PRIVACY vs. ACCOUNTABILITY

Published on: 23rd May 2026

Authored by: Mrigya Gupta
NMIMS, Indore

A Critical Analysis of the DPDP Rules, 2025 and the Erosion of the Right to Information

ABSTRACT

The notification of the Digital Personal Data Protection Rules, 2025 (DPDP Rules) by India’s Ministry of Electronics and Information Technology on November 13, 2025, formally operationalized the Digital Personal Data Protection Act, 2023 (DPDP Act), India’s first comprehensive statutory framework for the protection of digital personal data. Anchored in the Supreme Court’s landmark Puttaswamy judgment recognizing privacy as a fundamental right under Article 21 of the Constitution, the Rules introduce a consent-first architecture, a novel Consent Manager intermediary, and robust protections for children’s data. This article subjects the DPDP Rules to critical legal scrutiny, focusing on a dimension that has received insufficient academic attention: the immediate operationalization of an amendment to Section 8(1)(j) of the Right to Information Act, 2005 (RTI Act) that eliminates the ‘larger public interest’ override for disclosure of personal information. The article argues that this amendment, effected through Section 44(3) of the DPDP Act, creates a constitutionally asymmetric regime, one that curtails civic accountability mechanisms on day one while deferring substantive citizen-facing privacy rights until May 2027. Drawing on constitutional jurisprudence, comparative data-protection law, and critiques from civil society, the article identifies three structural deficiencies in the current framework and proposes targeted legislative corrections before the full-compliance deadline.

INTRODUCTION

On 13th November 2025, the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 (DPDP Rules), thereby operationalizing the Digital Personal Data Protection Act, 2023 (DPDP Act). Almost eight years after the Supreme Court held in K.S. Puttaswamy v. Union of India (2017) 10 SCC 1 that the right to privacy is a fundamental right under Article 21 of the Constitution, India finally has a statutory framework for protecting personal data.

The DPDP Rules supersede the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the IT Act, 2000. They constitute a regulatory architecture of consent, rights of Data Principals, duties of Data Fiduciaries and the establishment of a fresh adjudicatory body – the Data Protection Board of India (DPBI).

At first sight, this framework seems to fulfil the promise made by the decision in Puttaswamy. There is, however, an irony: legislation that guarantees individuals’ right to privacy at the same time demolishes a complementary fundamental right, the right to information. This article argues that the DPDP Rules create an unbalanced regime in which the State gains power while citizens’ rights are deferred, and that the most constitutionally significant and least-discussed impact of this regime is the amendment to the RTI Act, 2005.

THE LEGAL FRAMEWORK: WHAT DO THE DPDP RULES ESTABLISH

  • Architecture of the New Regime:

The DPDP Act regulates the processing of all digital personal data stored digitally within India, and overseas when foreign organizations provide goods or services to persons in India. ‘Personal data’ is very broadly defined under Section 2(t) to mean any data concerning an individual who is ‘identifiable by or in relation to such data’. The definition has been crafted in such a manner that it protects the statute against future technological advancements.

The Rules mandate a staged approach to implementation. In Stage 1, which came into effect on November 13, 2025, the DPBI was set up, the enforcement process commenced and the amendment to the RTI Act was implemented. In Stage 2, which will commence on November 13, 2026, the Consent Manager Registration Scheme will become effective. Stage 3, commencing on May 13, 2027, will see the commencement of obligations, including mechanisms for obtaining consent, reporting breaches within 72 hours, the right of erasure and Significant Data Fiduciary (SDF) obligations.

  • Consent as the Primary Legal Basis:

Unlike the GDPR, which recognizes six distinct grounds for processing, such as legitimate interest and contract, the DPDP Act places consent as the foremost and predominant ground under Section 6. Consent should be freely given, specific, informed, unambiguous, and demonstrated via a clear positive action. An innovative ‘Consent Manager’ system is also introduced, in which a registered intermediary facilitates the management, granting, and revocation of permissions on behalf of the Data Principal across several Data Fiduciaries.

There are certain legitimate uses listed within Section 7 such as functions of the State, exigencies of medical emergencies, relations of employer and employee, and voluntary disclosures; however, they cannot be considered as parallel to consent. In that regard, the Indian consent paradigm can be deemed among the most rigorous consent models worldwide. For Data Fiduciaries conducting large-scale data processing, consent will necessitate substantial changes in data flow and architecture design.

