IAS/UPSC Coaching Institute  

17 Nov 2025 : Too little, much later

 Editorial 1: ​​​​Too little, much later

Context

The Digital Personal Data Protection Rules dilute the scope of the Right to Information.

 

Introduction

India’s data protection journey, from the 2017 privacy judgment to the 2025 Rules, reflects progress mixed with deep structural weaknesses. While the law simplifies earlier drafts and formalises some user safeguards, delays, wide government exemptions, and weakened transparency mechanisms have diluted its purpose. The 2025 Rules further postpone protections, leaving citizens exposed while offering comfort to major data-handling entities.

 

Background and Legislative Journey

  • Over eight years have passed since privacy was recognised as a fundamental right by the Supreme Court.
  • During this period:
    • Three different drafts of a data protection law were released.
    • The process lacked transparency, making it unclear how the final law evolved.

 

The 2023 Data Protection Act — Gains and Losses

What improved

  • Simplified the earlier, more complex 2018 draft.
  • Added core protections for personal data into the law.

What weakened

  • Gave broad exemptions to government agencies for handling citizens’ data.
  • Established a weak Data Protection Board of India (DPBI).
  • Amended the RTI Act, reducing transparency achieved over the last two decades.

 

The 2025 Rules — Minimal Repair, Major Delays

Gaps remain unaddressed

  • The Rules fail to fix problems created by the main Act.
  • Core privacy safeguards are postponed until 2027, delaying meaningful protection.

Immediate dilution of transparency

  • The RTI amendment takes effect immediately.
  • Public Information Officers can now refuse all personal information unless another law mandates its disclosure.
  • This leaves citizens with very limited access to information that ensures accountability.

 

Process Concerns and Timing

  • Draft Rules were delayed and then followed by a three-month consultation, mostly symbolic.
  • Final Rules were notified on November 14, 2025, coinciding with the Bihar Assembly election results — a timing that raises questions.
  • Only minor changes were made from the draft version.

 

Compliance Timeline — Overgenerous for Tech Giants

  • Companies have been given 12–18 months to comply, despite knowing the framework in advance.
  • This generosity raises doubts about the good faith behind the Rules.

 

Institutional Weakness — DPBI’s Lack of Independence

  • The DPBI will function under the Ministry of Electronics and IT.
  • This Ministry:
    • Seeks investment from global tech giants (Google, Amazon, Meta).
    • Will also supervise investigations into their future data misuse.
  • This creates a clear conflict of interest and undermines regulatory neutrality.

 

Impact on Citizens vs. Big Tech

For Big Tech and firms handling data

  • Comfortable, extended timelines.
  • Limited regulatory pressure.
  • Minimal operational disruptions.

For citizens

  • The promised goals of privacy and accountability remain largely unfulfilled.
  • People continue to be transparent to the state and tech corporations, while these entities operate behind opaque walls.

 

Conclusion
The Digital Personal Data Protection framework, as finalised in 2025, falls short of its constitutional promise. With delayed safeguards, weakened transparency, and institutions lacking independence, individuals continue to be easily scrutinised while powerful entities remain shielded. Unless the government strengthens timelines, oversight, and citizen-centric protections, India’s data future will remain imbalanced and insecure.