In the second half of August 2017, a nine-judge bench of the Supreme Court of India upheld privacy as a fundamental right, protected under Article 21 of the Indian Constitution in the landmark Puttaswamy judgement…
At the time, we had no idea that that landmark ruling would change our lives, albeit so slowly that we probably didn’t see it coming. Cut to 2023, and the DPDP (Digital Personal Data Protection) Act saw the light of day. Designed to be the basis for India’s personal data regulatory regime and protection, it stayed in the incubator for two years until its regulators and rules were made known to us in September 2025.
In fact, organisations and business enterprises have until 2027 to comply with it completely, a date that comes a decade after the Supreme Court’s landmark privacy ruling. India might be celebrating a technology-fuelled gold rush for growth and efficiency, but this run-up is fed by a rapidly escalating surveillance economy.
India’s DPDP Act 2025 might be all set to usher in a new digital era, but will it be giving the State unfettered rights to monitor the digital footsteps of its citizens?

What is India’s DPDP Act?
On November 13, 2025, MeitY (India’s Ministry of Electronics and Information Technology) notified the DPDP Rules 2025, which operationalise the DPDP Act 2023 (a.k.a. DPDPA), the first comprehensive and full-fledged data protection and digital privacy law in India. It replaces the previous IT (Information Technology) Rules, 2011 under the IT Act 2000.
The DPDPA introduces a rights-based, consent-led, comprehensive framework governing how companies protect, collect, store, and process personal data. Within a phased 12–18-month timeline, organisations operating in India (named “data fiduciaries”) must meet the Act’s core compliance requirements. These include reporting data breaches within 72 hours, implementing systems for express user permission, and appointing data protection officers and consent managers.
Furthermore, the Act also aims to strengthen the rights of private individuals (referred to as “data principals”) to control, access, erase, and correct their data. It centres on accountability, breach reporting, security safeguards, purpose limitation, and consent, with stricter duties for significant data fiduciaries and penalties amounting to up to INR 250 crore for non-compliance. Additionally, it also establishes a Data Protection Board to enforce compliance while mandating verifiable parental consent for processing children’s data.

The Criticism
According to MeitY, the DPDPA and its rules aim to create an uncomplicated, innovation-friendly, and citizen-focused framework for the responsible use of digital personal data. However, the DPDPA has drawn criticism as it grants the government extensive and far-reaching authority to access personal data without any robust independent oversight. It’s been compared to the EU’s GDPR (General Data Protection Regulation), which requires data minimisation and strict consent, and has an independent regulator.
However, the DPDPA just has a government-appointed, four-person Data Protection Board, which will oversee privacy for some 1.4 billion people, raising concerns over free speech and compromised privacy. In fact, every successive iteration of the rules and the Act has been criticised for granting the governing body too much control and leeway without the required accompanying safeguards.

So, when it comes to genuinely protecting the privacy of people, the Act and its rules might as well remain paper milestones. The government might even go to the extent of coercing businesses and citizens into turning over their data through presumption of consent and sweeping provisions.
However, a particularly controversial aspect of the DPDP Act is its direct impact on the RTI (Right to Information) Act. Under the RTI Act, citizens could seek access to records held by public authorities if their disclosure served the larger public interest.
Under DPDPA, this public interest provision has been amended. So, even though the requested information could possibly relate to public interest, authorities can still deny its release. This could lead to the State possibly denying personal information outright, which citizens might require to expose corruption and hold governing bodies accountable.

What Lies Ahead
Of course, these rules, written for data and privacy in some form, are severely under-designed and under-equipped for AI (artificial intelligence). They lack requirements for algorithmic accountability, any justification for automated decisions, and any liability for the bias caused by the voracious AI monster that’s been feeding on our data, all of which the EU’s GDPR addresses. And law enforcement and the government are largely exempt.
User consent is the basis on which the DPDP Act relies, but we have zero idea about how our data will be used by AI, which means consent will mean nothing against the scale and opacity of AI processing.
We might have gotten rid of the Sanchar Sathi app which would constantly monitor our activities, but surveillance in some form or the other will definitely continue under the DPDP Act and its Rules. There’s a larger struggle taking place to safeguard our constitutional rights against this seemingly authoritarian structure that’s being designed for our future, and the fight for our digital rights is very much a part of it.