  • Children’s Data and Global Benchmarking:

Section 9 of the DPDP Act mandates verifiable parental consent before the processing of personal data belonging to anyone under 18 years old. Under the Rules, there is an absolute prohibition on targeted advertisements, behaviour tracking, and profiling algorithms targeting children. The level of protection afforded to children is more than that provided under the GDPR regime, which considers anyone above 16 as a child (with member states having the discretion to lower the age bar to 13). Nevertheless, the process of obtaining ‘verifiable’ parental consent is not clearly specified in the Rules, and there is no fixed standard in place.

THE CRITICAL FAULT LINE: THE RTI AMENDMENT

  • The Legislative Change:

The DPDP Act’s most consequential and least examined provision is Section 44(3), which amends Section 8(1)(j) of the RTI Act, 2005. The original provision exempted personal information from disclosure but preserved a vital override: the CPIO or appellate authority could compel disclosure where ‘larger public interest’ justified it. Section 44(3) eliminates this override entirely, replacing it with an unconditional exemption: “information which relates to personal information.”

Since “personal information” remains undefined in the RTI Act, and the DPDP Act defines personal data broadly, virtually any identifying information – asset declarations, salaries, appointment or transfer orders of public servants – may now be withheld without any proportionality assessment.

  • Constitutional Tension:

This amendment pits two fundamental rights against each other. The Supreme Court, in Raj Narain (1975) and S.P. Gupta (1982), held that the right to information is integral to Article 19(1)(a), essential for democratic functioning. The RTI Act gave this right a procedural form.

Puttaswamy itself held that privacy is not absolute, requiring any restriction to satisfy a three-pronged test: legality, legitimate state interest, and proportionality. While the DPDP amendment clears the legality threshold, its proportionality is deeply questionable. An unconditional exemption, irrespective of the public servant’s role or the public interest at stake, cannot constitute the least restrictive means of protecting privacy.

Prior jurisprudence maintained this balance. In Girish Ramchandra Deshpande (2012), the Court held that a public servant’s financial information was ordinarily exempt, but could be disclosed in the larger public interest. The amendment erases this balance entirely. Former CJI (Delhi HC) and Law Commission Chairman Justice A.P. Shah publicly flagged the amendment as raising “constitutionally problematic” concerns.

  • Civil Society’s Critique and the Accountability Deficit:

NCPRI and IFF have consistently argued that the amendment shields corruption. RTI has long been civil society’s primary tool for exposing abuse of power, welfare fraud, and financial misappropriation — from electoral bonds to procurement irregularities. The amendment now permits CPIOs to withhold any information touching a government employee’s personal details, with no obligation to invoke or justify public interest.

The Editors Guild of India warned of a “chilling effect on journalism,” noting the absence of press-specific exemptions — a standard feature in the GDPR (Article 85), the UK’s DPDI Act, and Canada’s PIPEDA. The DPDP Act stands apart globally in providing no carve-outs for journalism, public interest research, or whistleblowing.

STRUCTURAL CONCERNS

  • Independence of the Regulatory Body:

The DPBI falls within the ambit of administrative control exercised by MeitY. The membership is appointed by the Central Government on the recommendation of a committee headed by the Cabinet Secretary, making it essentially a government-controlled process. According to critics, like the IFF, this system replicates the structural deficiency seen in the Central Information Commission, which governs the RTI Act. This structural deficiency is exemplified by the absence of posts and the exercise of executive influence. For an efficient data protection body, it is essential for the organization to be independent of the same state machinery that deals with most of the personal information of citizens.

  • The Asymmetry of Phased Implementation:

The three-stage implementation timeline reveals a structural asymmetry that is difficult to justify as mere administrative pragmatism. From November 13, 2025, two things become immediately operative: the DPBI’s enforcement powers and the RTI amendment. Citizens’ substantive rights – consent, erasure, correction, grievance redressal, and breach notification – are deferred until May 2027. In other words, the government may enforce the law against private Data Fiduciaries before those Fiduciaries owe any operational duty to Data Principals. More critically, the one provision that benefits the state, stripping public-interest disclosure from the RTI Act, activates on day one, while the protections that would benefit citizens are postponed by 18 months.

  • Cross-Border Data Flows and Location:

The DPDP Rules adopt a ‘negative-list’ approach to cross-border data transfers: Data Fiduciaries may transfer personal data to any country not specifically notified by the Central Government as a restricted destination. While this is more permissive than the GDPR’s adequacy-decision model, it introduces regulatory uncertainty. SDFs, large platforms processing data above government-specified thresholds, face additional data localisation requirements for categories yet to be defined, creating compliance opacity for multinational technology companies investing in Indian infrastructure. Trade bodies have flagged that indeterminate localisation obligations could disrupt global supply chains and prejudice India’s competitiveness as a data-processing hub.

