural safeguards for government data exemptions. Schedule Seven outlines broad purposes for which the State can access data—including “sovereignty and integrity of India”—but fails to codify the rigorous procedural safeguards mandated by the judiciary.
In the landmark case of People’s Union for Civil Liberties (PUCL) v. Union of India (1997), the Supreme Court laid down specific guidelines for telephone tapping, emphasizing that state surveillance must be accompanied by procedural due process. This was reaffirmed in Vinit Kumar v. CBI (2019), where the Bombay High Court held that any interception order must satisfy the test of proportionality. By leaving the “procedure” for government access largely to future executive notifications (Rule 23), the 2025 Rules fail to check the “culture of surveillance” warned against in Puttaswamy. This legislative omission leaves the door open for executive overreach, unconstrained by judicial oversight.
A Comparative Lens: India vs. The Global Standard
When viewed through a comparative lens, the “Indian Model” of data protection reveals itself as distinctively state-centric.
- Breach Notification: India has aligned with the global “gold standard” by mandating a 72-hour reporting window to the Board, mirroring the GDPR’s requirement. This ensures rapid regulatory awareness.
- Data Portability: Unlike the GDPR, which grants users an explicit right to move their data between platforms (preventing lock-in effects), the Indian Rules are silent on portability. This omission may inadvertently entrench the monopolies of Big Tech firms, as users cannot easily migrate their digital histories to competitors.
- Age of Consent: The Indian Rules set a hard threshold at 18 years for mandatory parental consent. In contrast, the US (COPPA) and many EU nations set the “digital age of consent” between 13 and 16. India’s rigid threshold ignores the reality of teenage digital independence and forces invasive age-gating measures on nearly independent young adults.
To fully appreciate the Indian framework, it is instructive to compare it with the General Data Protection Regulation (GDPR) of the EU and other global standards.
Comparative Feature Table: India vs EU (GDPR)
| Feature | India (DPDP Rules 2025) | European Union (GDPR) | Critical Observation |
|---|---|---|---|
| Breach Notification | 72 Hours to the Board; “without delay” to the user. | 72 Hours to the Supervisory Authority; “without undue delay” to the subject. | Aligned. India adopts the global “gold standard” of 72 hours, ensuring rapid regulatory awareness. |
| Penalty Structure | Capped at ₹250 Crore per instance. No compensation to the victim in the Act/Rules. | Up to 4% of global turnover or €20 million. Victims have a right to compensation (Art. 82). | Divergent. The Indian model is punitive (state-centric) rather than restorative (victim-centric). The lack of victim compensation remains a glaring gap compared to the EU. |
| Data Portability | Not explicitly detailed in the current Rules as a standalone right for users to move data between platforms. | Explicit Right to Data Portability (Article 20). | Missing. The Indian framework focuses on access but lacks a clear portability mechanism, potentially entrenching monopolies. |
| Consent Age | Strict 18 years. “Verifiable consent” required for all minors. | Varies by member state (13–16 years). Known as “Digital Age of Consent.” | Strict/Rigid. India’s threshold is high (18), which may force platforms to implement invasive age-gating for older teenagers (16-17) who are digitally independent elsewhere. |
| Legitimate Interest | Limited. Relies on “Consent” or specific “Legitimate Uses” defined by the State (Section 7 of the Act). | Broad “Legitimate Interest” processing ground (Article 6(1)(f)). | State-Controlled. India’s “Legitimate Uses” are statutorily defined, offering less flexibility but perhaps more certainty than the EU’s open-ended “legitimate interest.” |
Conclusion: The Long Road to Implementation
The notification of the DPDP Rules, 2025, is a beginning, not an end. It represents a sophisticated attempt to regulate the world’s largest digital democracy, introducing forward-looking concepts like “Consent Managers” and “Digital Offices” that could theoretically streamline compliance.
However, the ‘implementation lag’ cannot be ignored. Rule 1(4) of the Notification explicitly specifies a staggered timeline: while the Board is constituted immediately, the substantive rights of citizens—including the right to remedy, consent management, and breach notifications—will not come into force until eighteen months after publication. This places the effective date in May 2027. Consequently, for the next 1.5 years, the ‘Right to Privacy’ will remain a constitutional promise rather than a statutory reality.
As legal practitioners and scholars, our role in the coming years will be pivotal. We must test these Rules against the constitutional anvil of Puttaswamy. We must challenge the executive dominance of the Board, advocate for victim compensation, and ensure that the “Digital Office” delivers actual justice, not just digital notices. The infrastructure has been built; the battle for its soul has just begun.
References
- M.P. Sharma v. Satish Chandra, AIR 1954 SC 300.
- Kharak Singh v. State of U.P., AIR 1964 SC 1295.
- Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
- K.S. Puttaswamy (Aadhaar Judgment) v. Union of India, (2019) 1 SCC 1.
- Madras Bar Association v. Union of India, (2021) 2 SCC 792.
- Rojer Mathew v. South Indian Bank Ltd, (2019) 7 SCC 1.
- Shreya Singhal v. Union of India, (2015) 5 SCC 1.
- People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301.
- Karmanya Singh Sareen v. Union of India, SLP (C) No. 804 of 2017.
- Vinit Kumar v. CBI, (2019) SCC OnLine Bom 3155.
- Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023).
- Digital Personal Data Protection Rules, 2025, Ministry of Electronics and Information Technology, notified vide Notification No. G.S.R. 846(E), Gazette of India, Extraordinary, Part II Section 3(i), No. 760, 13 November 2025.
- Notification No. S.O. 4721(E) [Establishment of Data Protection Board], Gazette of India, Extraordinary, Part II Section 3(ii), No. 759, 13 November 2025.
- Regulation (EU) 2016/679 (General Data Protection Regulation), Articles 20, 33, 34, 82.
- Ministry of Electronics and Information Technology (MeitY), “Press Release on Notification of Digital Personal Data Protection Rules, 2025,” 13 November 2025.


