Digital rights group Internet Freedom Foundation on Friday criticised India’s newly notified Digital Personal Data Protection Rules, 2025, saying the framework delays key protections for users while expanding the government’s powers to access personal information.
IFF’s “initial statement” on the notification said the staggered rollout of the Digital Personal Data Protection Act, 2023, fails to address long-standing concerns about transparency, oversight and user rights.
Under the government’s notification, sections governing the establishment and functioning of the Data Protection Board of India take effect immediately, while core obligations and rights for data principals and data fiduciaries will only apply 18 months from the date of notification.
Several operative rules, including provisions for notices, security, cross-border transfers and exemptions, will also be delayed.
IFF said the long deferral means individuals will remain without meaningful remedies while the data protection regime is being built. The group noted that only definitions, Board-related provisions and a rule on consent managers are being implemented in the interim.
The rules introduce some requirements, including notices drafted in clear language and a 90-day limit for grievance redressal. But IFF said the framework fails to mandate disclosures such as categories of data recipients, specific retention periods or safeguards for cross-border transfers, perpetuating what it called an “information asymmetry” between individuals and large platforms.
IFF singled out data retention and state access provisions for concern. Rule 8(3) requires companies to retain personal data, traffic data and logs for at least one year after processing, or longer if required by law. Significant data fiduciaries must maintain detailed logs for up to three years. The group said these requirements erode the principle of data minimisation and risk normalising long-term behavioural logging.
IFF also criticised Rule 23, which allows government agencies to demand personal data from companies without user consent on broad grounds such as national security. The rule restricts companies from disclosing such requests to users. IFF said the provision “grants unchecked power” to the state and could enable secretive, large-scale data collection without judicial oversight or necessity tests.
The government also formally established the Data Protection Board, headquartered in the National Capital Region, with four members. IFF said the appointment structure and limited independence of the Board “deepens executive control,” diverging from global models where data protection authorities operate as independent regulators.
The group urged the government to amend the law to restore transparency safeguards under the Right to Information framework, establish independent oversight, limit state exemptions and introduce surveillance reforms. It also called for stronger protections for journalism and research carried out in the public interest.
IFF said it will publish a detailed analysis and remains ready to assist policymakers in building a rights-respecting data protection regime.
The post IFF warns Digital Personal Data Protection rules weaken privacy, enable broad government access appeared first on Maktoob media.
