By Napoleon S Mawphniang
India’s Data Protection Revolution and Its Cons
Few events in history have changed society as much as the digital revolution. As with the printing press, the internet has transformed how we communicate, do business, and see the world. However, with great power comes great responsibility, and the digital era has presented unparalleled privacy and data security threats.
The draft Digital Personal Data Protection (DPDP) Rules, 2025, released by the Indian government on January 3, 2025, addressed these issues. These guidelines will enforce the Digital Personal Data Protection Act, 2023, a milestone in India’s data protection legislation. This evolution has critics, and a closer look shows a complicated environment of progress and perils.
The Privacy Evolution
The historical backdrop that led to this breakthrough is necessary to comprehend its significance. Privacy has changed considerably over the centuries due to cultural, technological, and legal pressures.
The right to one’s own person—”ius in se ipsum”—protected privacy in ancient Rome. Personal autonomy in Western law was based on this idea. In the 17th century, English jurist Sir Edward Coke said “the house of every one is to him as his castle and fortress.” This home privacy idea influenced the Fourth Amendment to the US Constitution, which prohibits unreasonable searches and seizures.
Urbanisation and technology rendered privacy more vulnerable during the industrial revolution. In 1890, American lawyers Samuel Warren and Louis Brandeis wrote “The Right to Privacy” advocating for legal protection of the right to be left alone. This work shaped US and international privacy law.
Discontents of the Digital Age
However, privacy has faced tremendous threats in the digital age. Personal data is easy to acquire, keep, and analyse, creating a new paradigm in which our digital footprints reveal more than we want to share. The 2018 Cambridge Analytica scandal showed how personal data may be used for political manipulation in this new world.
In 2018, the EU passed the General Data Protection Regulation (GDPR) to address these issues. India’s DPDP Act and Rules, which aim to protect digital rights, reflect the GDPR.
India’s Data Protection Journey
The 2025 proposed DPDP Rules are vital to India’s data protection path. The DPDP Act, 2023’s principles will be operationalised to provide data fiduciaries and data principals with clear instructions.
The suggested guidelines need specific consent before processing personal data. This follows the medical ethics ideal of informed consent, which is now a cornerstone of data protection laws globally. Rules require unambiguous and specific consent to empower individuals to make informed personal data decisions.
The new guidelines also incorporate “consent managers,” intermediaries who handle consent for individuals. This novel solution, inspired by financial account aggregators, simplifies permission management across platforms and services.
Improved data privacy for children is another key guideline. The US minors’s Online Privacy Protection Act (COPPA) and EU GDPR restrict tracking, behavioural monitoring, and targeted advertising to minors. This shows a rising global consensus on protecting vulnerable populations’ privacy.
Data Protection Board
The Data Protection Board (DPB), which enforces the DPDP Act, is also described in the draft rules. Similar authorities exist in the UK’s Information Commissioner’s Office and France’s Commission Nationale de l’Informatique et des Libertés.
Concerns and Criticisms
However, the suggested guidelines are controversial. The DPDP Act included sanctions, but not here. Privacy activists worry about the rules’ enforceability due to this absence. The history of data protection legislation implies strong enforcement is essential for compliance. The EU’s GDPR allows fines of up to €20 million or 4% of global annual revenue.
The guidelines provide the central government broad authority to exempt certain corporations from compliance, which civil society groups have criticised. Similar to the US Patriot Act dispute, numerous governments debate the balance between national security and privacy rights.
Concerns for government accountability and constitution
The government’s treatment of citizen data may infringe the right to privacy, declared by the Supreme Court in 2017 under Article 21 of the Indian Constitution. Massive data breaches, such as the ICMR database leak of 81.5 crore citizens’ data, cast doubt on the government’s ability to defend this fundamental right.
DPDP Act aside, India lacks a comprehensive data protection law. Data protection laws in different sectors don’t work together to secure citizens’ data. This fragmented approach leaves big protection and enforcement holes.
