Source: The Leaflet: https://theleaflet.in/explainer/indias-new-digital-personal-data-protection-rules-2025-a-detailed-reading

By Sneha Chakraborty

Executive Summary

The Digital Personal Data Protection (Amendment) Bill, 2025 builds upon the Digital Personal Data Protection Act, 2023, which marked India’s first comprehensive legal framework for personal data protection. The Amendment Bill seeks to refine regulatory mechanisms, expand exemptions for the state, and streamline compliance obligations for businesses operating in India’s rapidly growing digital economy. While the government presents the amendments as necessary to improve ease of doing business, national security, and administrative efficiency, the Bill has raised significant concerns regarding dilution of privacy safeguards, weakened accountability of state agencies, and limited remedies for citizens.

The Amendment Bill reflects India’s attempt to balance three competing priorities: individual privacy rights, state surveillance and governance needs, and economic growth driven by data-intensive industries. However, critics argue that the proposed changes tilt this balance disproportionately in favour of state and corporate interests, potentially undermining the fundamental right to privacy recognised by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017).

Background

India’s digital ecosystem has expanded rapidly over the last decade, with widespread adoption of smartphones, digital payments, e-governance platforms, and data-driven services. This expansion has resulted in the large-scale collection, processing, and storage of personal data by both state and private entities. Until recently, India lacked a comprehensive data protection law, relying instead on fragmented provisions under the Information Technology Act, 2000.

The Digital Personal Data Protection Act, 2023 was enacted to address this gap. It introduced key principles such as consent-based data processing, purpose limitation, data minimisation, and the rights of data principals, including the right to access and erase personal data. The Act also established the Data Protection Board of India as a regulatory authority.

However, soon after its enactment, concerns emerged regarding broad state exemptions, limited independence of the regulatory body, and weak enforcement mechanisms. The Digital Personal Data Protection (Amendment) Bill, 2025 has been introduced to modify certain provisions of the 2023 Act, with the stated aim of improving regulatory clarity and implementation efficiency.

Key Issues

Expansion of State Exemptions

One of the most contentious aspects of the Amendment Bill is the expansion and clarification of exemptions granted to the state. The Bill allows government agencies to process personal data without consent for reasons such as national security, public order, and administrative efficiency. While such exemptions are common globally, the lack of clear safeguards, oversight mechanisms, and proportionality tests raises concerns about mass surveillance and misuse of personal data.

Critics argue that broad exemptions undermine the constitutional right to privacy and weaken trust in digital governance platforms, particularly those used for welfare delivery and law enforcement.

Weakening of Regulatory Independence

The Amendment Bill continues to vest significant control over the Data Protection Board of India with the central government, including appointment powers and rule-making authority. This raises questions about the Board’s independence and ability to hold state agencies accountable. Without institutional autonomy, the regulatory body risks becoming ineffective in enforcing compliance, particularly against powerful government actors.

Compliance Relief for Corporations

The Bill introduces measures to ease compliance burdens for certain classes of data fiduciaries, particularly startups and small enterprises. While this may encourage innovation and reduce regulatory friction, there is concern that diluted compliance requirements could weaken data security standards and increase the risk of data breaches. In the absence of strong enforcement, individuals may have limited remedies against large technology companies.

Key Recommendations

First, state exemptions must be accompanied by clear safeguards. The Bill should incorporate principles of necessity and proportionality, along with independent oversight mechanisms such as judicial or parliamentary review of data processing by state agencies. Transparency reports and periodic audits should be mandatory.

Second, the independence of the Data Protection Board must be strengthened. Appointment processes should involve an independent selection committee, fixed tenure protections, and financial autonomy to ensure unbiased enforcement of the law.

Third, corporate compliance relief should not come at the cost of individual rights. Even where simplified compliance frameworks are introduced, core obligations relating to data security, breach notification, and grievance redressal must remain non-negotiable.

Finally, citizen awareness and access to remedies must be prioritised. The government should invest in public education on data rights and ensure that grievance redressal mechanisms are accessible, affordable, and time-bound.

Conclusion

The Digital Personal Data Protection (Amendment) Bill, 2025 represents a critical moment in India’s digital governance journey. While the need to refine and operationalise the 2023 Act is undeniable, the Amendment Bill risks diluting the very protections it seeks to strengthen. A data protection regime that prioritises administrative convenience over constitutional rights may erode public trust and weaken India’s democratic digital infrastructure.

For India to emerge as a global digital leader, its data protection framework must be rights-centric, transparent, and accountable. The long-term legitimacy of the law will depend not merely on economic outcomes, but on its ability to protect citizens in an increasingly data-driven state.

References

https://www.pib.gov.in/PressReleseDetailm.aspx?PRID=2190014

https://www.ey.com/en_in/insights/cybersecurity/india-s-data-privacy-shift-steering-the-dpdp-compliance-and-readiness

Bio:

Sneha Chakraborty is a student, who is currently pursuing her Masters in Social Work from Tata Institute of Social Sciences. Her research interests lie in gender, climate change and livelihood.