Clipped from: https://www.thehindubusinessline.com/opinion/editorial/new-data-era/article70293464.ece
Notified data protection rules should be implemented
Eight years after the Supreme Court’s landmark judgment in KS Puttaswamy (2017) that recognised privacy as a fundamental right, India finally has a functioning data protection regime. The notification of the Digital Personal Data Protection (DPDP) Rules marks the end of an unusually protracted journey, from the Srikrishna Committee report of 2018, through multiple drafts and political compromises, to the diluted but workable framework unveiled recently.
For a country that is now one of the world’s most digitised societies, this law could not have come sooner. In recent years, consumers have been consistently exposed to cyber threats. Incidents of hackers breaching sensitive Aadhaar-linked databases, phishing attacks on banks, and ransomware hits on public systems have made it evident that India’s digital infrastructure is only as strong as its weakest node. Even seemingly harmless mobile applications routinely collect vast quantities of data unrelated to the service they provide, including contact lists and messages, as well as access to the camera and location logs. The explosion of Artificial Intelligence and machine learning, both of which rely heavily on data harvesting, only amplifies the risks. Worryingly, there is still no clarity on how data protection norms will be enforced on AI platforms; AI models depend on large volumes of historical data and may retain identifiable traces even after the underlying datasets are deleted.
The new rules, although far from ideal, offer citizens some long-overdue safeguards. They establish a consent mechanism that requires user-data collection to be preceded by a clear, plain-language notice explaining what data will be collected, and for what purpose. For the first time, individuals will have explicit rights to access their personal data, correct inaccuracies, and request erasure. Yet the DPDP framework stops noticeably short of the Srikrishna panel’s vision. The most glaring omission is the absence of a separate category of “sensitive personal data” such as health information, biometrics, or financial records, which require heightened safeguards in most global privacy regimes. Equally concerning is the breadth of exemptions retained for the State. The rules permit wide discretion for agencies to bypass protections in the name of national security or public order. Without clearly articulated tests of necessity and proportionality, these carve-outs risk undermining public trust in a law meant to protect citizens and regulate companies.
But perhaps the greatest challenge lies elsewhere. India has millions of MSMEs, small online sellers, app developers and service providers, many of whom do not have a privacy policy, let alone the capacity for data audits, retention discipline or breach reporting. Privacy awareness among users is even lower. A rulebook alone will not shift practices; sustained implementation and digital literacy will. The DPDP Rules merely mark the start of India’s privacy journey.
Published on November 18, 2025
aniltikotekar4sme.com 