Denying and Not Transparent Government
As in the CoWIN database leak, the government’s refusal to acknowledge data breaches damages public trust and inhibits inquiry and remediation. Lack of transparency in investigating and reporting earlier instances worsens this issue. Citizens are unaware of the size and consequences of past data breaches due to the lack of public investigations.
Lack of Enforcement and Overreach
Without truly independent data protection regulators and a wide range of remedies, present data protection regulations are ineffective. The government’s 2019 National Cyber Security Strategy failure shows the lack of a comprehensive cybersecurity strategy.
The central government has broad rights to exempt certain businesses from compliance with the DPDP Act, which raises worries about misuse and undermines data protection regulations. Other jurisdictions have debated the balance between national security and privacy rights.
Insufficient Security and Conflicts of Interest
The recurrent intrusions of government databases like Aadhaar, ICMR, and state government websites suggest a systematic security failure. Over 100,000 ex-Ministry of Electronics and Information Technology personnel had unfettered access to the UIDAI system after leaving, demonstrating weak access control and data governance.
Data protection rules and citizen data custodianship by the government may create a conflict of interest. The Tribune’s Aadhaar data leak reporting case shows this. The government has sued whistleblowers and journalists.
Unfair Penalties and Breach Notification
Data breaches can result in fines up to Rs 250 crore under the DPDP Act, yet government institutions guilty for breaches are not held accountable. This accountability gap between commercial and government institutions undermines equal law enforcement.
Though rigorous, the government’s 6-hour data breach reporting rule may be unworkable and unproductive. Short deadlines may result in inadequate or erroneous reporting, limiting reaction and remedy.
Surveillance and Privacy Future
Credit information systems, which are supposed to preserve privacy, may increase surveillance. This casts doubt on the government’s data collection and processing goals.As we examine these events, Sun Tzu’s “The Art of War” advises: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Knowing oneself in data protection implies appreciating the value and risks of personal data misuse. Knowing the enemy means recognising privacy concerns from hostile actors, aggressive corporations, and overreaching governments.
India’s draft DPDP Rules try to balance innovation, economic growth, and individual rights. As Robert Greene may note, this is a delicate dance of power in which the government must safeguard civilians while promoting technical growth.
The guidelines’ emphasis on consent and transparency supports Greene’s “winning through seduction rather than force.” The government hopes to develop confidence in the digital ecosystem, essential for its ambitious Digital India plan, by giving people data management.
The principles also follow Greene’s axiom that “the best deceptions are the ones that seem to give the other person a choice.” The vast government exclusions and potential for backdoor data access under the guise of national security could be regarded as subtle control masked as protection.
Finale
Future projections show that digital privacy is still a challenge. Lawmakers will perpetually be playing catch-up due to the lightning-fast rate of technology innovation. The Internet of Things and AI are expanding data collecting and analysis, challenging privacy and consent.
The worldwide nature of the internet makes data protection difficult to solve alone. India’s DPDP Rules must meet international standards to facilitate seamless cross-border data transfers and strong citizen protections.
India’s data protection journey has reached a milestone with the proposed Digital Personal Data Protection Rules, 2025. They handle issues specific to India while simultaneously reflecting a rising worldwide agreement on the need of digital privacy. However, the government’s data breaches, lack of transparency, and potential overreach cast doubt on these measures’ efficacy.
Changing the course of India’s digital future is an inevitable consequence of these regulations as they go from draught to implementation. The government must address enforcement, accountability, and transparency to protect citizens’ privacy and data. It must strengthen security, apply the law equally, and promote privacy across all industries.
Edward Snowden said, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” One of the most important aspects of being a decent human being in this digital era is having the right to privacy. As India becomes a global digital powerhouse, its data protection policies will inspire developing nations and shape privacy in the 21st century. Following the rules to the letter is important, but the government’s dedication to protecting citizens’ personal information is what will really make this effort a success.
(The author is a practising Advocate , Trade Unionist and Humanist)