Draft digital data protection rules and authoritarianism

The Draft Digital Data Protection Rules, 2025, in India, have raised concerns about executive overreach and vague governance. The rules, derived from the Digital Personal Data Protection Act, 2023, are deliberately vague and grant broad discretion under the nebulous phrase “as may be prescribed”. Despite its swift passage, implementation remains in limbo. The draft Rules are published as a 51-page PDF with a three-page explanatory note that reads as AI glop.

The rules build on a framework of intentional vagueness and executive dominance, with compliance obligations either selfdetermined by companies handling personal data or left to government discretion. Rule 3, which governs consent notices, mandates “clear and plain language” but fails to define these terms, leaving interpretation subject to India’s vast linguistic and comprehension diversity.

The Data Protection Board (DPB), which has a limited ambit of jurisdiction to adjudicate on breaches, lacks independence. The DPB is hamstrung, with its authority largely limited to determining data breaches and its independence compromised by service conditions of its members to central government employees. Rule 5 exempts data processing for subsidies from consent requirements, raising doubts about its effectiveness in handling complaints involving powerful government entities like the UIDAI that handles Aadhaar.

Rule 22, which contains the power of the government to requisition information, lacks limitations and safeguards. The question remains: which is to be master — that’s all.