COMPARATIVE PERSPECTIVE

A comparison with cognate regimes also produces some interesting findings. In particular, the GDPR explicitly lists journalism, research, and processing for reasons of public interest as grounds for derogating from certain rights otherwise enjoyed by data subjects (Article 85). The UK Data Protection and Digital Information Act expressly exempts journalism and research activities. The Brazilian LGPD excludes journalistic activities from a host of duties imposed under the law. Singapore’s PDPA also excludes research that acts in the public interest. Most importantly, India fails to recognize any of the above in its own framework, which becomes a constitutional issue in the context of the amendments made to the RTI Act.

The comparison with the GDPR also shows how strict the legal grounds listed under the DPDP Act can be. Because the Act completely ignores legitimate interests as a legal ground, apart from the uses narrowly provided for under Section 7, companies that carry out GDPR-compliant data processing operations in India will have to create consent processes anew for the Indian market environment.

THE CONCLUSION & FUTURE OUTLOOK

The DPDP Rules, 2025 mark India’s most ambitious step in legislating the digital space — introducing consent-based processing, an innovative Consent Manager framework, and robust child data protections. These are significant achievements.

Yet the Rules carry a critical constitutional flaw: the RTI Amendment — which strips public interest exceptions — takes effect simultaneously, creating a direct tension with citizens’ emerging privacy rights.

Judicial scrutiny appears inevitable. Key constitutional challenges may arise on three fronts: the RTI Amendment’s conflict with Articles 19(1)(a) and 21; the DPBI’s structural independence under the separation of powers doctrine; and data localisation provisions as a disproportionate restriction on trade under Article 19(1)(g). Given that the Supreme Court itself laid the foundation for privacy jurisprudence through Puttaswamy, it must ensure this Act fulfils — not betrays — that legacy.

Before the May 2027 implementation deadline, the legislature should consider three targeted reforms: (i) restoring a proportionality-based public interest override in the RTI amendments; (ii) carving out explicit exceptions for journalism and public interest research; and (iii) depoliticising the DPBI’s appointment process. Without these corrections, India risks enacting a privacy law that shields the State from its citizens — a stark inversion of Puttaswamy’s core promise.

REFERENCES

  1. INDIA CONST. art. 19, cl. 1(a).
  2. INDIA CONST. art. 21.
  3. Digital Personal Data Protection Act, No. 22, Acts of Parliament, 2023 (India).
  4. Digital Personal Data Protection Rules, 2025, MeitY Notification (notified Nov. 13, 2025) (India).
  5. Right to Information Act, No. 22, Acts of Parliament, 2005 (India), § 8(1)(j), as amended by the Digital Personal Data Protection Act, No. 22, Acts of Parliament, 2023, § 44(3) (India).
  6. The Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India), § 43A; Digital Personal Data Protection Rules, 2025, Gazette of India, pt. II sec. 3(i) (Nov. 13, 2025) (India).
  7. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Gazette of India, pt. II sec. 3(i) (Apr. 11, 2011) (India).
  8. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
  9. Girish Ramchandra Deshpande v. Cent. Info. Comm’r, (2012) 13 SCC 353 (India).
  10. State of Uttar Pradesh v. Raj Narain, (1975) 4 SCC 428 (India).
  11. S.P. Gupta v. Union of India, AIR 1982 SC 149 (India).
  12. Muthumalai v. Central Public Information Officer, CIC/SA/A/2019/119503 (Cent. Info. Comm’n 2020) (India).
  13. Council Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), 2016 O.J. (L 119) 1 (EU) [hereinafter GDPR], arts. 6, 85.
  14. Lei Geral de Proteção de Dados Pessoais [LGPD], Lei No. 13.709, de 14 de agosto de 2018, Diário Oficial da União [D.O.U.] de 15.8.2018 (Braz.), art. 4.
  15. Personal Data Protection Act 2012, c. 26 (Sing.).
  16. Data Protection and Digital Information Act 2025, c. 4 (U.K.), § 170.
  17. Internet Freedom Foundation, Analysis of DPDP Rules 2025 (Nov. 2025).
  18. National Campaign for People’s Right to Information (NCPRI), Briefing Note on Section 44(3) (2025).
  19. Editors Guild of India, Statement on DPDP Rules 2025 (Nov. 2025).
  20. Justice (Retd.) A.P. Shah, Letter to the Attorney General of India Regarding Amendments to the Right to Information Act, 2005 Under the Digital Personal Data Protection Act, 2023 (July 2025) (India).
